
I have the following expired X.509 certificate:

$ openssl x509 -in openvpn.net -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:fa:55:a7:80:b5:b5
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
        Validity
            Not Before: Dec 10 20:42:04 2013 GMT
            Not After : Mar  5 17:46:58 2014 GMT
        Subject: OU=Domain Control Validated, CN=*.openvpn.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:d8:1c:cd:03:64:34:52:e3:6a:fd:96:10:4d:76:
                    c6:33:f8:70:fb:6c:0d:93:ac:3c:49:1b:bf:c4:9a:
                    c3:b5:08:87:c8:1c:fc:81:64:91:41:45:81:e0:70:
                    63:69:e0:86:ec:e1:48:84:26:2f:3f:4b:7d:6d:6c:
                    88:bc:44:11:ff:72:b1:32:d9:30:24:e4:78:78:0c:
                    fb:73:5d:43:05:4e:5c:5a:05:f7:85:e0:69:c9:b8:
                    ca:7d:0a:33:b9:12:ee:ff:ed:20:7b:8d:04:89:05:
                    74:80:7a:5c:4a:39:07:70:14:56:31:59:ae:4f:6f:
                    3d:5d:c6:36:00:b6:aa:7e:45:6b:bc:cb:4a:8f:cc:
                    20:69:f6:39:ec:29:e9:6a:14:6e:42:ca:99:d1:d7:
                    08:23:31:5c:5b:b3:48:13:01:fe:bc:44:34:62:c7:
                    81:2e:4e:74:1e:73:42:b3:5f:ee:23:55:9f:62:d0:
                    46:5e:c2:00:14:7b:b5:e5:26:40:12:a6:32:50:22:
                    b3:a6:df:b6:a3:90:d4:39:ae:ea:3e:53:f5:58:89:
                    7a:b7:6a:d8:6f:d3:ae:1b:e0:7c:90:86:04:39:c3:
                    a3:c8:8a:52:5a:d5:83:e7:07:80:5b:b2:e2:7a:5a:
                    24:b2:d8:53:34:ad:2a:e2:d4:3a:57:5c:6e:3c:46:
                    58:b5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points: 
                URI:http://crl.godaddy.com/gdig2s1-6.crl

            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.114413.1.7.23.1
                  CPS: http://certificates.godaddy.com/repository/

            Authority Information Access: 
                OCSP - URI:http://ocsp.godaddy.com/
                CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt

            X509v3 Authority Key Identifier: 
                keyid:40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE

            X509v3 Subject Alternative Name: 
                DNS:*.openvpn.net, DNS:openvpn.net
            X509v3 Subject Key Identifier: 
                DA:4D:97:2B:F8:A2:C5:E9:9D:A2:E4:CB:56:01:0B:9B:74:24:01:01
    Signature Algorithm: sha256WithRSAEncryption
        9b:b7:07:59:02:0c:67:f3:c1:49:45:fe:30:9a:1a:39:19:cb:
        42:33:fc:62:02:29:fc:f5:ef:5d:61:36:4a:e2:c5:f6:52:04:
        57:81:28:18:77:60:c0:99:1a:4a:45:e5:f7:eb:03:36:d2:bf:
        9d:b6:93:38:98:06:b4:81:fb:5c:ff:e6:ef:7c:8d:ff:cd:5f:
        53:b1:10:23:03:38:12:12:a8:99:c8:35:a1:6a:60:ba:4a:f4:
        61:7f:96:cb:81:70:f3:c6:d8:2a:b5:69:b8:d9:56:0a:46:73:
        9b:d0:d7:c1:2f:9a:d8:94:ac:37:0b:57:80:f9:a1:ec:e1:bf:
        43:76:c6:ea:01:c6:97:c8:55:29:a8:b6:b9:19:bd:81:92:9a:
        a9:ec:be:b0:4c:3e:11:f5:8b:8c:8f:af:fa:f5:d4:4d:d7:77:
        c0:1f:aa:cd:f7:01:80:ad:62:d4:db:1d:e3:a0:23:77:2f:4b:
        ea:65:5c:9e:9c:46:bc:be:ce:f3:71:79:cd:19:c3:44:f5:49:
        de:4b:24:a5:8b:48:3e:60:4d:9d:dd:1d:50:35:66:6a:d6:96:
        77:7c:19:9b:66:e1:46:de:4e:c2:ce:c5:96:88:2c:d7:7d:cc:
        94:ac:1f:23:d4:a8:e9:6d:c0:f3:9f:a8:21:a7:fd:dc:25:95:
        6f:eb:e3:a0
$ 

As I understand, this certificate is issued from Go Daddy Secure Certificate Authority to *.openvpn.net. I think that in order to verify that this certificate is indeed issued by GoDaddy, I should download one of the GoDaddy root certificates from here. However, which one? And how can I verify that the certificate above is indeed issued by GoDaddy using the openssl utility?

Martin

2 Answers


Use openssl verify.

E.g.:

$ openssl verify -CAfile /path/to/issuer.cert /path/to/server.cert

In this case the issuer should be Go Daddy's intermediary cert and the server cert is the cert you want to verify. Which intermediary is the right one? Your X.509 output tells you:

Authority Information Access: 
    OCSP - URI:http://ocsp.godaddy.com/
    CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt

So the issuer you want is http://certificates.godaddy.com/repository/gdig2.crt.

In your OpenVPN config you can set the path to gdig2.crt as the ca option and that will be adequate for verification. It's good to check the validity of gdig2.crt all the way up to the root once for your own peace of mind, but as far as OpenVPN is concerned you can tell it to ultimately trust the intermediary with no loss of security.

Another form for the verify subcommand is to use CApath instead of CAfile:

$ openssl verify -CApath /etc/ssl/certs /path/to/server.cert

With CApath the path must be a directory containing certs for all trusted issuers (including intermediary CAs and root CAs); you then run c_rehash /path/to/directory/. Your distribution will probably have done this for you if you have the ca-certificates package installed.

Notice about verification failures

There are incompatibilities with openssl between 0.9.x and 1.0.x. If you have a certificate that you think should verify but isn't, then you're probably verifying with a 0.9.x version of openssl. Find something with 1.0.x and try again.

bahamat

Look in the Authority Information Access section on your cert. It'll tell you which CA to download. You can then verify that cert to see who issued it and continue up the chain.

doneal24
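Both answers describe the same procedure: read the AIA "CA Issuers" pointer, fetch that intermediate, and verify upward. The script below is an added example, not code from either answer or from the question: it builds a throwaway root/intermediate/leaf chain (all names, keys and the AIA URI are constructed) and runs each verify form discussed, including the detail that OpenSSL 1.1 and later only trusts an intermediate directly when -partial_chain is given.

```shell
#!/bin/sh
# Added example, not from the question or answers. Builds a throwaway
# root -> intermediate -> leaf chain (all names/keys constructed) and runs
# the verify forms discussed above. Needs the openssl CLI, 1.1 or later.
set -u
WORK=$(mktemp -d)
# sign <csr> <out.crt> <extfile> [<ca.crt> <ca.key>]; without a CA it self-signs.
sign() {
  if [ $# -eq 5 ]; then
    openssl x509 -req -in "$1" -out "$2" -extfile "$3" -CA "$4" -CAkey "$5" \
      -CAcreateserial -days 2 >/dev/null 2>&1
  else
    openssl x509 -req -in "$1" -out "$2" -extfile "$3" -signkey "${1%.csr}.key" \
      -days 2 >/dev/null 2>&1
  fi
}

make_chain() (
  cd "$WORK" || exit 1
  for n in root int leaf; do    # one throwaway key and CSR each
    openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
      -subj "/CN=Example $n" >/dev/null 2>&1 || exit 1
  done
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  # Leaf mirrors the question's cert: not a CA, a SAN, and an AIA "CA Issuers"
  # pointer naming where the intermediate can be fetched (constructed URI).
  printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:*.example.test\n' > leaf.ext
  printf 'authorityInfoAccess=caIssuers;URI:http://ca.example.test/int.crt\n' >> leaf.ext
  sign root.csr root.crt ca.ext &&
    sign int.csr int.crt ca.ext root.crt root.key &&
    sign leaf.csr leaf.crt leaf.ext int.crt int.key
)

# Step 1 of both answers: the AIA "CA Issuers" URI names the intermediate to fetch.
aia_issuer_uri() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *CA Issuers - URI://p'
}
# Trusting only the intermediate: OpenSSL rejects a chain that does not end in a
# self-signed root ("unable to get issuer certificate") unless -partial_chain is set.
verify_intermediate_only() { openssl verify -CAfile "$WORK/int.crt" "$WORK/leaf.crt" >/dev/null 2>&1; }
verify_partial_chain() { openssl verify -partial_chain -CAfile "$WORK/int.crt" "$WORK/leaf.crt" >/dev/null 2>&1; }
# Full chain: the root is the trust anchor, the intermediate is an untrusted helper.
verify_full_chain() { openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$WORK/leaf.crt" >/dev/null 2>&1; }
# CApath form: a directory of hash-named links, which c_rehash / ca-certificates produce.
verify_capath() {
  mkdir -p "$WORK/certs" && cp "$WORK/root.crt" "$WORK/int.crt" "$WORK/certs/" &&
    openssl rehash "$WORK/certs" >/dev/null 2>&1 &&
    openssl verify -CApath "$WORK/certs" "$WORK/leaf.crt" >/dev/null 2>&1
}
```

For a real certificate, the same aia_issuer_uri call on it prints the gdig2.crt URL shown in the question, and that file is what goes into -CAfile (with -partial_chain) or into the CApath directory beside the root.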