Verify certificates with OpenSSL

Issue

Check the host and intermediate certificates with a CA certificate to verify the authentication chain before importing them into EBO servers.

Product Line

EcoStruxure Building Operation

Environment

• Enterprise Central
• Enterprise Server
• Automation Server
• Edge Server

Cause

Certificates are provided and can be assigned incorrectly or to the incorrect server; therefore, they do not function as expected.

Resolution

1. Verify you have the following:
   1. Host certificate in PEM file format
   2. Intermediate Certificates in one pem file, not including Certificate Authority (CA) cert
   3. CA Certificate where Issuer and Subject Name are the same, indicating it is self-signed.
   4. OpenSSL is installed on the computer with the files. Use OpenSSL installed with EBO or install as mentioned in Ensuring the SSL Host Certificate and key file are a matching pair
2. Use this command: 

   openssl verify -CAfile ca.pem -untrusted intermediate.pem server.pem​

3. The explanation of the command is as follows:
   1. openssl verify: This initiates the certificate verification process.
   2. -CAfile ca.pem: Specifies the path to the PEM file containing the trusted CA (Certificate Authority) certificate.
   3. -untrusted intermediate.pem: Indicates the path to the PEM file containing the intermediate certificates. They are marked as untrusted because the system does not directly trust them, but their validity will be checked against the CA certificate.
   4. server.pem: Specifies the path to the PEM file containing the host server certificate you want to verify.
4. The expected responses are: 
   1. server.pem: OK: Verification successful, indicating the server certificate is valid and its chain of trust is established.
   2. Error messages: If any errors occur during verification, they'll be displayed in the output. Common errors include certificate expiration, invalid signatures, or missing intermediate certificates
5. Additional information:
   1. Ensure the file paths are correct and the certificates are in PEM format
   2. Ensure the host and intermediate certificates are installed on the server device and the CA Certificate on the client device.
   3. If you encounter issues, double-check the validity of the file permissions and certificates.
   4. For more detailed output, add the -verbose option to the command.
   5. To check expiration dates, use 

      openssl x509 -in server.pem -noout -dates