How to… (dealing with certificates)

Certificates must be in PEM format and may need hashing in order for OpenSSL to find the correct certificate.

This section describes:

  • How to convert a number of formats to PEM format.
  • How to generate hashed file names of certificates.
  • Other commands that may prove handy at some point.

To find out which server certificate is required

To find out which server root certificate is required by a secured website or web service, use the OpenSSL command openssl s_client -showcerts -connect host:port. For example::

  openssl s_client -showcerts -connect ccapi.client.qvalent.com:443

The output of the command contains the certificate chain that is used by the secured connection. Look for the words “Certificate chain”. Under these words you will find text that resembles the following::

   0 s:/C=AU/ST=NSW/L=Wallsend/O=QVALENT Pty Ltd/OU=Terms of use at www.verisign.com/rpa (c)00/CN=ccapi.client.qvalent.com
     i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
  -----BEGIN CERTIFICATE-----

  -----END CERTIFICATE-----
   1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
     i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
  -----BEGIN CERTIFICATE-----

  -----END CERTIFICATE-----
  ---

You may have noticed that the issuer of a certificate (preceded by “i:” in the output) is the subject of the certificate (preceded by “s:” in the output) that is next in the chain.

The required root certificate is the one whose subject equals the issuer of the last certificate in the chain.
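
The chain-reading steps above can be scripted. The following is an added shell example, not part of the original page: ``required_root`` reads s_client output, checks that each certificate's issuer equals the subject of the next one, and prints the issuer of the last certificate. The function names, the sample chain and its distinguished names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Live use (host:port is a placeholder):
#   openssl s_client -showcerts -connect host:port </dev/null 2>/dev/null | required_root

# Print the issuer of the last certificate in the "Certificate chain" section.
# Exit status 1 means no chain was found or a subject/issuer link is broken.
required_root() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---$/  { in_chain = 0 }      # a bare "---" ends the section
        in_chain && /^ *[0-9]+ s:/ {               # subject line, e.g. " 0 s:<DN>"
            subj = $0; sub(/^ *[0-9]+ s:/, "", subj)
            # The subject must equal the issuer of the previous certificate.
            if (n > 0 && subj != issuer) broken = 1
            n++
        }
        in_chain && /^ *i:/ {                      # issuer line, e.g. "   i:<DN>"
            issuer = $0; sub(/^ *i:/, "", issuer)
        }
        END {
            if (n == 0 || broken) exit 1
            print issuer
        }
    '
}

# Constructed sample of s_client output (certificate bodies omitted).
sample_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=AU/O=Example Pty Ltd/CN=www.example.test
   i:/O=Example Intermediate CA
-----BEGIN CERTIFICATE-----
(base64 omitted)
-----END CERTIFICATE-----
 1 s:/O=Example Intermediate CA
   i:/O=Example Root CA
-----BEGIN CERTIFICATE-----
(base64 omitted)
-----END CERTIFICATE-----
---
Server certificate
EOF
}

sample_output | required_root
```

The chain a server sends is untrusted input: use the printed name only to identify which root you need, and obtain the root certificate itself from the CA or an existing trust store.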