Wednesday, December 18, 2013

OpenSSL: verify a Windows code signing cert on Linux

HOWTO test the signing chain of a Windows code signing cert. You'll probably need to convert it to PEM first:
openssl pkcs12 -in signing_cert.pfx -out file.pem
openssl verify -verbose -purpose any file.pem
Chances are pretty good that you'll be missing an intermediate signing cert, and the cert issuers don't make it particularly easy to find them. Your best bet is to search the web for the issuer CN, which the x509 command below prints. Once you have the intermediate you can tell openssl about it using the "untrusted" option, which is helpfully missing from the verify commandline documentation.
openssl x509 -in file.pem -text -noout
openssl verify -verbose -purpose any -untrusted intermediate_untrusted.pem file.pem
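The whole procedure end to end, as an added example that is not the post's own: a POSIX shell script that builds a constructed root -> intermediate -> code-signing chain, packs the leaf into a .pfx the way a Windows signing cert usually ships, and then runs the post's conversion, issuer lookup and -untrusted verification against it. All names, paths and the "secret" passphrase are made up, and -CAfile points at the constructed root only because it is not in the system trust store.

```sh
#!/bin/sh
# Added example (not the post's own): throwaway root -> intermediate -> code-signing
# leaf chain, packed into a .pfx, then the post's steps. Everything here is constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
# Extensions for the two CA certs and for the code-signing leaf
cat > "$WORK/ext.cnf" <<'EOF'
[ca]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
[leaf]
basicConstraints=CA:FALSE
extendedKeyUsage=codeSigning
EOF
# mkcsr NAME CN: fresh RSA key plus CSR under $WORK
mkcsr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}
mkcsr root "Example Root CA"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
  -extfile "$WORK/ext.cnf" -extensions ca -out "$WORK/root.pem" 2>/dev/null
mkcsr int "Example Intermediate CA"
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 2 -extfile "$WORK/ext.cnf" -extensions ca \
  -out "$WORK/int.pem" 2>/dev/null
mkcsr leaf "Example Publisher"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 2 -extfile "$WORK/ext.cnf" -extensions leaf \
  -out "$WORK/leaf.pem" 2>/dev/null
# The .pfx holds only the leaf and its key, as a Windows signing cert usually ships
openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$WORK/leaf.pem" \
  -out "$WORK/signing_cert.pfx" -passout pass:secret
# Step 1: convert to PEM. -clcerts -nokeys keeps the private key out of file.pem
openssl pkcs12 -in "$WORK/signing_cert.pfx" -passin pass:secret \
  -clcerts -nokeys -out "$WORK/file.pem"
# Step 2: the issuer CN is the name to search for when hunting the intermediate
issuer_cn() { openssl x509 -in "$1" -noout -issuer | sed 's/.*CN *= *//'; }
# Step 3: verify CERT [INTERMEDIATE]; succeeds only on "<cert>: OK". -CAfile names
# the constructed root because it is not in the system trust store.
verify_chain() {
  if [ -n "${2:-}" ]; then
    openssl verify -verbose -purpose any -CAfile "$WORK/root.pem" -untrusted "$2" "$1"
  else
    openssl verify -verbose -purpose any -CAfile "$WORK/root.pem" "$1"
  fi 2>&1 | grep -q ': OK$'
}
verify_chain "$WORK/file.pem" || echo "without the intermediate: verification fails"
verify_chain "$WORK/file.pem" "$WORK/int.pem" && echo "with -untrusted: chain OK"
```

Unlike the plain `openssl pkcs12 -in ... -out` form above, the extraction step passes -clcerts -nokeys, so file.pem holds only the certificate and not the signing key.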
