How to match certificate and its intermediate counterpart

Match a certificate to its intermediate counterpart by using the X.509 key identifier extensions.

All you need to do is compare the authority key identifier of the certificate to the subject key identifier of the intermediate certificate.

The authority key identifier identifies the public key that corresponds to the private key used to sign a certificate.

The subject key identifier identifies the public key that corresponds to the private key used to sign an intermediate certificate.

Display key identifiers

Display the X509v3 Authority Key Identifier for the certificate. The awk expression strips the indentation and the keyid: prefix; OpenSSL 3.x prints the identifier without that prefix, so the prefix is made optional. gensub() requires GNU awk.

$ openssl x509 -in certificate.crt -text -noout | awk ' /X509v3 Authority Key Identifier/ {getline;print gensub("^ +(keyid:)?","","g",$0)}'
56:34:05:BF:44:72:56:3D:96:29:D3:FF:31:7B:EF:9D:45:49:39:A9

Display the X509v3 Subject Key Identifier for the intermediate certificate.

$ openssl x509 -in certificate.intermediate.crt -text -noout | awk ' /X509v3 Subject Key Identifier/ {getline;print gensub("^ +","","g",$0)}'
56:34:05:BF:44:72:56:3D:96:29:D3:FF:31:7B:EF:9D:45:49:39:A9

Compare key identifiers

Compare the X509v3 Authority Key Identifier of the certificate to the X509v3 Subject Key Identifier of the intermediate certificate to verify that the certificate matches its intermediate counterpart. The command prints OK when both identifiers are equal, otherwise it prints NOT OK and exits with status 11. Equal key identifiers only show that the certificate names the intermediate's key as its issuer key; they do not verify the signature itself, which is what openssl verify is for.

$ CERTIFICATE="certificate.crt"; INTERMEDIATE_CERTIFICATE="certificate.intermediate.crt"; \
  (openssl x509 -in "$CERTIFICATE"              -text -noout | awk '/X509v3 Authority Key Identifier/ {getline;print gensub("^ +(keyid:)?","","g",$0)}'; \
   openssl x509 -in "$INTERMEDIATE_CERTIFICATE" -text -noout | awk '/X509v3 Subject Key Identifier/   {getline;print gensub("^ +","","g",$0)}') |     \
     uniq -c | \
     awk '{ if($1 == 2 && NR == 1)  print "OK";  else { print "NOT OK"; exit(11);} }'
OK
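The same check as a reusable script, added here as an example that is not part of the original post. It assumes only the openssl CLI and a POSIX awk (no GNU gensub()), accepts both the OpenSSL 1.1.1 output with the keyid: prefix and the OpenSSL 3.x output without it, and treats a missing key identifier as a mismatch instead of a silent match of empty strings.

```shell
#!/bin/sh
# Added example, not part of the original post: compare the X509v3 Authority
# Key Identifier of a certificate with the X509v3 Subject Key Identifier of
# the certificate that is supposed to have signed it (the intermediate).
# Assumes the openssl CLI and a POSIX awk; handles both the OpenSSL 1.1.1
# layout ("keyid:56:34:...") and the OpenSSL 3.x layout ("56:34:..." without
# the keyid: prefix), so it does not depend on GNU awk's gensub().

# key_id <extension name> <certificate file>
# Prints the identifier as 40 upper-case hex digits without separators
# (e.g. 563405BF...), or nothing if the extension or its keyid is absent.
key_id() {
    openssl x509 -in "$2" -noout -text 2>/dev/null |
    awk -v ext="$1" '
        found { sub(/^ *(keyid:)?/, "")                 # strip indent / prefix
                if ($0 ~ /^[0-9A-Fa-f:]+$/) print       # only a bare key id
                exit }
        $0 ~ ext { found = 1 }                          # value is on next line
    ' | tr -d ':' | tr 'a-f' 'A-F'
}

# key_ids_match <certificate> <intermediate certificate>
# Returns 0 (and prints OK) when the certificate's authority key identifier
# equals the intermediate's subject key identifier, 1 otherwise.  An empty
# identifier never matches, so a missing extension is reported as NOT OK.
key_ids_match() {
    aki=$(key_id "X509v3 Authority Key Identifier" "$1")
    ski=$(key_id "X509v3 Subject Key Identifier" "$2")
    if [ -n "$aki" ] && [ "$aki" = "$ski" ]; then
        echo "OK: $aki"
        return 0
    fi
    echo "NOT OK: authority key id '$aki' != subject key id '$ski'" >&2
    return 1
}

# Usage: ./match-key-ids.sh certificate.crt certificate.intermediate.crt
if [ "$#" -eq 2 ]; then
    key_ids_match "$1" "$2"
fi
```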

Additional notes

Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (RFC 5280)