PKI Engineers know - OpenSSL > Certutil GUI - OpenSource FTW!

in #hive-136515, 3 years ago

For your certificate validation needs, OpenSSL is vastly superior. Made this meme to commemorate this fact.


Why?

  • OpenSSL is open source.

https://github.com/openssl/openssl

  • OpenSSL can perform an OCSP check using just the certificate serial number as the parameter (the -serial option of openssl ocsp), so you don't even need a copy of the certificate itself.

Yeah yeah, so you also have to hand it the issuer certificate (-issuer) and a PEM file holding your chain or root CA (-CAfile) so it can verify the response, but that's not rocket surgery. And if what you have is DER encoded, OpenSSL converts it to PEM in one command.

  • OpenSSL is more forgiving of network conditions and packet sequencing issues. This one is based on my experience of Certutil flipping me the bird when packets were received in an order that was not expected.

Did I mention it was open source?

So, for all these reasons and more: OpenSSL provides a robust suite of functionality for working with SSL/TLS certificates or managing a Public Key Infrastructure. It's really been a life saver!

Certutil does have its uses, though. If you need to quickly inspect or validate a cert based on the extensions burned into it, it's a good tool, but as I said it has its shortcomings.

Now, as much as I would like to say OpenSSL is the best thing since sliced bread, it does have room for improvement in my opinion.

OpenSSL room for improvement (Maybe)

For example, when using OpenSSL to load CRLs (Certificate Revocation Lists), there is no option to limit the output: openssl crl parses the whole file. This means that if I want to obtain a certificate serial number from the CRL for the purpose of validating it against OCSP, I need to download the entire CRL, which is a record of every revoked certificate along with metadata about each revocation (the revocation date and optional entry extensions such as the reason code).

For my purposes that is less than ideal, but I am not sure whether it is possible to decode only a portion of a CRL file, specifically its first or last entry, so that a serial number can be parsed from the output.

If a section of an encoded CRL cannot be decoded on its own, then I guess the next best bet would be to define a standard or protocol by which the last CRL entry can be obtained instead of the entire record. (Worth knowing before inventing one: RFC 5280 already defines delta CRLs, which carry only the changes since a base CRL, and OCSP itself exists precisely so a client can ask about one serial without fetching any list.)

Think of it in blockchain terms...

I want to obtain the last transaction without downloading the entire chain. If a solution exists, it will depend on understanding how CRLs are encoded: specifically the Distinguished Encoding Rules (DER), and the Base64 wrapping that PEM adds on top of them. DER is a stream of tag-length-value records whose lengths are stated up front, so the first entries of the revocation list can in principle be read from a prefix of the file, whereas nothing in the encoding points at the last entry from the end, so reaching it means walking the list forward.
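As an added example (my code, not the author's and not part of OpenSSL), here is a Python sketch of the partial-decode idea from the CRL paragraphs above, tied back to the OCSP bullet earlier in the post: a streaming DER reader that pulls the first N serials out of a CRL after consuming only a prefix of it, a PEM-prefix decoder, and the argument list those serials feed into for `openssl ocsp`. The CRL it parses is constructed inline with a zero-filled dummy signature, and the file names and responder URL passed to `ocsp_command` are placeholders.

```python
import base64
import io

# --- tiny DER encoder, used only to CONSTRUCT the sample CRL below ---------------
def der(tag, body):
    """Tag-length-value with a definite short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(v):
    """Non-negative INTEGER; the +8 keeps a leading 0x00 when the high bit is set."""
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

SHA256_RSA = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
ISSUER = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0c, b"Test CA"))))

def build_crl(serials):
    """Constructed v2 CRL with a zero-filled dummy signature (not any real CA's CRL)."""
    utc = lambda s: der(0x17, s.encode())
    tbs = der_int(1) + SHA256_RSA + ISSUER + utc("240101000000Z") + utc("240108000000Z")
    if serials:  # RFC 5280: revokedCertificates is absent, not empty, when nothing is revoked
        tbs += der(0x30, b"".join(der(0x30, der_int(n) + utc("240102000000Z")) for n in serials))
    return der(0x30, der(0x30, tbs) + SHA256_RSA + der(0x03, b"\x00" * 257))

def to_pem(data):
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN X509 CRL-----\n{body}\n-----END X509 CRL-----\n"

# --- streaming DER reader: the part that answers "can I decode only a portion?" ---
class DerStream:
    """Sequential TLV reader over anything with read(n); counts bytes consumed."""
    def __init__(self, fp):
        self.fp, self.consumed = fp, 0

    def read(self, n):
        data = self.fp.read(n)
        if len(data) != n:
            raise EOFError("truncated DER input")
        self.consumed += n
        return data

    def header(self):
        """One tag byte plus a definite length (DER forbids indefinite lengths)."""
        tag, first = self.read(1)[0], self.read(1)[0]
        if first == 0x80:
            raise ValueError("indefinite length is not DER")
        return tag, first if first < 0x80 else int.from_bytes(self.read(first & 0x7F), "big")

    def expect(self, want):
        tag, length = self.header()
        if tag != want:
            raise ValueError(f"expected tag 0x{want:02x}, got 0x{tag:02x}")
        return length

def first_revoked_serials(src, count):
    """Return (serials, bytes_consumed) for the first `count` revokedCertificates
    entries of a DER CRL, reading src sequentially and stopping as soon as possible."""
    s = DerStream(io.BytesIO(src) if isinstance(src, (bytes, bytearray)) else src)
    s.expect(0x30)                                  # CertificateList ::= SEQUENCE
    tbs_len = s.expect(0x30)                        # tbsCertList ::= SEQUENCE
    tbs_end = s.consumed + tbs_len
    tag, ln = s.header()
    if tag == 0x02:                                 # version INTEGER (present in v2)
        s.read(ln)
        tag, ln = s.header()
    s.read(ln)                                      # signature AlgorithmIdentifier
    s.read(s.expect(0x30))                          # issuer Name
    s.read(s.header()[1])                           # thisUpdate (UTCTime or GeneralizedTime)
    tag, ln = s.header() if s.consumed < tbs_end else (None, 0)
    if tag in (0x17, 0x18):                         # nextUpdate OPTIONAL
        s.read(ln)
        tag, ln = s.header() if s.consumed < tbs_end else (None, 0)
    if tag != 0x30:                                 # list absent, or only [0] crlExtensions left
        return [], s.consumed
    list_end = s.consumed + ln
    serials = []
    while len(serials) < count and s.consumed < list_end:
        entry_len = s.expect(0x30)                  # one revoked-certificate entry
        entry_end = s.consumed + entry_len
        serials.append(int.from_bytes(s.read(s.expect(0x02)), "big", signed=True))
        s.read(entry_end - s.consumed)              # revocationDate + optional entry extensions
    return serials, s.consumed

def pem_prefix_to_der(pem_text, max_chars):
    """Decode only the first max_chars of the PEM body: Base64 maps each 4 chars to
    3 bytes, so cutting at a multiple of 4 gives an exact DER prefix with no padding."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body[: max_chars - max_chars % 4])

def ocsp_command(serial, issuer_pem, cafile_pem, responder_url):
    """argv for `openssl ocsp`: -issuer names the CA cert, -CAfile the trust store used
    to verify the response, -serial takes the number itself (hex with a 0x prefix).
    The paths and URL are whatever the caller supplies (placeholders in the demo)."""
    return ["openssl", "ocsp", "-issuer", issuer_pem, "-CAfile", cafile_pem,
            "-serial", f"0x{serial:x}", "-url", responder_url]

# Constructed sample: three hand-picked serials followed by 1000 filler entries.
SAMPLE_SERIALS = [0x1001, 0x80, 0xDEADBEEFCAFE] + list(range(5000, 6000))
SAMPLE_CRL = build_crl(SAMPLE_SERIALS)
SAMPLE_PEM = to_pem(SAMPLE_CRL)

if __name__ == "__main__":
    serials, used = first_revoked_serials(SAMPLE_CRL, 3)
    print(f"read {used} of {len(SAMPLE_CRL)} bytes for serials {[hex(n) for n in serials]}")
    print(" ".join(ocsp_command(serials[0], "issuer.pem", "chain.pem", "http://ocsp.example.test")))
```

Because `DerStream` only ever calls `read(n)`, `src` can just as well be an open HTTP response as the in-memory sample, and the download stops at the header plus the entries you asked for. The last entry is the hard case: you have to walk the list to get there, and RFC 5280 does not require revokedCertificates to be in any order, so "last" is not necessarily "most recently revoked" anyway. For PEM, the Base64 layer decodes cleanly at any multiple of 4 characters, which is why `pem_prefix_to_der` needs no padding step.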

If I figure it out, I'll update this post 👌


Very good article, my friend. Greetings from me, have a nice day.

Thank you very much!

Thanks again, friend.

For decoding a portion of a PEM file, it seems possible, although the requirement seems to be padding the file with characters so that it is divisible by 4.

This sounds like a pull request for someone who is smarter than me on their repository. Maybe I could do it, but it sounds like a challenge.

https://stackoverflow.com/questions/42426346/is-it-possible-to-base64-decode-part-of-a-base64-encoded-message