On Monday, 5 March 2018 14:25:40 GMT Adam Carter wrote:
> On Monday, March 5, 2018, Walter Dnes <waltd...@waltdnes.org> wrote:
> > app-misc/ca-certificates splatters a bunch of files all over the
> > place. Question... is there a utility to figure out which domains any
> > particular certificate covers

I assume you mean: "... which domains any particular *CA* certificate covers"?

If yes,

> A ca certificate may sign any domain cert, and new domains can be signed at
> any time.
>
> So any certificate is only as trusted as the least trustworthy ca in your
> certificate store.... some people call this a dumpster fire. Certificate
> transparency (logs of who issued what) helps reduce the risk of a dodgy ca
> issuing a certificate they shouldn’t have without being noticed.

If no, what you wrote is exactly what you meant to ask,

> You can go the other way, and see which ca was used to sign any cert that a
> server presents, as that info is included in the cert presented by the
> server.

In this case, to examine the DN of the CA which signed a server certificate you need:

openssl x509 -in server.pem -issuer -noout

-- 
Regards,
Mick
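
Added example, not part of the original thread: the `openssl x509 -issuer` check from the reply, extended to find which file in a certificate store actually issued a given server certificate. The function names, paths and demo certificates are constructed for illustration, and the demo assumes an `openssl` binary with its default configuration.

```shell
#!/bin/sh
# Map a server certificate back to the CA file in a store that issued it.
# Everything generated below is constructed demo data, not real certificates.

# Print the file in store dir $2 whose subject matches the issuer of cert $1
# and whose key verifies it. Prints nothing and returns 1 if there is none.
find_issuing_ca() {
    cert=$1 store=$2
    want=$(openssl x509 -in "$cert" -noout -issuer_hash) || return 1
    for ca in "$store"/*; do
        [ -f "$ca" ] || continue
        have=$(openssl x509 -in "$ca" -noout -subject_hash 2>/dev/null) || continue
        [ "$have" = "$want" ] || continue
        # A matching name is only a hint; confirm the signature as well.
        if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
            printf '%s\n' "$ca"
            return 0
        fi
    done
    return 1
}

# Build a constructed store with two CAs and a server cert signed by the second.
make_demo() {
    d=$1
    mkdir -p "$d/store"
    for n in one two; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Demo CA $n" \
            -keyout "$d/ca-$n.key" -out "$d/store/ca-$n.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -days 1 -set_serial 1 \
        -CA "$d/store/ca-two.pem" -CAkey "$d/ca-two.key" \
        -out "$d/server.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_demo "$demo"
openssl x509 -in "$demo/server.pem" -issuer -noout   # the command from the reply
find_issuing_ca "$demo/server.pem" "$demo/store"     # path of the issuing CA file
```

On a real system the second argument would be the directory where ca-certificates installs its PEM files.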