cert-chain-resolver

command module

v0.0.0-...-bc8a60c Latest Latest Go to latest Published: May 25, 2016 License: MIT Imports: 5 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

README ¶

SSL certificate chain resolver

This application downloads all intermediate CA certificates for a given SSL server certificate. It can help you fix the incomplete certificate chain issue, also reported as Extra download by Qualys SSL Server Test.

See Releases for prebuilt binaries or build it yourself.

NOTE: In case of any troubles with Go you can try the deprecated shell script in shell branch.

Usage

NAME:
   cert-chain-resolver - SSL certificate chain resolver

USAGE:
   cert-chain-resolver [global options] [INPUT_FILE]

GLOBAL OPTIONS:
   --output, -o "OUTPUT_FILE"   output filename (default: stdout)
   --intermediate-only, -i      output intermediate certificates only
   --der, -d                    output DER format

Example

$ cert-chain-resolver -o domain.bundle.pem domain.pem
1: *.xxx.com
2: COMODO RSA Domain Validation Secure Server CA
3: COMODO RSA Certification Authority
Certificate chain complete.
Total 3 certificate(s) found.

Build

Dependencies:

Go 1.6

go get github.com/Masterminds/glide
glide install
go build

Tests

go test $(glide novendor)
tests/run.sh

Background

Incomplete certificate chain

All operating systems contain a set of default trusted root certificates. But CAs usually don't use their root certificate to sign customer certificates. Instead of they use so called intermediate certificates, because they can be rotated more frequently.

A certificate can contain a special Authority Information Access extension (RFC-3280) with URL to issuer's certificate. Most browsers can use the AIA extension to download missing intermediate certificate to complete the certificate chain. This is the exact meaning of the Extra download message. But some clients (mobile browsers, OpenSSL) don't support this extension, so they report such certificate as untrusted.

A server should always send a complete chain, which means concatenated all certificates from the certificate to the trusted root certificate (exclusive, in this order), to prevent such issues. Note, the trusted root certificate should not be there, as it is already included in the system’s root certificate store.

You should be able to fetch intermediate certificates from the issuer and concat them together by yourself, this script helps you automatize it by looping over certificate's AIA extension field.

Other implementations

deprecated shell script (shell)
https://certificatechain.io/ (webservice)
freekmurze/ssl-certificate-chain-resolver (PHP)

Licence

The MIT License (MIT). See LICENCE file for more information. TL;DR

If you use my code in some interesting project, I'd be happy to know about it.

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
certUtil

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL