How can I find all certificates issued by Internet Security Research Group?

cd  /etc/ssl/certs
ls |wc -l
254

There are so many certificates in /etc/ssl/certs: 254.

How can I find all certificates issued by Internet Security Research Group, or, say, related to Let's Encrypt?

https://www.openssl.org/docs/man1.1.1/man1/x509.html

openssl x509 -in somecert.pem -noout -issuer should be a starting point.

# openssl x509 -in cer.pem -issuer -noout
issuer=C = US, O = Let's Encrypt, CN = E1

I ran it on a leaf certificate, but you can run it on a self-signed root and get the info you want.

3 Likes
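The question at the top of the thread, with the openssl x509 -issuer check from this reply applied to a whole directory, as an added example that is not code from the original thread. It is written in Go with the standard library's crypto/x509 rather than the openssl CLI, so it runs without openssl installed. It builds a constructed stand-in for /etc/ssl/certs (two self-signed test roots, a hash-style symlink whose name is a placeholder rather than a real subject hash, and a ca-certificates.crt bundle containing both roots again), then scans it for certificates whose issuer O= contains "Internet Security Research Group", reporting each distinct certificate once even though the symlink and the bundle make it appear three times. The file names, the "Example CA" and the test roots are all made up for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// CertMatch is one distinct certificate found in the scanned directory.
type CertMatch struct {
	File, Issuer string
	Fingerprint  string // hex SHA-256 of the DER, as openssl x509 -fingerprint -sha256 prints it
}

// ScanDir reads every file in dir (following symlinks such as the <hash>.0 links in
// /etc/ssl/certs) and returns the PEM certificates whose issuer O= contains needle.
// The same DER usually appears several times (file, hash symlink, bundle), so results
// are de-duplicated by SHA-256 fingerprint.
func ScanDir(dir, needle string) ([]CertMatch, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	needle = strings.ToLower(needle)
	seen := map[string]bool{}
	var out []CertMatch
	for _, e := range entries {
		path := filepath.Join(dir, e.Name())
		data, _ := os.ReadFile(path) // unreadable entries (subdirectories, dangling symlinks) yield no blocks
		for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
			if block.Type != "CERTIFICATE" {
				continue
			}
			c, err := x509.ParseCertificate(block.Bytes)
			if err != nil || !strings.Contains(strings.ToLower(strings.Join(c.Issuer.Organization, "|")), needle) {
				continue
			}
			fp := fmt.Sprintf("%x", sha256.Sum256(c.Raw))
			if seen[fp] {
				continue
			}
			seen[fp] = true
			out = append(out, CertMatch{File: path, Issuer: c.Issuer.String(), Fingerprint: fp})
		}
	}
	return out, nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSignedPEM builds a constructed self-signed CA certificate for the demo store.
func selfSignedPEM(org, cn string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{Organization: []string{org}, CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// BuildSampleStore writes a constructed stand-in for /etc/ssl/certs into dir: two test
// roots, a hash-style symlink (placeholder name, not a real subject hash) and a
// ca-certificates.crt bundle that contains both roots again.
func BuildSampleStore(dir string) error {
	isrg := selfSignedPEM("Internet Security Research Group", "Test ISRG Root")
	other := selfSignedPEM("Example CA", "Test Other Root")
	files := map[string][]byte{"isrg-root.pem": isrg, "other-root.pem": other,
		"ca-certificates.crt": append(append([]byte{}, isrg...), other...)}
	for name, data := range files {
		if err := os.WriteFile(filepath.Join(dir, name), data, 0o644); err != nil {
			return err
		}
	}
	return os.Symlink("isrg-root.pem", filepath.Join(dir, "ffffffff.0"))
}

func main() {
	dir, _ := os.MkdirTemp("", "certs-demo")
	defer os.RemoveAll(dir)
	must(BuildSampleStore(dir))
	matches, _ := ScanDir(dir, "Internet Security Research Group")
	fmt.Printf("%d distinct certificate(s): %+v\n", len(matches), matches)
}
```

Pointing ScanDir at the real /etc/ssl/certs answers the original question; the de-duplication matters there because a root that is present as a file, as a <hash>.0 symlink and inside ca-certificates.crt would otherwise be listed three times. With the thread's own tool the equivalent per-file check is the loop for f in /etc/ssl/certs/*.pem; do openssl x509 -in "$f" -noout -issuer; done | grep -i "internet security research group", which prints one issuer line per matching file (without the de-duplication).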

That command will let you analyze certificates, however...

ISRG/LetsEncrypt clients typically save their certificates into /etc/letsencrypt or their own dedicated directory. Offhand, I don't know of any LetsEncrypt clients that save certificates into the /etc/ssl/certs directory. In my experience, the certificates usually found in the /etc/ssl/certs directory are either placed manually or through an openssl package.

4 Likes

Indeed, isn't /etc/ssl/certs the location of the root store? The location is used by update-ca-certificates to update the Ubuntu root store, so that makes me believe this is indeed the location for root certificates.

@infoand What certificates are you looking for exactly? Could you please be more specific? End leaf certificates? Root certificates? Why do you ask?

5 Likes

It's a common location for CA certificates, yes. It often contains both a collection of CA certificates in individual files (or symlinks) and a single file, ca-certificates.crt, which contains the "bundle" generally used as the trust store.

6 Likes

I believe Ubuntu (or Debian) decided to use /etc/ssl/certs for the root and /etc/ssl/private for userland certificates rather recently -- but a lot of other projects and distributions placed both under /etc/ssl/certs for quite some time.

Historically, there have been a lot of projects/software with documentation for placing commercially obtained certificates under /etc/ssl/certs. Many projects that utilize self-signed "snake-oil" certificates generated and automatically placed them in /etc/ssl/certs as well.

Anyways, there should be 3 types of "roots" under Ubuntu's /etc/ssl/certs:

  • a ca-certificates.crt file. IIRC, this is the OS Root Store.
  • symlinks to /usr/share/ca-certificates/mozilla . IIRC, this is via package managers
  • symlinks to other files in the same directory. I've always thought these were used as a lookup table for certs, via hashes of the private key - but I never learned the purpose of them.

3 Likes

Same as what you have explained before: Some software uses them, instead of the single-bundle file.

A noteworthy example is OpenSSL: by default OpenSSL reads all files/symlinks in <hash>.0 format from /etc/ssl/certs* (or whatever default path OpenSSL was compiled/configured with) and builds the trust store from there. From a short test on Debian, the ca-certificates.crt file seems not to be used at all. Looking at the code, OpenSSL has apparently always supported both a single -CAfile and a -CApath.

The ca-certificates package from Debian/Ubuntu configures both upon adding/removing certificates.

*On my Debian 11 machine OpenSSL is in fact compiled with /usr/lib/ssl, with /usr/lib/ssl/certs being a symlink to /etc/ssl/certs. The default path logic in OpenSSL is a bit different from what you might expect (the default filename for the bundle seems to be cert.pem in the configured data directory).

4 Likes

Thanks! Wow! I guessed right!

4 Likes
