中間CA証明書が正常にインストールされているかをopensslコマンドで確認する方法
こちらの解説によると中間CA証明書がインストールされていない場合にPC上のブラウザでは補完を行うが携帯端末では情報の保管を行わないためにSSLのエラーになってしまう事があるそうなのですが、
openssl
コマンドで状況を確認するときに出力のどこを見ればいつ期限が切れたかがわかるのでしょうか?
globalsign-のルート証明書の件について という記事を参考に
$ wget https://jp.globalsign.com/
--2015-02-12 20:41:25-- https://jp.globalsign.com/
Resolving jp.globalsign.com... 198.41.214.156, 198.41.215.156
Connecting to jp.globalsign.com|198.41.214.156|:443... connected.
ERROR: cannot verify jp.globalsign.com's certificate, issued by `/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G2':
Unable to locally verify the issuer's authority.
To connect to jp.globalsign.com insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
してwget
だとエラーが出ることは確認しました。
それと$ openssl s_client -connect jp.globalsign.com:443 -showcerts
コマンドで以下の出力になることを確認していますが、期限切れについての情報は自分には見つけられませんでした。
$ openssl s_client -connect jp.globalsign.com:443 -showcerts
CONNECTED(00000003)
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/businessCategory=Private Organization/serialNumber=0110-01-040181/1.3.6.1.4.1.311.60.2.1.3=JP/C=JP/ST=Tokyo/L=Shibuya/street=26-
1 Sakuragaoka/O=GMO GlobalSign K.K./CN=jp.globalsign.com
i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G2
-----BEGIN CERTIFICATE-----
MIIHkDCCBnigAwIBAgIMeE3tF6LAhw5MF6WZMA0GCSqGSIb3DQEBCwUAMGIxCzAJ
BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTgwNgYDVQQDEy9H
bG9iYWxTaWduIEV4dGVuZGVkIFZhbGlkYXRpb24gQ0EgLSBTSEEyNTYgLSBHMjAe
Fw0xNTAxMjMwMjMxMDNaFw0xNzAxMjMwMjMxMDNaMIHRMR0wGwYDVQQPDBRQcml2
YXRlIE9yZ2FuaXphdGlvbjEXMBUGA1UEBRMOMDExMC0wMS0wNDAxODExEzARBgsr
BgEEAYI3PAIBAxMCSlAxCzAJBgNVBAYTAkpQMQ4wDAYDVQQIEwVUb2t5bzEQMA4G
A1UEBxMHU2hpYnV5YTEZMBcGA1UECRMQMjYtMSBTYWt1cmFnYW9rYTEcMBoGA1UE
ChMTR01PIEdsb2JhbFNpZ24gSy5LLjEaMBgGA1UEAxMRanAuZ2xvYmFsc2lnbi5j
b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCrr8ESC0H8erg51T3
O666u0oJe6E1fx6slXawZTHFcnOjYa1csEZj4hr2WAqQv2HLkgwjOejg1xeN1/GJ
S5J/1gX8PiAAqwwR5DkUXCDMgeS8B9iOvYfnieaM0au/ohyMFyPa//SRmMFwBzOe
9EoQ6ToYRKXDLwo7JAWrIl+lgj+QZxUWCu1xax4B9Dktv0DEsXkgSSNwfbzG66gI
OqMoPjSxliGYoEHjhBD9BAT7veHro1fcB689jZpZy5qEJYm1C/we1WU1NlCIgZW3
r5qYj9vTHFpGR233dUhbStyuagBBwA6clEvz5WNwDkLcvTPQ8urQADfhIin/9hxD
1FRFAgMBAAGjggPUMIID0DAOBgNVHQ8BAf8EBAMCBaAwTAYDVR0gBEUwQzBBBgkr
BgEEAaAyAQEwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5j
b20vcmVwb3NpdG9yeS8wQwYDVR0fBDwwOjA4oDagNIYyaHR0cDovL2NybC5nbG9i
YWxzaWduLmNvbS9ncy9nc2V4dGVuZHZhbHNoYTJnMi5jcmwwgZQGCCsGAQUFBwEB
BIGHMIGEMEcGCCsGAQUFBzAChjtodHRwOi8vc2VjdXJlLmdsb2JhbHNpZ24uY29t
L2NhY2VydC9nc2V4dGVuZHZhbHNoYTJnMnIyLmNydDA5BggrBgEFBQcwAYYtaHR0
cDovL29jc3AyLmdsb2JhbHNpZ24uY29tL2dzZXh0ZW5kdmFsc2hhMmcyMB0GA1Ud
JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAJBgNVHRMEAjAAMDMGA1UdEQQsMCqC
EWpwLmdsb2JhbHNpZ24uY29tghVlLXNpZ24uZ2xvYmFsc2lnbi5jb20wHQYDVR0O
BBYEFM+wSVoWN0GnoGFZhl47qY3fz+OBMB8GA1UdIwQYMBaAFNpAd0NlHPj+p+P0
ZII+TUMTIjECMIIB8wYKKwYBBAHWeQIEAgSCAeMEggHfAd0AdQBo9pj4H2SCvjqM
7rkoHUz8cVFdZ5PURNEKZ6y7T0/7xAAAAUsUoOiGAAAEAwBGMEQCIFDpbMPCSZVT
+TVT/giIldH9jZC9O+EN7Ue7q3cav1o9AiAnJZH+KBLBeFXLcfpYHlyhct6k192I
oIjggp71t3hQXgB1AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAAB
SxSg79sAAAQDAEYwRAIgDkBLdLtOQVwLubMkMNU1F8FRa/ys8V5W8EKZpfTsRZ0C
IFqsdtOH+XL2+wY3iCgS5ARIMGcL9sxHhZfWLhqfU28cAHUA7ku9t3XOYLrhQmkf
q+GeZqMPfl+wctiDAMR7iXqo/csAAAFLFKD+DAAABAMARjBEAiBUNPJJ9qjkTvVa
5g8aXJwS+MhkE10lpd47eorB9TKBuwIgcY7BfTSEZvbJbOGGqWxITPRTId8nuI3w
BNyvk8NiPLEAdgBWFAaaL9fC7NP14b1Esj7HRna5vJkRXMDvlJhV1onQ3QAAAUsU
oQKLAAAEAwBHMEUCIQCG9KCaQxQVBDSdrHCEXLXifPiE8hiRiQ08uWgeDOEGpAIg
Enwvy003ocbQBvV78SVpJYF4BGIejuazVKvbP9mBuH4wDQYJKoZIhvcNAQELBQAD
ggEBAFjN1+MRRIVwq7pmj9ErQ5D305QpXaokvlxZ4wGlw1gNvWLbH6Jj1vXlLoFu
JqCUxKvQUmzoZKWRMkKX/yjKiFvw8Cb4abr4XT7DfbjHnJryH1M63lgKsattN6BH
kTp/0jiYF/Q7oYWBH0zQ0KQLfGWzupUf8Y1gnxgTduukKky9J3s9Vxe5+Dl3QPwV
1YTuLK8UHFGrxQSnYNzsnrYF3q3cSYiBHAeUzMFI8fYULWoHdzXoN78xi3AxH8Nj
kexuSwZGnUCtLOJ0OoTQg2TRFmkBSJCNHCxwWnOWdwQ6krT0znrGcon0oPhTpyG5
sZTsvwFeDcFq9xCAtWhBPRkz+ec=
-----END CERTIFICATE-----
1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G2
i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
-----BEGIN CERTIFICATE-----
MIIEXTCCA0WgAwIBAgILBAAAAAABRE7wSlUwDQYJKoZIhvcNAQELBQAwTDEgMB4G
A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp
Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMTQwMjIwMTAwMDAwWhcNMjExMjE1
MDgwMDAwWjBiMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1z
YTE4MDYGA1UEAxMvR2xvYmFsU2lnbiBFeHRlbmRlZCBWYWxpZGF0aW9uIENBIC0g
U0hBMjU2IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCj6qHS
w0nl9xxdr8OSQq+KPNzvTOYvXwwrn4pQMGbvTshPIUr25/JOG4xTV7CeyFv3uEZV
sxrtwmr+9BvsSEYOj+D74JEZ35kYby5Rr9r2mspkb5lUEHTqPMiqgE1DN/vIpH8F
nTeSvZgANVqvu1t0FQ68vMbpt4bn7q5NSwRMK6C0ZUi4wzrNdbs3yUrAARHZvz8V
hmAZazQgRvWGZg8k9Mxin5+eHf0QpJle8EHrsJT/LLM21usdpxdf385qd8eaxDJj
pwat8xIbnTByWQvrcusq0nd7kXfbAPzYb/Uv2HrFDDqge16Q852EWcgB2ZE3VuU6
U5OtYEknJdnh2oLXAgMBAAGjggEoMIIBJDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0T
AQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU2kB3Q2Uc+P6n4/Rkgj5NQxMiMQIwRwYD
VR0gBEAwPjA8BgRVHSAAMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2Jh
bHNpZ24uY29tL3JlcG9zaXRvcnkvMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9j
cmwuZ2xvYmFsc2lnbi5uZXQvcm9vdC1yMi5jcmwwPQYIKwYBBQUHAQEEMTAvMC0G
CCsGAQUFBzABhiFodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9yb290cjIwHwYD
VR0jBBgwFoAUm+IHV2ccHsBqBt5ZtJot39wZhi4wDQYJKoZIhvcNAQELBQADggEB
AEDvEpCDdJaK+Tq6m1lKM9PvTBMrtZHLyZbtbvVsZPHGhLJGWVpYglLxNKBUQWQg
q9hXO9QUdHEYNswTwcdwwPVFZg5xroevkpTrcUAJ9Mx39xuThYpKrjOF5nSu9RCm
PslZg8P5XJb5KPc0e+k4xpE8T3FYdf7hVnV2zUDEFUA5qUH9ZBAPl4UH6Hlk0FtN
TJsnl9NzXpJ+H0jiyrkFl07vLBxrTYpfeFOVzQI5wi/maU/2cdGZtX9tIN5Dj9sA
G6M7N97RP23ztpB2Haydb4RPJJQJduCdqE33TTePpC9fS0HkSRaXzHtsrxHKllQJ
iyRRrl3tovG7UxBNl/oadwM=
-----END CERTIFICATE-----
---
Server certificate
subject=/businessCategory=Private Organization/serialNumber=0110-01-040181/1.3.6.1.4.1.311.60.2.1.3=JP/C=JP/ST=Tokyo/L=Shibuya/street=
26-1 Sakuragaoka/O=GMO GlobalSign K.K./CN=jp.globalsign.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G2
---
No client certificate CA names sent
---
SSL handshake has read 3718 bytes and written 432 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 7424ED1C107C03074A5D03917D9E20DBDE47FEDCEE5082A4C8E578B72D8A4C4B
Session-ID-ctx:
Master-Key: 91637E390AE072301B462D1E18833BF397382935373755A77F62E72C209C2B219C36D21DA645BEBD2D369B70F16EC4B9
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 64800 (seconds)
TLS session ticket:
0000 - cc b5 d7 9c 8b 78 b4 df-3a 0b 5f d7 bd 86 63 10 .....x..:._...c.
0010 - 49 00 38 4d 47 91 a3 d9-95 db 5b 52 a7 94 45 df I.8MG.....[R..E.
0020 - f2 16 9f 00 98 ed f1 f3-60 f7 dc 76 01 d6 c1 85 ........`..v....
0030 - b9 67 d2 7a 22 b3 31 16-34 6b 36 96 8d 32 cf 55 .g.z".1.4k6..2.U
0040 - 30 b8 de 99 76 11 3c 2a-29 fa cc 97 a3 03 4a 11 0...v.<*).....J.
0050 - 98 d4 b2 0b 40 7d 5a cf-5b 1d 66 10 df cd fb 4d ....@}Z.[.f....M
0060 - 37 ec bc 7e 2e 02 83 ac-3c fd e0 27 24 a5 99 ee 7..~....<..'$...
0070 - ed 4a 7b 68 fb d8 5b 87-f7 fa ea fe fb 90 86 ca .J{h..[.........
0080 - dc 25 03 93 81 04 c8 f0-34 33 1e a4 42 54 5b 2d .%......43..BT[-
0090 - 1c 13 ef e7 ec 47 10 9a-cc 28 52 b2 92 ce 76 6a .....G...(R...vj
Start Time: 1423741379
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
closed
追記
環境を記載していませんでしたので追記しておきます。
Windows 7 上でVagrantを使いUbuntu14.04をインストールしてその中での操作結果になります。
追記2
GlobalSign_Root_CA.crt
の有効期限を確認しましたが有効範囲でした。
$ openssl x509 -noout -dates -in /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt
notBefore=Sep 1 12:00:00 1998 GMT
notAfter=Jan 28 12:00:00 2028 GMT