We are wanting to use two way certificate authentication using open ssl.
When we open s_server as follows, the client is able to connect to my server:
openssl s_server -accept 12345 -cert our-cert.pem
(our-cert.pem is our certificate.)
This works fine. However, my requirements are:
- Verify that the incoming certificate is valid with a trusted CA, and
- Verify the common name is what we expect it to be.
I have tried this:
openssl s_server -accept 12345 -cert our-cert.pem -CApath /etc/ssl/certs/
This allows the client to connect. But my questions are:
- How can I be sure that it is validating the incomming SSL is valid and issued by a CA?
- How can I validate the Common Name is what I expect?
Best Answer
For the server, you need to add the "-Verify " option to force the client to provide a certificate. The depth is the maximum length of the client certificate chain.
That should take care of question #1.
For #2, I'm not sure there is a way to restrict by Common Name using these OpenSSL commands.
You can see the OpenSSL documentation for the server/client commands here:
s_server
s_client