Let's say I start with a certificate.
Using openssl I can print it out like this:
openssl x509 -in cert.pem -text -noout
And I'll get some output such as Validity, Issuer and Subject along with Authority Key Identifier and Subject Key Identifier.
How do I use these fields to work out the next certificate in the chain?
And then, once I obtain the next certificate, work out what the one after that should be, etc.
Basically I'm wanting to work out the full chain and get things in the right order for the EC2 load balancer, since Network Solutions don't seem to just give you a bundle that works. They give you individual certs, and I've tried and tried lots of different orderings for EC2 and still haven't gotten it to work. My last bet is to try openssl and work this out manually rather than guessing.
The X509v3 Authority Key Identifier in the openssl output for the child key will match the X509v3 Subject Key Identifier for the signing key. For example, for this site's SSL cert and its parent certificate:
51:68:FF:90:AF:02:07:75:3C:CC:D9:65:64:62:A2:12:B8:59:72:3B
is what establishes on the child cert what cert signed it; you should be able to use that to find the correct authority certificates.
It is important to note that the intermediate certificates are not specific to your domain or certificate. So, every certificate issued that is like yours has the exact same intermediate certificates.
You can think of them a bit like the routing number on your checks. The routing number is needed, but really says more about your bank than it does about you. Your account number, or your certificate in this case, is what is unique to you.
Because of the generic nature of the intermediate certificates, there are websites like this one:
https://www.ssl2buy.com/wiki/ssl-intermediate-and-root-ca-bundle
that have all of the intermediate certificates pre-bundled (and in the correct order) for different certificate issuers.
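An added example (not from the question or the answers above) that applies the AKI-to-SKI matching described in the answer to the text output of openssl x509 -text -noout: it parses each certificate's key identifiers and walks from the leaf to the self-signed root, failing loudly if an issuer is missing from the set. The file names, subjects and key identifier values are constructed placeholders, not those of any real CA.

```python
import re

# Constructed sample: only the relevant lines of `openssl x509 -text -noout`
# output for a three-certificate chain, deliberately given in the wrong order.
SAMPLE_OUTPUTS = {
    "cert1.pem": "Subject: CN=Example Intermediate CA\n"
                 "X509v3 Subject Key Identifier:\n    BB:BB:BB:BB:BB:BB\n"
                 "X509v3 Authority Key Identifier:\n    keyid:AA:AA:AA:AA:AA:AA\n",
    "cert2.pem": "Subject: CN=Example Root CA\n"
                 "X509v3 Subject Key Identifier:\n    AA:AA:AA:AA:AA:AA\n"
                 "X509v3 Authority Key Identifier:\n    keyid:AA:AA:AA:AA:AA:AA\n",
    "cert3.pem": "Subject: CN=www.example.com\n"
                 "X509v3 Subject Key Identifier:\n    CC:CC:CC:CC:CC:CC\n"
                 # OpenSSL 3.x prints the AKI without the "keyid:" prefix
                 "X509v3 Authority Key Identifier:\n    BB:BB:BB:BB:BB:BB\n",
}

SKI_RE = re.compile(r"Subject Key Identifier:\s*\n\s*([0-9A-F:]+)")
AKI_RE = re.compile(r"Authority Key Identifier:\s*\n\s*(?:keyid:)?([0-9A-F:]+)")

def key_ids(text):
    """Return (subject_key_id, authority_key_id) from one cert's -text output; either may be None."""
    ski = SKI_RE.search(text)
    aki = AKI_RE.search(text)
    return (ski.group(1) if ski else None, aki.group(1) if aki else None)

def order_chain(outputs):
    """Order certificate files leaf-first by following each AKI to the SKI it names."""
    ids = {name: key_ids(text) for name, text in outputs.items()}
    by_ski = {ski: name for name, (ski, _) in ids.items() if ski}
    # Every AKI that points at a *different* cert names a parent; the one
    # certificate no AKI points at is the leaf (end-entity) certificate.
    parents = {aki for ski, aki in ids.values() if aki and aki != ski}
    leaves = [name for name, (ski, _) in ids.items() if ski not in parents]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf certificate, found {leaves}")
    chain = [leaves[0]]
    while True:
        ski, aki = ids[chain[-1]]
        if aki is None or aki == ski:      # self-signed root, or no AKI extension
            break
        parent = by_ski.get(aki)
        if parent is None:
            raise ValueError(f"{chain[-1]}: issuer with SKI {aki} is not in the set")
        if parent in chain:
            raise ValueError("cycle in AKI/SKI links")
        chain.append(parent)
    return chain
```

To use it on real files, build the dictionary from the output of openssl x509 -in FILE -text -noout for each certificate you were given; the certificates between the leaf and the self-signed root, in the returned order, are the intermediate bundle.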