17.10 - Example: Using openssl to Examine a Certificate - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.10
Release Date: July 2021
Content Type: Administration, Security
Publication ID: B035-1100-171K
Language: English (United States)

You can examine the certificate offered by the directory server with OpenSSL to ensure that it conforms:

openssl s_client -connect server_name[:port] </dev/null

server_name
    The directory server DNS name.
port
    [Optional] The port where SSL listens. Default: 636

This command produces output similar to the following example.

dlopldap:/etc/openldap/ssl/certs # openssl s_client -connect localhost:636 </dev/null
CONNECTED(00000003)
depth=0 /C=US/CN=dlopldap.td.teradata.com/emailAddress=dl160010@teradata.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/CN=dlopldap.td.teradata.com/emailAddress=dl160010@teradata.com
verify return:1
---
Certificate chain
 0 s:/C=US/CN=dlopldap.td.teradata.com/emailAddress=dl160010@teradata.com
   i:/C=US/CN=dlopldap.td.teradata.com/emailAddress=dl160010@teradata.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/CN=dlopldap.td.teradata.com/emailAddress=dl160010@teradata.com
issuer=/C=US/CN=dlopldap.td.teradata.com/emailAddress=dl160010@teradata.com
---
No client certificate CA names sent
---
SSL handshake has read 906 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 1AC1C0A2959387177910D40DBC9EC81887C4A233D907F31BB8BA7EFA7E7E76D3
    Session-ID-ctx:
    Master-Key: 7C6DE241910B1820882D0833976FE4BF4704F163905C7540569C07D5708218A00C542D1E6846DB65E2DE04FD6F0CEC1A
    Key-Arg   : None
    Start Time: 1210794467
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
DONE

Explanation of the output:

  • The example shows one certificate and includes the surrounding text.
  • The output always shows the certificates offered by the directory server between the BEGIN CERTIFICATE and END CERTIFICATE statements. A directory may offer more than one certificate, but only the first certificate is important to the SSL or TLS configuration.
  • Immediately following the END CERTIFICATE statement are two lines describing the subject and the issuer of that certificate.
    • The issuer is the identity of the certificate that was used to sign this certificate.
    • The subject is the identity of the certificate:
      /C=US/CN=dlopldap.td.teradata.com/emailAddress=dl160010@teradata.com

      The CN attribute, here with the value dlopldap.td.teradata.com, names the host the certificate was issued to and so identifies the verified certificate.

    • When the issuer and subject of a certificate are the same, as in this example, the certificate is self-signed. This is also why the output reports verify error:num=18:self signed certificate and Verify return code: 18: OpenSSL has no trusted CA against which to validate the certificate.
  • The list of certificates offered by the directory server is called the certificate chain.
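As an added example (not code from the Teradata documentation), the following Python script parses the openssl s_client output shown above and applies the checks this section describes: reading the subject and issuer lines, counting the certificate chain, and flagging a self-signed certificate when subject and issuer match. The sample output is constructed from the page's example with a placeholder in place of the certificate body; the function names and the expected_host parameter are my own. It handles the slash-separated DN format shown on the page.

```python
import re

# Constructed sample of `openssl s_client` output, trimmed to the lines the page discusses.
SAMPLE_OUTPUT = """\
Certificate chain
 0 s:/C=US/CN=dlopldap.td.teradata.com/emailAddress=dl160010@teradata.com
   i:/C=US/CN=dlopldap.td.teradata.com/emailAddress=dl160010@teradata.com
---
Server certificate
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
subject=/C=US/CN=dlopldap.td.teradata.com/emailAddress=dl160010@teradata.com
issuer=/C=US/CN=dlopldap.td.teradata.com/emailAddress=dl160010@teradata.com
---
Server public key is 1024 bit
    Verify return code: 18 (self signed certificate)
"""

def parse_dn(dn):
    """Split an OpenSSL one-line DN such as /C=US/CN=host into a dict of attributes."""
    return dict(p.split("=", 1) for p in dn.strip().strip("/").split("/") if "=" in p)

def parse_s_client(output):
    """Extract subject, issuer, chain entries, key size and verify code from s_client output."""
    info = {"subject": None, "issuer": None, "chain": [], "verify_code": None, "key_bits": None}
    for line in output.splitlines():
        if line.startswith("subject="):
            info["subject"] = line[8:].strip()
        elif line.startswith("issuer="):
            info["issuer"] = line[7:].strip()
        elif (m := re.match(r"\s*\d+ s:(.*)", line)):                # chain entry: its subject
            info["chain"].append({"subject": m.group(1).strip(), "issuer": None})
        elif (m := re.match(r"\s*i:(.*)", line)) and info["chain"]:  # chain entry: its issuer
            info["chain"][-1]["issuer"] = m.group(1).strip()
        elif (m := re.match(r"\s*Verify return code: (\d+)", line)):
            info["verify_code"] = int(m.group(1))
        elif (m := re.match(r"Server public key is (\d+) bit", line)):
            info["key_bits"] = int(m.group(1))
    return info

def check_certificate(output, expected_host):
    """Apply the page's reading: CN should name the directory server; subject == issuer means self-signed."""
    info = parse_s_client(output)
    cn = parse_dn(info["subject"]).get("CN", "")
    return {"cn": cn, "cn_matches_host": cn.lower() == expected_host.lower(),
            "self_signed": info["subject"] == info["issuer"],
            "verify_code": info["verify_code"],          # 18 = self signed certificate
            "chain_length": len(info["chain"]), "key_bits": info["key_bits"]}
```

Run it against real output by piping `openssl s_client -connect server_name:636 </dev/null` into the script and passing the server name as expected_host; a CN that does not match the name you connect to, or a verify code other than 0, is what to investigate.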