Validating the certificates

You can validate the certificates that you download for contract encryption and attestation.

This procedure is intended for users with the role Auditor.

Before you begin

  • Install OpenSSL. This tutorial uses OpenSSL 1.1.1w (11 Sep 2023).

Downloading the certificates

Download the following certificates:

  • Get the DigiCert certificates: the DigiCert Trusted Root G4 certificate and the DigiCert G4 intermediate certificate, both of which can be downloaded from DigiCert's website.
  • Get the IBM intermediate, attestation, and encryption certificates from the image TAR file at the following location: IBM_CCC_RHOCP_v1.2.1_EN/config/certs/v1.2.1.
    Important: The attestation certificate location varies by deployment type: use baremetal/ibm-confidential-computing-container-attestation.crt for Bare Metal deployments or peerpod/ibm-confidential-computing-container-attestation.crt for Peerpod deployments.

Validating the contract encryption certificate

Complete the following steps on an Ubuntu system to validate the encryption certificate:

  1. Verify the CA certificate by running the following command:

    openssl verify -crl_download -crl_check DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem
     
  2. Verify the signing key certificate by running the following command:

    openssl verify -crl_download -crl_check -untrusted DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem ibm-confidential-computing-container-intermediate.crt
     

    If the openssl verify command fails (for example, because the CRL cannot be downloaded), download the CRL yourself and verify the certificate against it with the following command:

    openssl verify -untrusted DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem -CRLfile DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl ibm-confidential-computing-container-intermediate.crt

  3. Complete the following steps to verify the signature of the encryption certificate document:

    1. Extract the public signing key into a file. In the following example, the file is called pubkey.pem:
      openssl x509 -in ibm-confidential-computing-container-intermediate.crt -pubkey -noout > pubkey.pem
       
    2. Extract the encryption key signature from the encryption certificate document. The following command returns the offset value of the signature:
      openssl asn1parse -in ibm-confidential-computing-container-encrypt.crt | tail -1 | cut -d : -f 1
       
    3. Assume that the previous command printed <offset_value>. Use <offset_value> to extract the encryption key signature into a file called signature:
      openssl asn1parse -in ibm-confidential-computing-container-encrypt.crt -out signature -strparse <offset_value> -noout
       
    4. Extract the body of the encryption certificate document (the to-be-signed structure, which starts at offset 4, directly after the outer SEQUENCE header) into a file called body:
      openssl asn1parse -in ibm-confidential-computing-container-encrypt.crt -out body -strparse 4 -noout
       
    5. Verify the signature by using the signature and body files. The command prints Verified OK if the signature is valid:

      openssl sha512 -verify pubkey.pem -signature signature body
       
  4. Verify that the encryption certificate document is still within its validity period by checking the notBefore and notAfter dates in the output of the following command:
    openssl x509 -in ibm-confidential-computing-container-encrypt.crt -dates -noout
     

Validating the attestation certificate

Complete the following steps on an Ubuntu system to validate the attestation certificate:

  1. Verify the CA certificate by running the following command:

    openssl verify -crl_download -crl_check DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem
     
  2. Verify the signing key certificate by running the following command:

    openssl verify -crl_download -crl_check -untrusted DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem ibm-confidential-computing-container-intermediate.crt
     

    If the openssl verify command fails (for example, because the CRL cannot be downloaded), download the CRL yourself and verify the certificate against it with the following command:

    openssl verify -untrusted DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem -CRLfile DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl ibm-confidential-computing-container-intermediate.crt

  3. Complete the following steps to verify the signature of the attestation certificate document:

    1. Extract the public signing key into a file. In the following example, the file is called pubkey.pem:
      openssl x509 -in ibm-confidential-computing-container-intermediate.crt -pubkey -noout > pubkey.pem
       
    2. Extract the attestation key signature from the attestation certificate document. The following command returns the offset value of the signature:
      openssl asn1parse -in ibm-confidential-computing-container-attestation.crt | tail -1 | cut -d : -f 1
       
    3. Assume that the previous command printed <offset_value>. Use <offset_value> to extract the attestation key signature into a file called signature:
      openssl asn1parse -in ibm-confidential-computing-container-attestation.crt -out signature -strparse <offset_value> -noout
       
    4. Extract the body of the attestation certificate document (the to-be-signed structure, which starts at offset 4, directly after the outer SEQUENCE header) into a file called body:
      openssl asn1parse -in ibm-confidential-computing-container-attestation.crt -out body -strparse 4 -noout
       
    5. Verify the signature by using the signature and body files. The command prints Verified OK if the signature is valid:

      openssl sha512 -verify pubkey.pem -signature signature body
       
  4. Verify that the attestation certificate document is still within its validity period by checking the notBefore and notAfter dates in the output of the following command:
    openssl x509 -in ibm-confidential-computing-container-attestation.crt -dates -noout
     

Certificate revocation list

The certificates contain Certificate Revocation List (CRL) Distribution Points. You can use the CRL to verify that your certificates are valid (not revoked).

  1. Extract the CRL URL from the attestation or encryption certificate and download the CRL:
    openssl x509 -in "ibm-confidential-computing-container-encrypt.crt" -noout -ext crlDistributionPoints
    crl_url=https://ibm.biz/confidential-computing-container-0b8907-crl-1  # (example)
    curl --location --silent "$crl_url" --output "ibm-confidential-computing-container.crl"
     
  2. Verify that the CRL is valid (check valid dates and issuer):

    openssl crl -text -noout -in "ibm-confidential-computing-container.crl"
     
  3. Verify the CRL signature:
    openssl x509 -in "ibm-confidential-computing-container-intermediate.crt" -pubkey -noout -out pubkey
    bbegin="$(openssl asn1parse -in "ibm-confidential-computing-container.crl" | head -2 | tail -1 | cut -d : -f 1)"
    bend="$(openssl asn1parse -in "ibm-confidential-computing-container.crl" | tail -1 | cut -d : -f 1)"
    openssl asn1parse -in "ibm-confidential-computing-container.crl" -out signature -strparse $bend -noout
    openssl asn1parse -in "ibm-confidential-computing-container.crl" -out body -strparse $bbegin -noout
    openssl sha512 -verify pubkey -signature signature body
     
  4. Verify that the encryption certificate document is valid:

    1. Extract the serial from the encryption certificate:
      openssl x509 -in ibm-confidential-computing-container-encrypt.crt -noout -serial
      serial=C66CF6A4A9D72F515FFCB3D2AC052142 # (example)
       
    2. Export the value of serial, as in the following example:

      export serial=C66CF6A4A9D72F515FFCB3D2AC052142
       

      You can check that the value is set by running the following command:

      echo $serial
       
    3. Verify that the certificate is not listed within the CRL:

      openssl crl -text -noout -in "ibm-confidential-computing-container.crl" | grep -q "$serial" && echo REVOKED || echo OK
       

    A revoked encryption certificate document must not be used for further encryptions.

  5. Verify that the attestation certificate document is valid:

    1. Extract the serial from the attestation certificate:
      openssl x509 -in ibm-confidential-computing-container-attestation.crt -noout -serial
      serial=1672FF3B5328F7BB732122D4AF0C4126  # (example)
       
    2. Export the value of serial, as in the following example:

      export serial=1672FF3B5328F7BB732122D4AF0C4126
       

      You can check that the value of serial is set by running the following command:

      echo $serial
       
    3. Verify that the certificate is not listed within the CRL:

      openssl crl -text -noout -in "ibm-confidential-computing-container.crl" | grep -q "$serial" && echo REVOKED || echo OK
       

    An image with a revoked attestation certificate document must not be started.
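The manual checks from the two validation procedures above and from the CRL section, gathered into two shell functions, as an added example that is not part of the IBM documentation. It assumes only openssl and a POSIX shell; the issuer, leaf certificates and CRL it checks are constructed locally so it runs offline, and every file name and subject in it is an assumption made for this example.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: the page's manual checks as two
# reusable functions, exercised against a PKI constructed locally with openssl so
# the script runs offline. All file and subject names are assumptions.
set -eu
WORK="$(mktemp -d)"; cd "$WORK"

# Manual signature check (the asn1parse technique from the page): the signed body
# is the first inner SEQUENCE, the signature is the last element (a BIT STRING).
# Works for certificates and CRLs alike; exits 0 only when the signature verifies.
verify_doc_sig() {  # $1 = document (cert or CRL), $2 = issuer certificate
  openssl x509 -in "$2" -pubkey -noout > pubkey.pem
  body_off="$(openssl asn1parse -in "$1" | head -n 2 | tail -n 1 | cut -d : -f 1 | tr -d ' ')"
  sig_off="$(openssl asn1parse -in "$1" | tail -n 1 | cut -d : -f 1 | tr -d ' ')"
  openssl asn1parse -in "$1" -out body -strparse "$body_off" -noout
  openssl asn1parse -in "$1" -out signature -strparse "$sig_off" -noout
  openssl sha512 -verify pubkey.pem -signature signature body > /dev/null
}

# CRL membership check from the page, with the serial read from the certificate.
crl_status() {  # $1 = certificate, $2 = CRL; prints REVOKED or OK
  serial="$(openssl x509 -in "$1" -noout -serial | cut -d = -f 2)"
  if openssl crl -text -noout -in "$2" | grep -q "$serial"; then echo REVOKED; else echo OK; fi
}

# Constructed test PKI: an issuer standing in for the IBM intermediate certificate,
# two sha512-signed leaf certificates, and a CRL that revokes only the first one.
openssl req -x509 -newkey rsa:2048 -nodes -sha512 -subj "/CN=Example Issuer" \
  -days 30 -keyout issuer.key -out issuer.crt 2> /dev/null
for name in revoked-leaf good-leaf; do
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" -keyout "$name.key" \
    -out "$name.csr" 2> /dev/null
  openssl x509 -req -in "$name.csr" -CA issuer.crt -CAkey issuer.key -CAcreateserial \
    -sha512 -days 30 -out "$name.crt" 2> /dev/null
done
printf '[ca]\ndefault_ca = ca_default\n[ca_default]\ndatabase = index.txt\n' > ca.cnf
printf 'default_md = sha512\ndefault_crl_days = 7\n' >> ca.cnf
touch index.txt
openssl ca -config ca.cnf -cert issuer.crt -keyfile issuer.key -revoke revoked-leaf.crt 2> /dev/null
openssl ca -config ca.cnf -cert issuer.crt -keyfile issuer.key -gencrl -out issuer.crl 2> /dev/null

# Same order as the page: CRL signature first, then each certificate's status.
verify_doc_sig issuer.crl issuer.crt && echo "CRL signature: Verified OK"
verify_doc_sig good-leaf.crt issuer.crt && echo "good-leaf signature: Verified OK"
echo "revoked-leaf: $(crl_status revoked-leaf.crt issuer.crl)"   # REVOKED
echo "good-leaf: $(crl_status good-leaf.crt issuer.crl)"         # OK
```

Pointing the two functions at the IBM encryption or attestation certificate, the IBM intermediate certificate and the downloaded CRL performs the same checks the page walks through by hand.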