Test your certificate chain using s_server and s_client

To test your quantum-safe hybrid certificate chain, use OpenSSL's s_server and s_client utilities. To use both utilities simultaneously, open two terminal sessions: one for the server and one for the client.

  1. Add the CN value of the server certificate to your hosts file.

    echo "$(hostname -I) digicert.pqc" | sudo tee -a /etc/hosts

  2. Next, make sure you're in the /app/digicert-pqc/certs directory.

    cd /app/digicert-pqc/certs

  3. In one of your open terminals, start the server.

    /app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl s_server -engine IQREngine -cert dilithium_ecdsa_x509_catalyst_mixed_chain_intermediate_certificate.pem -certform PEM -key dilithium_catalyst_mixed_chain_intermediate_private_key.pem -keyform PEM -debug -tls1_2

    You should see this output:

    engine "IQREngine" set.
    Using default temp DH parameters
    ACCEPT

  4. Switch to the second terminal window. Make sure you're in the /app/digicert-pqc/certs directory.

    cd /app/digicert-pqc/certs

  5. Use the s_client utility to connect to the running server.

    /app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl s_client -engine IQREngine -CAfile xmss_ecdsa_x509_catalyst_mixed_chain_root_certificate.pem -showcerts -tls1_2 -cipher 'ECDHE-NHDH-DILM-AES256-GCM-SHA384'

  6. If everything is configured properly, in the terminal window running the s_client utility, you should see this output:

    engine "IQREngine" set.
    CONNECTED(00000003)
    depth=1 C = US, ST = Utah, L = Lehi, O = "DigiCert, Inc.", OU = DigiCert PQC, CN = DigiCert PQC Root
    verify return:1
    depth=0 C = US, ST = Utah, L = Lehi, O = "DigiCert, Inc.", OU = DigiCert PQC, CN = DigiCert PQC Test Intermediate CA
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=Utah/L=Lehi/O=DigiCert, Inc./OU=DigiCert PQC/CN=DigiCert PQC Test Intermediate CA
       i:/C=US/ST=Utah/L=Lehi/O=DigiCert, Inc./OU=DigiCert PQC/CN=DigiCert PQC Root
    -----BEGIN CERTIFICATE-----
    [...]
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/C=US/ST=Utah/L=Lehi/O=DigiCert, Inc./OU=DigiCert PQC/CN=DigiCert PQC Test Intermediate CA
    issuer=/C=US/ST=Utah/L=Lehi/O=DigiCert, Inc./OU=DigiCert PQC/CN=DigiCert PQC Root
    ---
    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 9868 bytes and written 2331 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-NHDH-DILM-AES256-GCM-SHA384
    Server public key is 521 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-NHDH-DILM-AES256-GCM-SHA384
        Session-ID: {{Session-ID}}
        Session-ID-ctx: 
        Master-Key: {{Master-Key}}
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 7200 (seconds)
        TLS session ticket:
        [...]
    
    
        Start Time: 1563994600
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
    ---

    In the terminal window running the s_server utility, you should see this output:

    read from 0x5581e0750b80 [0x5581e07656f3] (5 bytes => 5 (0x5))
    0000 - 16 03 01 00 96                                    .....
    read from 0x5581e0750b80 [0x5581e07656f8] (150 bytes => 150 (0x96))
    0000 - 01 00 00 92 03 03 d9 c0-5a 73 35 d0 4e f2 31 f6   ........Zs5.N.1.
    [...]
    write to 0x5581e0750b80 [0x5581e076e100] (71 bytes => 71 (0x47))
    0000 - 16 03 03 00 42 02 00 00-3e 03 03 c2 3b df 2f 01   ....B...>...;./.
    [...]
    write to 0x5581e0750b80 [0x5581e0769c43] (4953 bytes => 4953 (0x1359))
    0000 - 16 03 03 13 54 0b 00 13-50 00 13 4d 00 13 4a 30   ....T...P..M..J0
    [...]
    write to 0x5581e0750b80 [0x5581e0769c43] (4609 bytes => 4609 (0x1201))
    0000 - 16 03 03 11 fc 0c 00 11-f8 03 00 17 41 04 0d 97   ............A...
    [...]
    write to 0x5581e0750b80 [0x5581e076e100] (9 bytes => 9 (0x9))
    0000 - 16 03 03 00 04 0e 00 00-00                        .........
    read from 0x5581e0750b80 [0x5581e07656f3] (5 bytes => 5 (0x5))
    0000 - 16 03 03 08 48                                    ....H
    read from 0x5581e0750b80 [0x5581e07656f8] (2120 bytes => 2120 (0x848))
    0000 - 10 00 08 44 41 04 29 0a-07 84 0c f3 a4 e4 3e d1   ...DA.).......>.
    [...]
    read from 0x5581e0750b80 [0x5581e07656f3] (5 bytes => 5 (0x5))
    0000 - 14 03 03 00 01                                    .....
    read from 0x5581e0750b80 [0x5581e07656f8] (1 bytes => 1 (0x1))
    0000 - 01                                                .
    read from 0x5581e0750b80 [0x5581e07656f3] (5 bytes => 5 (0x5))
    0000 - 16 03 03 00 28                                    ....(
    read from 0x5581e0750b80 [0x5581e07656f8] (40 bytes => 40 (0x28))
    0000 - e1 d7 30 8b 12 ef d1 dc-31 90 97 d0 0e 54 9c aa   ..0.....1....T..
    [...]
    write to 0x5581e0750b80 [0x5581e076e100] (175 bytes => 175 (0xAF))
    0000 - 16 03 03 00 aa 04 00 00-a6 00 00 1c 20 00 a0 02   ............ ...
    [...]
    write to 0x5581e0750b80 [0x5581e076e100] (6 bytes => 6 (0x6))
    0000 - 14 03 03 00 01 01                                 ......
    write to 0x5581e0750b80 [0x5581e076e100] (45 bytes => 45 (0x2D))
    0000 - 16 03 03 00 28 d0 99 97-94 6d a1 5c f8 b0 c0 65   ....(....m.\...e
    [...]
    -----BEGIN SSL SESSION PARAMETERS-----
    [...]
    -----END SSL SESSION PARAMETERS-----
    Shared ciphers:ECDHE-NHDH-DILM-AES256-GCM-SHA384:ECDHE-NHDH-SIDH-DILM-AES256-GCM-SHA384
    Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1:HSS+SHA512:XMSS+SHA512:XMSSmt+SHA512:DILITHIUM+SHA512:DILITHIUM+SHA512:0xE0+SHA512
    Shared Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1:HSS+SHA512:DILITHIUM+SHA512:DILITHIUM+SHA512
    Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
    Supported Elliptic Curves: P-256:P-521:brainpoolP512r1:brainpoolP384r1:P-384:brainpoolP256r1:secp256k1:B-571:K-571:K-409:B-409:K-283:B-283:0xFE01
    Shared Elliptic curves: P-256:P-521:brainpoolP512r1:brainpoolP384r1:P-384:brainpoolP256r1:secp256k1:B-571:K-571:K-409:B-409:K-283:B-283:UNDEF
    CIPHER is ECDHE-NHDH-DILM-AES256-GCM-SHA384
    Secure Renegotiation IS supported
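
Each server write in the `-debug` dump above starts with a TLS record header, so the first bytes of its `0000 -` line identify the message and its size. The following added example (not part of DigiCert's documentation) decodes the server-written records copied from that dump; the function names are hypothetical, and it assumes every write begins at a record boundary, as it does in the output shown.

```shell
# decode_server_flight: read an s_server -debug dump on stdin and print one
# line per TLS record the server wrote, using the record and handshake headers.
decode_server_flight() {
    awk '
    function hex(s,   i, n) {   # portable hex-to-int (POSIX awk has no strtonum)
        for (i = 1; i <= length(s); i++)
            n = n * 16 + index("0123456789abcdef", tolower(substr(s, i, 1))) - 1
        return n + 0
    }
    BEGIN { hs["02"] = "ServerHello"; hs["0b"] = "Certificate"; hs["0c"] = "ServerKeyExchange"
            hs["0e"] = "ServerHelloDone"; hs["04"] = "NewSessionTicket" }
    /^ *write to /  { armed = 1; next }   # the next 0000 line opens a server record
    /^ *read from / { armed = 0; next }   # client-to-server data is skipped
    armed && /^ *0000 - / {
        armed = 0; sub(/^ *0000 - /, ""); gsub(/-/, " ")
        reclen = hex($4 $5)               # bytes 4-5: record length
        if ($1 == "14") { print "ChangeCipherSpec record=" reclen; encrypted = 1 }
        else if ($1 == "16" && encrypted) print "Handshake(encrypted) record=" reclen
        else if ($1 == "16") {            # byte 6: message type, bytes 7-9: body length
            t = ($6 in hs) ? hs[$6] : "type_0x" $6
            print t " record=" reclen " body=" hex($7 $8 $9)
        }
        else print "content_type_0x" $1 " record=" reclen
    }'
}

# Server-written records copied from the s_server output on this page.
sample_debug_log() {
    cat <<'EOF'
write to 0x5581e0750b80 [0x5581e076e100] (71 bytes => 71 (0x47))
0000 - 16 03 03 00 42 02 00 00-3e 03 03 c2 3b df 2f 01   ....B...>...;./.
write to 0x5581e0750b80 [0x5581e0769c43] (4953 bytes => 4953 (0x1359))
0000 - 16 03 03 13 54 0b 00 13-50 00 13 4d 00 13 4a 30   ....T...P..M..J0
write to 0x5581e0750b80 [0x5581e0769c43] (4609 bytes => 4609 (0x1201))
0000 - 16 03 03 11 fc 0c 00 11-f8 03 00 17 41 04 0d 97   ............A...
write to 0x5581e0750b80 [0x5581e076e100] (9 bytes => 9 (0x9))
0000 - 16 03 03 00 04 0e 00 00-00                        .........
write to 0x5581e0750b80 [0x5581e076e100] (175 bytes => 175 (0xAF))
0000 - 16 03 03 00 aa 04 00 00-a6 00 00 1c 20 00 a0 02   ............ ...
write to 0x5581e0750b80 [0x5581e076e100] (6 bytes => 6 (0x6))
0000 - 14 03 03 00 01 01                                 ......
write to 0x5581e0750b80 [0x5581e076e100] (45 bytes => 45 (0x2D))
0000 - 16 03 03 00 28 d0 99 97-94 6d a1 5c f8 b0 c0 65   ....(....m.\...e
EOF
}

sample_debug_log | decode_server_flight
```

The Certificate and ServerKeyExchange messages carry 4944 and 4600 bytes respectively, and the seven writes add up to the 9868 bytes that s_client reports having read.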

You've successfully created a quantum-safe hybrid certificate chain with DigiCert's PQC toolkit and the ISARA Catalyst OpenSSL Connector engine.
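
By default, stock OpenSSL `s_client` completes the handshake even when chain verification fails, so `CONNECTED` alone does not confirm the result. The following added example (not from DigiCert's documentation) checks a saved s_client transcript for the cipher, protocol and verify return code shown above; `check_handshake` and the sample functions are hypothetical names, and the failing transcript is constructed.

```shell
# Values the s_client transcript on this page shows for a good handshake.
EXPECTED_CIPHER='ECDHE-NHDH-DILM-AES256-GCM-SHA384'
EXPECTED_PROTO='TLSv1.2'

# check_handshake: read an s_client transcript on stdin. Prints one FAIL line
# per problem and returns 1 if any is found, 0 if the transcript is clean.
check_handshake() {
    awk -v want_cipher="$EXPECTED_CIPHER" -v want_proto="$EXPECTED_PROTO" '
    function bad(msg) { print "FAIL " msg; failed = 1 }
    /^ *verify error:/       { bad("chain: " $0) }
    /^ *Protocol *:/         { proto = $NF }    # SSL-Session block fields
    /^ *Cipher *:/           { cipher = $NF }
    /^ *Verify return code:/ { code = $4; seen = 1 }
    END {
        if (cipher != want_cipher) bad("cipher is \"" cipher "\", not the hybrid suite")
        if (proto != want_proto)   bad("protocol is \"" proto "\"")
        if (!seen)                 bad("no Verify return code line (handshake incomplete?)")
        else if (code != 0)        bad("Verify return code " code)
        exit failed + 0
    }'
}

good_transcript() {   # trimmed from the s_client output on this page
    cat <<'EOF'
CONNECTED(00000003)
depth=0 C = US, ST = Utah, L = Lehi, O = "DigiCert, Inc.", OU = DigiCert PQC, CN = DigiCert PQC Test Intermediate CA
verify return:1
New, TLSv1/SSLv3, Cipher is ECDHE-NHDH-DILM-AES256-GCM-SHA384
    Protocol  : TLSv1.2
    Cipher    : ECDHE-NHDH-DILM-AES256-GCM-SHA384
    Verify return code: 0 (ok)
EOF
}
bad_transcript() {    # constructed: classical suite negotiated, root not trusted
    cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = DigiCert PQC Test Intermediate CA
verify error:num=20:unable to get local issuer certificate
verify return:1
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

good_transcript | check_handshake && echo "good transcript: PASS"
bad_transcript | check_handshake || echo "bad transcript: rejected"
```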