certificate_validate.md

copyright years: 2022, 2024
lastupdated: 2024-12-13
keywords: confidential computing, secure execution, hpcr, contract, customization, env, workload, encryption, attestation, validating
subcollection: vpc

{{site.data.keyword.attribute-definition-list}}

Validating the certificates

{: #cert_validate}

You can validate the certificates that you download for contract encryption and attestation. {: shortdesc}

Downloading the certificates

{: #download_cert}

Download the following certificates:

  • Get the DigiCert certificates. The DigiCert Trusted Root G4 certificate can be downloaded here{: external}, and the DigiCert G4 intermediate certificate can be downloaded here{: external}.

  • Get the IBM intermediate certificate. The following table lists the expiry dates for the intermediate certificates based on the version of the image.

    | Image version | Certificate link | Expiry date |
    | --- | --- | --- |
    | ibm-hyper-protect-container-runtime-1-0-s390x-20 | certificate{: external} | 01 September 2026 |
    | ibm-hyper-protect-container-runtime-1-0-s390x-19 | certificate{: external} | 01 September 2026 |
    | ibm-hyper-protect-container-runtime-1-0-s390x-18 | certificate{: external} | 03 June 2026 |
    | ibm-hyper-protect-container-runtime-1-0-s390x-17 | certificate{: external} | 03 June 2026 |
    | ibm-hyper-protect-container-runtime-1-0-s390x-16 | certificate{: external} | 03 June 2026 |
    | ibm-hyper-protect-container-runtime-1-0-s390x-15 | certificate{: external} | 02 October 2025 |
    | ibm-hyper-protect-container-runtime-1-0-s390x-14 | certificate{: external} | 02 October 2025 |
    | ibm-hyper-protect-container-runtime-1-0-s390x-13 | certificate{: external} | 02 October 2025 |
    {: caption="Intermediate certificate expiry dates" caption-side="bottom"}
  • Ensure that you use the certificates that correspond to the Hyper Protect Container Runtime image for contract encryption and attestation.

Validating the contract encryption certificate

{: #validate_encrypt_cert}

Complete the following steps on an Ubuntu system to validate the encryption certificate:

  1. Use the following command to verify the CA certificate:

    openssl verify -crl_download -crl_check DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem

    {: pre}

  2. Use the following command to verify the signing key certificate:

    openssl verify -crl_download -crl_check -untrusted DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem ibm-hyper-protect-container-runtime-1-0-s390x-20-intermediate.crt

    {: pre}

  3. Complete the following steps to verify the signature of the encryption certificate document:

    1. Extract the public signing key into a file. In the following example, the file is called pubkey.pem:

      openssl x509 -in ibm-hyper-protect-container-runtime-1-0-s390x-20-intermediate.crt -pubkey -noout >  pubkey.pem

      {: pre}

    2. Extract the encryption key signature from the encryption certificate document. The following command returns the offset value of the signature:

      openssl asn1parse -in ibm-hyper-protect-container-runtime-1-0-s390x-20-encrypt.crt | tail -1 | cut -d : -f 1

      {: pre}

      Consider that the output of the command is <offset_value>. Use this <offset_value> to extract the encryption key signature into a file called signature:

      openssl asn1parse -in ibm-hyper-protect-container-runtime-1-0-s390x-20-encrypt.crt -out signature -strparse <offset_value> -noout

      {: pre}

    3. Extract the body of the encryption certificate document into a file called body.

      openssl asn1parse -in ibm-hyper-protect-container-runtime-1-0-s390x-20-encrypt.crt -out body -strparse 4 -noout

      {: pre}

    4. Verify the signature by using the signature and body files:

      openssl sha512 -verify pubkey.pem -signature signature body

      {: pre}

  4. Verify the certificate's issuer. Compare the output of the following two commands. The output should match.

    openssl x509 -in ibm-hyper-protect-container-runtime-1-0-s390x-20-encrypt.crt  -issuer -noout
    openssl x509 -in ibm-hyper-protect-container-runtime-1-0-s390x-20-intermediate.crt -subject -noout

    {: pre}

  5. Verify that the encryption certificate document is still valid by checking the output of the following command:

    openssl x509 -in ibm-hyper-protect-container-runtime-1-0-s390x-20-encrypt.crt -dates -noout

    {: pre}

Validating the attestation certificate

{: #validate_attest_cert}

Complete the following steps on an Ubuntu system to validate the attestation certificate:

  1. Use the following command to verify the CA certificate:

    openssl verify -crl_download -crl_check DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem

    {: pre}

  2. Use the following command to verify the signing key certificate:

    openssl verify -crl_download -crl_check -untrusted DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem ibm-hyper-protect-container-runtime-1-0-s390x-20-intermediate.crt

    {: pre}

  3. Complete the following steps to verify the signature of the attestation certificate document:

    1. Extract the public signing key into a file. In the following example, the file is called pubkey.pem:

      openssl x509 -in ibm-hyper-protect-container-runtime-1-0-s390x-20-intermediate.crt -pubkey -noout >  pubkey.pem

      {: pre}

    2. Extract the attestation key signature from the attestation certificate document. The following command returns the offset value of the signature:

      openssl asn1parse -in ibm-hyper-protect-container-runtime-1-0-s390x-20-attestation.crt | tail -1 | cut -d : -f 1

      {: pre}

      Consider that the output of the command is <offset_value>. Use this <offset_value> to extract the attestation key signature into a file called signature:

      openssl asn1parse -in ibm-hyper-protect-container-runtime-1-0-s390x-20-attestation.crt -out signature -strparse <offset_value> -noout

      {: pre}

    3. Extract the body of the attestation certificate document into a file called body.

      openssl asn1parse -in ibm-hyper-protect-container-runtime-1-0-s390x-20-attestation.crt -out body -strparse 4 -noout

      {: pre}

    4. Verify the signature by using the signature and body files:

      openssl sha512 -verify pubkey.pem -signature signature body

      {: pre}

  4. Verify the certificate's issuer. Compare the output of the following two commands. The output should match.

    openssl x509 -in ibm-hyper-protect-container-runtime-1-0-s390x-20-attestation.crt -issuer -noout
    openssl x509 -in ibm-hyper-protect-container-runtime-1-0-s390x-20-intermediate.crt -subject -noout

    {: pre}

  5. Verify that the attestation certificate document is still valid by checking the output of the following command:

    openssl x509 -in ibm-hyper-protect-container-runtime-1-0-s390x-20-attestation.crt -dates -noout

    {: pre}
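Steps 3 to 5 of both procedures above (encryption and attestation certificate) can be combined into one check that fails closed. The following script is an added example, not part of the original documentation or of IBM's tooling; the function name `verify_cert_doc` is hypothetical, and it assumes `openssl` and `mktemp` are on the path.

```shell
#!/bin/sh
# Added example: steps 3-5 as one fail-closed check (function name is hypothetical).
# Usage: verify_cert_doc <encrypt-or-attestation.crt> <intermediate.crt>
# Returns 0 only if signature, issuer and expiry all check out.
verify_cert_doc() (
  cert="$1"; issuer_cert="$2"; ok=1
  work="$(mktemp -d)" || exit 1

  # Step 3.1: public signing key of the intermediate certificate.
  openssl x509 -in "$issuer_cert" -pubkey -noout > "$work/pubkey.pem" || ok=0

  # Step 3.2: the last ASN.1 element is the signature BIT STRING.
  sig_off="$(openssl asn1parse -in "$cert" | tail -1 | cut -d : -f 1 | tr -d ' ')"
  # Step 3.3: the second element is the signed body. The page uses the fixed
  # offset 4; reading it from the parse output is what the CRL step does.
  body_off="$(openssl asn1parse -in "$cert" | sed -n 2p | cut -d : -f 1 | tr -d ' ')"
  [ -n "$sig_off" ] && [ -n "$body_off" ] || ok=0

  openssl asn1parse -in "$cert" -out "$work/signature" -strparse "$sig_off" -noout || ok=0
  openssl asn1parse -in "$cert" -out "$work/body" -strparse "$body_off" -noout || ok=0

  # Step 3.4: `openssl dgst -sha512` is the long form of `openssl sha512`.
  openssl dgst -sha512 -verify "$work/pubkey.pem" \
    -signature "$work/signature" "$work/body" >/dev/null || ok=0

  # Step 4: issuer of the document must equal subject of the intermediate.
  iss="$(openssl x509 -in "$cert" -issuer -noout)" || ok=0
  sub="$(openssl x509 -in "$issuer_cert" -subject -noout)" || ok=0
  [ -n "$iss" ] && [ "${iss#issuer=}" = "${sub#subject=}" ] || ok=0

  # Step 5: -checkend 0 fails if notAfter has already passed.
  openssl x509 -in "$cert" -checkend 0 -noout >/dev/null || ok=0

  rm -rf "$work"
  [ "$ok" -eq 1 ]
)
```

The issuer name comparison alone does not prove anything, because two certificates can carry the same subject name; the result depends on the signature check in step 3.4 passing as well.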

Certificate revocation list

{: #certificate-revocation-list}

The certificates contain Certificate Revocation List (CRL) Distribution Points. You can use the CRL to verify that your certificates are valid (not revoked).

  1. Extract the CRL URL from the attestation or encryption certificate, and download the CRL:

    openssl x509 -in "ibm-hyper-protect-container-runtime-1-0-s390x-20-encrypt.crt" -noout -ext crlDistributionPoints
    crl_url="https://ibm.biz/hyper-protect-container-runtime-0b8907-crl-1" # (example)
    curl --location --silent "$crl_url" --output "ibm-hyper-protect-container-runtime.crl"

    {: pre}

  2. Verify that the CRL is valid (check valid dates and issuer):

    openssl crl -text -noout -in "ibm-hyper-protect-container-runtime.crl"

    {: pre}

  3. Verify the CRL signature:

    openssl x509 -in "ibm-hyper-protect-container-runtime-1-0-s390x-20-intermediate.crt" -pubkey -noout -out pubkey
    bbegin="$(openssl asn1parse -in "ibm-hyper-protect-container-runtime.crl" | head -2 | tail -1 | cut -d : -f 1)"
    bend="$(openssl asn1parse -in "ibm-hyper-protect-container-runtime.crl" | tail -1 | cut -d : -f 1)"
    openssl asn1parse -in "ibm-hyper-protect-container-runtime.crl" -out signature -strparse $bend -noout
    openssl asn1parse -in "ibm-hyper-protect-container-runtime.crl" -out body -strparse $bbegin -noout
    openssl sha512 -verify pubkey -signature signature body

    {: codeblock}

  4. Verify that the encryption certificate document is valid:

    1. Extract the serial from the encryption certificate:

      openssl x509 -in ibm-hyper-protect-container-runtime-1-0-s390x-20-encrypt.crt -noout -serial
      serial=C66CF6A4A9D72F515FFCB3D2AC052142 # (example)

      {: pre}

    2. Export the value of 'serial' by running the following command:

      export serial=C66CF6A4A9D72F515FFCB3D2AC052142 # (example)

      {: pre}

      You can verify if the value is set by running the following command:

      echo $serial

      {: pre}

    3. Verify that the certificate is not listed within the CRL:

      openssl crl -text -noout -in "ibm-hyper-protect-container-runtime.crl" | grep -q "$serial" && echo REVOKED || echo OK

      {: pre}

    A revoked encryption certificate document must not be used for further encryptions.

  5. Verify that the attestation certificate document is valid:

    1. Extract the serial from the attestation certificate:

      openssl x509 -in ibm-hyper-protect-container-runtime-1-0-s390x-20-attestation.crt -noout -serial
      serial=4E00961583F1CCA04F9D02CF071E6D28  # (example)

      {: pre}

    2. Export the value of 'serial' by running the following command:

      export serial=4E00961583F1CCA04F9D02CF071E6D28  # (example)

      {: pre}

      You can verify if the value is set by running the following command:

      echo $serial

      {: pre}

    3. Verify that the certificate is not listed within the CRL:

      openssl crl -text -noout -in "ibm-hyper-protect-container-runtime.crl" | grep -q "$serial" && echo REVOKED || echo OK

      {: pre}

    An image with a revoked attestation certificate document must not be started.
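
The `grep -q "$serial" && echo REVOKED || echo OK` one-liner in steps 4 and 5 prints `OK` when the CRL file is missing or cannot be parsed, because `grep` then has nothing to match. The following function is an added example, not part of the original documentation; the name `crl_serial_status` is hypothetical. It performs the same serial lookup but reports `ERROR` in those cases and matches the complete `Serial Number:` line. Run it only after the CRL signature check in step 3 has passed.

```shell
#!/bin/sh
# Added example: fail-closed revocation lookup (function name is hypothetical).
# Usage: crl_serial_status <certificate.crt> <downloaded.crl>
# Prints OK, REVOKED or ERROR; returns 0 only for OK.
crl_serial_status() (
  cert="$1"; crl="$2"

  # `openssl x509 -serial` prints "serial=<HEX>"; keep only the hex digits.
  serial="$(openssl x509 -in "$cert" -noout -serial 2>/dev/null)" || serial=""
  serial="${serial#serial=}"
  case "$serial" in
    ''|*[!0-9A-F]*) echo ERROR; exit 2 ;;   # unreadable certificate or empty serial
  esac

  # A missing or unparsable CRL must not be reported as "not revoked".
  listing="$(openssl crl -in "$crl" -noout -text 2>/dev/null)" || { echo ERROR; exit 2; }
  case "$listing" in
    *"Certificate Revocation List"*) ;;
    *) echo ERROR; exit 2 ;;
  esac

  # Match the whole "Serial Number:" line instead of any substring of the dump.
  if printf '%s\n' "$listing" |
     grep -Eq "^[[:space:]]*Serial Number:[[:space:]]*${serial}[[:space:]]*\$"; then
    echo REVOKED; exit 1
  fi
  echo OK
)
```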