IBM Cloud Docs
Validating the certificates

You can validate the certificates that you download for contract encryption and attestation.

Downloading the certificates

Download the following certificates:

  • Get the DigiCert certificates. The DigiCert Trusted Root G4 certificate can be downloaded here, and the DigiCert G4 intermediate certificate can be downloaded here.

  • Get the IBM intermediate certificate. The following table lists the expiry dates for the intermediate certificates based on the version of the image.

    Table 1. Intermediate certificate expiry dates
    Image version                                      Certificate link   Expiry date
    ibm-hyper-protect-container-runtime-1-0-s390x-15   certificate        02 October 2025
    ibm-hyper-protect-container-runtime-1-0-s390x-14   certificate        02 October 2025

Validating the contract encryption certificate

Complete the following steps on an Ubuntu system to validate the encryption certificate:

  1. Use the following command to verify the DigiCert intermediate CA certificate against the system trust store. The -crl_download option fetches the CRL from the distribution point named in the certificate, and -crl_check rejects the certificate if it is listed there:
    openssl verify -crl_download -crl_check DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem
    
  2. Use the following command to verify the IBM intermediate (signing key) certificate. The DigiCert CA certificate is passed with -untrusted so that the chain up to the trusted root can be built:
    openssl verify -crl_download -crl_check -untrusted DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem ibm-hyper-protect-container-runtime-1-0-s390x-15-intermediate.crt
    
  3. Complete the following steps to verify the signature of the encryption certificate document:
    1. Extract the public signing key into a file. In the following example, the file is called pubkey.pem:
      openssl x509 -in ibm-hyper-protect-container-runtime-1-0-s390x-15-intermediate.crt -pubkey -noout > pubkey.pem
      
    2. Extract the encryption key signature from the encryption certificate document. The following command prints the offset of the signature, which is the last ASN.1 element (the signature BIT STRING) in the document:
      openssl asn1parse -in ibm-hyper-protect-container-runtime-1-0-s390x-15-encrypt.crt | tail -1 | cut -d : -f 1
      
      Assume that the command prints <offset_value>. Use this <offset_value> to extract the encryption key signature into a file called signature:
      openssl asn1parse -in ibm-hyper-protect-container-runtime-1-0-s390x-15-encrypt.crt -out signature -strparse <offset_value> -noout
      
    3. Extract the body of the encryption certificate document (the signed tbsCertificate structure, which starts at offset 4) into a file called body:
      openssl asn1parse -in ibm-hyper-protect-container-runtime-1-0-s390x-15-encrypt.crt -out body -strparse 4 -noout
      
    4. Verify the signature by using the signature and body files:
      openssl sha512 -verify pubkey.pem -signature signature body
      
  4. Verify the issuer of the encryption certificate document. Compare the output of the following two commands; the issuer of the encryption certificate document must match the subject of the intermediate certificate.
    openssl x509 -in ibm-hyper-protect-container-runtime-1-0-s390x-15-encrypt.crt -issuer -noout
    openssl x509 -in ibm-hyper-protect-container-runtime-1-0-s390x-15-intermediate.crt -subject -noout
    
  5. Verify that the encryption certificate document is still valid by checking the notBefore and notAfter dates in the output of the following command:
    openssl x509 -in ibm-hyper-protect-container-runtime-1-0-s390x-15-encrypt.crt -dates -noout
    

Validating the attestation certificate

Complete the following steps on an Ubuntu system to validate the attestation certificate:

  1. Use the following command to verify the DigiCert intermediate CA certificate against the system trust store. The -crl_download option fetches the CRL from the distribution point named in the certificate, and -crl_check rejects the certificate if it is listed there:
    openssl verify -crl_download -crl_check DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem
    
  2. Use the following command to verify the IBM intermediate (signing key) certificate. The DigiCert CA certificate is passed with -untrusted so that the chain up to the trusted root can be built:
    openssl verify -crl_download -crl_check -untrusted DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem ibm-hyper-protect-container-runtime-1-0-s390x-15-intermediate.crt
    
  3. Complete the following steps to verify the signature of the attestation certificate document:
    1. Extract the public signing key into a file. In the following example, the file is called pubkey.pem:
      openssl x509 -in ibm-hyper-protect-container-runtime-1-0-s390x-15-intermediate.crt -pubkey -noout > pubkey.pem
      
    2. Extract the attestation key signature from the attestation certificate document. The following command prints the offset of the signature, which is the last ASN.1 element (the signature BIT STRING) in the document:
      openssl asn1parse -in ibm-hyper-protect-container-runtime-1-0-s390x-15-attestation.crt | tail -1 | cut -d : -f 1
      
      Assume that the command prints <offset_value>. Use this <offset_value> to extract the attestation key signature into a file called signature:
      openssl asn1parse -in ibm-hyper-protect-container-runtime-1-0-s390x-15-attestation.crt -out signature -strparse <offset_value> -noout
      
    3. Extract the body of the attestation certificate document (the signed tbsCertificate structure, which starts at offset 4) into a file called body:
      openssl asn1parse -in ibm-hyper-protect-container-runtime-1-0-s390x-15-attestation.crt -out body -strparse 4 -noout
      
    4. Verify the signature by using the signature and body files:
      openssl sha512 -verify pubkey.pem -signature signature body
      
  4. Verify the issuer of the attestation certificate document. Compare the output of the following two commands; the issuer of the attestation certificate document must match the subject of the intermediate certificate.
    openssl x509 -in ibm-hyper-protect-container-runtime-1-0-s390x-15-attestation.crt -issuer -noout
    openssl x509 -in ibm-hyper-protect-container-runtime-1-0-s390x-15-intermediate.crt -subject -noout
    
  5. Verify that the attestation certificate document is still valid by checking the notBefore and notAfter dates in the output of the following command:
    openssl x509 -in ibm-hyper-protect-container-runtime-1-0-s390x-15-attestation.crt -dates -noout
    
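The signature, issuer and validity checks from steps 3 to 5 of both procedures above, combined into one shell function. This is an added example, not IBM's code: the file names and the self-signed signing-key/document pair it generates are constructed so that the script runs offline, and are not the real IBM artifacts. It keeps the page's asn1parse approach instead of openssl verify, which would require the signing certificate to be a CA certificate.

```shell
#!/bin/sh
# Added example, not IBM's code: steps 3 to 5 above as one re-usable check,
# plus a constructed signing-key/document pair so the script runs offline.
# Constructed fixture: a self-signed "intermediate" signing certificate, a
# document certificate it signs with SHA-512, and other.crt, signed by an
# unrelated key, which the check must reject.
make_fixture() {
  d="$1"; mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -sha512 -days 2 \
    -subj "/CN=constructed-signing-key" -keyout "$d/signer.key" \
    -out "$d/intermediate.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-encrypt-doc" \
    -keyout "$d/doc.key" -out "$d/doc.csr" 2>/dev/null
  openssl x509 -req -sha512 -days 1 -in "$d/doc.csr" -CA "$d/intermediate.crt" \
    -CAkey "$d/signer.key" -set_serial 1 -out "$d/doc.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -sha512 -days 1 \
    -subj "/CN=constructed-encrypt-doc" -keyout "$d/other.key" \
    -out "$d/other.crt" 2>/dev/null
}
# verify_document <signing cert> <document cert>: exit 0 when all checks
# pass; otherwise a bit mask of 1 (bad signature), 2 (issuer mismatch),
# 4 (expired).
verify_document() {
  ca="$1"; doc="$2"; w="$(mktemp -d)"; rc=0
  # Step 3.1: public signing key of the intermediate certificate.
  openssl x509 -in "$ca" -pubkey -noout > "$w/pubkey.pem"
  # Step 3.2: the signature BIT STRING is the last asn1parse line; -strparse
  # at its offset writes the raw signature bytes.
  off="$(openssl asn1parse -in "$doc" | tail -1 | cut -d : -f 1 | tr -d ' ')"
  openssl asn1parse -in "$doc" -out "$w/signature" -strparse "$off" -noout
  # Step 3.3: tbsCertificate starts at offset 4, after the 4-byte header of
  # the outer SEQUENCE (any certificate longer than 255 bytes).
  openssl asn1parse -in "$doc" -out "$w/body" -strparse 4 -noout
  # Step 3.4: SHA-512 signature check under the signing key.
  openssl sha512 -verify "$w/pubkey.pem" -signature "$w/signature" \
    "$w/body" >/dev/null 2>&1 || rc=$((rc|1))
  # Step 4: document issuer must equal the signing certificate's subject.
  iss="$(openssl x509 -in "$doc" -issuer -noout | sed 's/^issuer=//')"
  sub="$(openssl x509 -in "$ca" -subject -noout | sed 's/^subject=//')"
  [ "$iss" = "$sub" ] || rc=$((rc|2))
  # Step 5: -checkend 0 fails once notAfter has passed (notBefore is not
  # checked here; read it from -dates if clock skew matters).
  openssl x509 -in "$doc" -checkend 0 -noout >/dev/null || rc=$((rc|4))
  rm -rf "$w"; return "$rc"
}
# Usage: sh validate_doc.sh demo, or call verify_document on the real files.
if [ "${1:-}" = "demo" ]; then
  d="$(mktemp -d)"; make_fixture "$d"
  verify_document "$d/intermediate.crt" "$d/doc.crt" && echo "document OK"
fi
```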

Certificate revocation list

The certificates contain Certificate Revocation List (CRL) Distribution Points. You can use the CRL to verify that your certificates are valid (not revoked).

  1. Extract the CRL distribution point URL from the attestation or encryption certificate and download the CRL:

    openssl x509 -in "ibm-hyper-protect-container-runtime-1-0-s390x-15-encrypt.crt" -noout -ext crlDistributionPoints
    crl_url=https://ibm.biz/hyper-protect-container-runtime-023BC9-crl-1  # (example)
    curl --location --silent "$crl_url" --output "ibm-hyper-protect-container-runtime.crl"
    
  2. Verify that the CRL is valid: check the Last Update and Next Update dates and the issuer in the output of the following command:

    openssl crl -text -noout -in "ibm-hyper-protect-container-runtime.crl"
    
  3. Verify the CRL signature:

    openssl x509 -in "ibm-hyper-protect-container-runtime-1-0-s390x-15-intermediate.crt" -pubkey -noout -out pubkey
    bbegin="$(openssl asn1parse -in "ibm-hyper-protect-container-runtime.crl" | head -2 | tail -1 | cut -d : -f 1)"
    bend="$(openssl asn1parse -in "ibm-hyper-protect-container-runtime.crl" | tail -1 | cut -d : -f 1)"
    openssl asn1parse -in "ibm-hyper-protect-container-runtime.crl" -out signature -strparse $bend -noout
    openssl asn1parse -in "ibm-hyper-protect-container-runtime.crl" -out body -strparse $bbegin -noout
    openssl sha512 -verify pubkey -signature signature body
    
  4. Verify that the encryption certificate document is valid (not revoked):

    1. Extract the serial from the encryption certificate:
      openssl x509 -in ibm-hyper-protect-container-runtime-1-0-s390x-15-encrypt.crt -noout -serial
      serial=16B7C7F9B61548506F4E63BA6FD40045  # (example)
      
    2. Export the value of 'serial' by running the following command:
      export serial=16B7C7F9B61548506F4E63BA6FD40045
      
      You can verify if the value is set by running the following command:
      echo $serial
      
    3. Verify that the certificate is not listed within the CRL:
      openssl crl -text -noout -in "ibm-hyper-protect-container-runtime.crl" | grep -q "$serial" && echo REVOKED || echo OK
      

    A revoked encryption certificate document must not be used for further encryptions.

  5. Verify that the attestation certificate document is valid (not revoked):

    1. Extract the serial from the attestation certificate:
      openssl x509 -in ibm-hyper-protect-container-runtime-1-0-s390x-15-attestation.crt -noout -serial
      serial=65BFC9AD7C3C269E41517E7FC26B0E3C  # (example)
      
    2. Export the value of 'serial' by running the following command:
      export serial=65BFC9AD7C3C269E41517E7FC26B0E3C
      
      You can verify if the value is set by running the following command:
      echo $serial
      
    3. Verify that the certificate is not listed within the CRL:
      openssl crl -text -noout -in "ibm-hyper-protect-container-runtime.crl" | grep -q "$serial" && echo REVOKED || echo OK
      

    An image with a revoked attestation certificate document must not be started.
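An exact-match alternative to the grep check in steps 4.3 and 5.3 above, added here as an example and not IBM's code. grep -q "$serial" matches the hex string anywhere in the CRL text, including as a substring of another serial or of the CRL number, so this function looks only inside the Revoked Certificates section and compares the whole serial. The sample CRL text is constructed in the layout that openssl crl -text prints; the serial in it is made up and is not a real IBM value.

```shell
#!/bin/sh
# Added example, not IBM's code: exact serial lookup in CRL text instead of
# a substring grep.
# Reads `openssl crl -text -noout` output on stdin; $1 is the serial as
# printed by `openssl x509 -serial` (without the "serial=" prefix).
# Exit status 0 = listed as revoked, 1 = not listed.
serial_revoked() {
  awk -v want="$(printf '%s' "$1" | tr 'a-f' 'A-F')" '
    /^Revoked Certificates:/    { inrev = 1; next }
    /^    Signature Algorithm:/ { inrev = 0 }
    inrev && $1 == "Serial" && $2 == "Number:" && toupper($3) == want { found = 1 }
    END { exit found ? 0 : 1 }'
}
# Constructed sample in the layout openssl prints for a CRL with one entry
# (made-up serial; the CRL number "1" shows why a substring grep is unsafe).
SAMPLE_CRL_TEXT=$(cat <<'EOF'
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: CN = constructed-signing-key
        Last Update: Jan  1 00:00:00 2025 GMT
        Next Update: Jan  2 00:00:00 2025 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
Revoked Certificates:
    Serial Number: 0123456789ABCDEF0123456789ABCDEF
        Revocation Date: Jan  1 00:00:00 2025 GMT
    Signature Algorithm: sha512WithRSAEncryption
    Signature Value:
        ab:cd:ef
EOF
)
# Usage on the downloaded files:
#   serial="$(openssl x509 -in <document>.crt -noout -serial | cut -d= -f2)"
#   openssl crl -text -noout -in ibm-hyper-protect-container-runtime.crl \
#     | serial_revoked "$serial" && echo REVOKED || echo OK
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_CRL_TEXT" \
    | serial_revoked 0123456789ABCDEF0123456789ABCDEF && echo REVOKED || echo OK
fi
```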