IBM Cloud Docs
Validating the certificates


You can validate the certificates that you download for contract encryption and attestation: the chain up to the DigiCert root, the signature on each certificate document, its issuer, its validity period, and its revocation status.

Downloading the certificates

Download the following certificates:

  • Get the DigiCert certificates. The DigiCert Trusted Root G4 certificate can be downloaded here, and the DigiCert G4 intermediate certificate (DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, the file DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem used in the commands below) can be downloaded here.

  • Get the IBM intermediate certificate. The following table lists the expiry date of the intermediate certificate for each image version.

    Intermediate certificate expiry dates

    Image version                                      Certificate link   Expiry date
    ibm-hyper-protect-container-runtime-1-0-s390x-19   certificate        01 September 2026
    ibm-hyper-protect-container-runtime-1-0-s390x-18   certificate        03 June 2026
    ibm-hyper-protect-container-runtime-1-0-s390x-17   certificate        03 June 2026
    ibm-hyper-protect-container-runtime-1-0-s390x-16   certificate        03 June 2026
    ibm-hyper-protect-container-runtime-1-0-s390x-15   certificate        02 October 2025
    ibm-hyper-protect-container-runtime-1-0-s390x-14   certificate        02 October 2025
    ibm-hyper-protect-container-runtime-1-0-s390x-13   certificate        02 November 2024

  • Use the certificates that correspond to the Hyper Protect Container Runtime image version that you deploy, for both contract encryption and attestation.

Validating the contract encryption certificate

Complete the following steps on an Ubuntu system to validate the encryption certificate:

  1. Verify the DigiCert intermediate CA certificate. With no -CAfile or -CApath, openssl verify uses the system trust store, which on Ubuntu includes the DigiCert Trusted Root G4; if your store lacks it, add -CAfile with the downloaded root certificate. -crl_download fetches the CRL named in the certificate and -crl_check checks that the certificate is not listed on it:
    openssl verify -crl_download -crl_check DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem
    
  2. Verify the IBM intermediate (signing key) certificate, passing the DigiCert intermediate as an untrusted chain certificate. Use -crl_check_all instead of -crl_check to apply the revocation check to every certificate in the chain rather than only the leaf:
    openssl verify -crl_download -crl_check -untrusted DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem ibm-hyper-protect-container-runtime-1-0-s390x-19-intermediate.crt
    
  3. Complete the following steps to verify the signature of the encryption certificate document:
    1. Extract the public signing key into a file. In the following example, the file is called pubkey.pem:
      openssl x509 -in ibm-hyper-protect-container-runtime-1-0-s390x-19-intermediate.crt -pubkey -noout >  pubkey.pem
      
    2. Extract the signature from the encryption certificate document. The signature is the BIT STRING on the last line of the asn1parse output; the following command returns its offset:
      openssl asn1parse -in ibm-hyper-protect-container-runtime-1-0-s390x-19-encrypt.crt | tail -1 | cut -d : -f 1
      
      Using the printed value as <offset_value>, extract the signature into a file called signature:
      openssl asn1parse -in ibm-hyper-protect-container-runtime-1-0-s390x-19-encrypt.crt -out signature -strparse <offset_value> -noout
      
    3. Extract the signed body of the encryption certificate document (the tbsCertificate structure, which starts at offset 4) into a file called body:
      openssl asn1parse -in ibm-hyper-protect-container-runtime-1-0-s390x-19-encrypt.crt -out body -strparse 4 -noout
      
    4. Verify the signature over body with the extracted public key. The SHA-512 digest is chosen to match the signature algorithm of the document; the command prints Verified OK on success:
      openssl sha512 -verify pubkey.pem -signature signature body
      
  4. Verify the issuer of the encryption certificate document. Its issuer must be the subject of the intermediate certificate, so the output of the following two commands must match (apart from the issuer= and subject= prefixes):
    openssl x509 -in ibm-hyper-protect-container-runtime-1-0-s390x-19-encrypt.crt -issuer -noout
    openssl x509 -in ibm-hyper-protect-container-runtime-1-0-s390x-19-intermediate.crt -subject -noout
    
  5. Verify that the encryption certificate document is currently valid: in the output of the following command, notBefore must be in the past and notAfter in the future:
    openssl x509 -in ibm-hyper-protect-container-runtime-1-0-s390x-19-encrypt.crt -dates -noout
    

Validating the attestation certificate

Complete the following steps on an Ubuntu system to validate the attestation certificate:

  1. Verify the DigiCert intermediate CA certificate. With no -CAfile or -CApath, openssl verify uses the system trust store, which on Ubuntu includes the DigiCert Trusted Root G4; if your store lacks it, add -CAfile with the downloaded root certificate. -crl_download fetches the CRL named in the certificate and -crl_check checks that the certificate is not listed on it:
    openssl verify -crl_download -crl_check DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem
    
  2. Verify the IBM intermediate (signing key) certificate, passing the DigiCert intermediate as an untrusted chain certificate. Use -crl_check_all instead of -crl_check to apply the revocation check to every certificate in the chain rather than only the leaf:
    openssl verify -crl_download -crl_check -untrusted DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem ibm-hyper-protect-container-runtime-1-0-s390x-19-intermediate.crt
    
  3. Complete the following steps to verify the signature of the attestation certificate document:
    1. Extract the public signing key into a file. In the following example, the file is called pubkey.pem:
      openssl x509 -in ibm-hyper-protect-container-runtime-1-0-s390x-19-intermediate.crt -pubkey -noout >  pubkey.pem
      
    2. Extract the signature from the attestation certificate document. The signature is the BIT STRING on the last line of the asn1parse output; the following command returns its offset:
      openssl asn1parse -in ibm-hyper-protect-container-runtime-1-0-s390x-19-attestation.crt | tail -1 | cut -d : -f 1
      
      Using the printed value as <offset_value>, extract the signature into a file called signature:
      openssl asn1parse -in ibm-hyper-protect-container-runtime-1-0-s390x-19-attestation.crt -out signature -strparse <offset_value> -noout
      
    3. Extract the signed body of the attestation certificate document (the tbsCertificate structure, which starts at offset 4) into a file called body:
      openssl asn1parse -in ibm-hyper-protect-container-runtime-1-0-s390x-19-attestation.crt -out body -strparse 4 -noout
      
    4. Verify the signature over body with the extracted public key. The SHA-512 digest is chosen to match the signature algorithm of the document; the command prints Verified OK on success:
      openssl sha512 -verify pubkey.pem -signature signature body
      
  4. Verify the issuer of the attestation certificate document. Its issuer must be the subject of the intermediate certificate, so the output of the following two commands must match (apart from the issuer= and subject= prefixes):
    openssl x509 -in ibm-hyper-protect-container-runtime-1-0-s390x-19-attestation.crt -issuer -noout
    openssl x509 -in ibm-hyper-protect-container-runtime-1-0-s390x-19-intermediate.crt -subject -noout
    
  5. Verify that the attestation certificate document is currently valid: in the output of the following command, notBefore must be in the past and notAfter in the future:
    openssl x509 -in ibm-hyper-protect-container-runtime-1-0-s390x-19-attestation.crt -dates -noout
    

Certificate revocation list

The certificates carry a Certificate Revocation List (CRL) Distribution Points extension. Use the CRL that it points to in order to check that the certificates have not been revoked.

  1. Read the CRL URL from the attestation or encryption certificate and download the CRL. The first command prints the CRL Distribution Points extension; copy the URI that it shows into crl_url (the value below is an example only):

    openssl x509 -in "ibm-hyper-protect-container-runtime-1-0-s390x-19-encrypt.crt" -noout -ext crlDistributionPoints
    crl_url="https://ibm.biz/hyper-protect-container-runtime-0b8907-crl-1" # (example)
    curl --location --silent "$crl_url" --output "ibm-hyper-protect-container-runtime.crl"
    
  2. Verify that the CRL is valid: the Last Update and Next Update dates in the output must bracket the current time, and the Issuer must be the subject of the IBM intermediate certificate:

    openssl crl -text -noout -in "ibm-hyper-protect-container-runtime.crl"
    
  3. Verify the CRL signature. This is the same detached-signature check as for the certificate documents: the body is the tbsCertList structure (the second line of the asn1parse output) and the signature is the BIT STRING on the last line:

    openssl x509 -in "ibm-hyper-protect-container-runtime-1-0-s390x-19-intermediate.crt" -pubkey -noout -out pubkey
    bbegin="$(openssl asn1parse -in "ibm-hyper-protect-container-runtime.crl" | head -2 | tail -1 | cut -d : -f 1)"
    bend="$(openssl asn1parse -in "ibm-hyper-protect-container-runtime.crl" | tail -1 | cut -d : -f 1)"
    openssl asn1parse -in "ibm-hyper-protect-container-runtime.crl" -out signature -strparse "$bend" -noout
    openssl asn1parse -in "ibm-hyper-protect-container-runtime.crl" -out body -strparse "$bbegin" -noout
    openssl sha512 -verify pubkey -signature signature body
    
  4. Verify that the encryption certificate document is not revoked:

    1. Extract the serial number from the encryption certificate:
      openssl x509 -in ibm-hyper-protect-container-runtime-1-0-s390x-19-encrypt.crt -noout -serial
      serial=88125A532B65A22C60E7763384253C86 # (example)
      
    2. Set the serial variable to the value that was printed (the value shown is an example):
      export serial=88125A532B65A22C60E7763384253C86
      
      You can check that the value is set by running:
      echo $serial
      
    3. Check that the serial is not listed in the CRL. Matching the Serial Number line, rather than the serial as a bare substring of the CRL text, avoids false matches:
      openssl crl -text -noout -in "ibm-hyper-protect-container-runtime.crl" | grep -q "Serial Number: $serial" && echo REVOKED || echo OK
      

    A revoked encryption certificate document must not be used for further encryptions.

  5. Verify that the attestation certificate document is not revoked:

    1. Extract the serial number from the attestation certificate:
      openssl x509 -in ibm-hyper-protect-container-runtime-1-0-s390x-19-attestation.crt -noout -serial
      serial=56EE5C4CFFEBBFDBCC9026B78DCC76CE # (example)
      
    2. Set the serial variable to the value that was printed (the value shown is an example):
      export serial=56EE5C4CFFEBBFDBCC9026B78DCC76CE
      
      You can check that the value is set by running:
      echo $serial
      
    3. Check that the serial is not listed in the CRL. Matching the Serial Number line, rather than the serial as a bare substring of the CRL text, avoids false matches:
      openssl crl -text -noout -in "ibm-hyper-protect-container-runtime.crl" | grep -q "Serial Number: $serial" && echo REVOKED || echo OK
      

    An image with a revoked attestation certificate document must not be started.
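
The three procedures above (encryption certificate, attestation certificate, CRL) share one mechanism: cut the signed body and the signature BIT STRING out of the DER with asn1parse, verify with the signer's public key, then compare issuer, dates and CRL membership. The following script is an added example and is not part of IBM's documentation or tooling. It packages those checks into shell functions (asn1_sig_check, issuer_check, validity_check, crl_status are names chosen here) and exercises them against a throwaway PKI that it generates itself, so nothing is downloaded and no IBM certificate material is involved; it assumes only that the openssl CLI is on PATH. It also covers the negative cases the page does not show: a signature checked against the wrong key, and a revoked serial found in the CRL.

```bash
#!/usr/bin/env bash
# Added example, not IBM's code: replays the page's checks (asn1parse-based
# signature verification, issuer match, validity, CRL lookup) against a
# throwaway PKI generated on the fly, so it runs offline. Needs the openssl CLI.
set -eu

# Detached signature check done the way the page does it:
#   body      = the first nested SEQUENCE (tbsCertificate or tbsCertList),
#               i.e. the second line of `openssl asn1parse` output
#   signature = the trailing BIT STRING, i.e. the last line
# Works for certificates and PEM CRLs alike. Prints OK or FAIL.
asn1_sig_check() {   # asn1_sig_check <document.pem> <signer.crt>
    local doc="$1" signer="$2" dir parsed bbegin bend
    dir="$(mktemp -d)"
    openssl x509 -in "$signer" -pubkey -noout > "$dir/pubkey.pem"
    parsed="$(openssl asn1parse -in "$doc")"
    bbegin="$(printf '%s\n' "$parsed" | sed -n 2p | cut -d : -f 1)"
    bend="$(printf '%s\n' "$parsed" | tail -1 | cut -d : -f 1)"
    openssl asn1parse -in "$doc" -out "$dir/body" -strparse "$bbegin" -noout
    openssl asn1parse -in "$doc" -out "$dir/signature" -strparse "$bend" -noout
    # The digest must match the document's signatureAlgorithm (sha512WithRSA here).
    if openssl sha512 -verify "$dir/pubkey.pem" -signature "$dir/signature" \
            "$dir/body" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
    rm -rf "$dir"
}

# The issuer of <document.crt> must equal the subject of <signer.crt>.
issuer_check() {
    local iss sub
    iss="$(openssl x509 -in "$1" -issuer -noout)"
    sub="$(openssl x509 -in "$2" -subject -noout)"
    if [ "${iss#issuer=}" = "${sub#subject=}" ]; then echo OK; else echo FAIL; fi
}

# Machine-checkable form of `-dates`: -checkend 0 fails once notAfter has
# passed (it does not look at notBefore).
validity_check() {
    if openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then echo OK; else echo EXPIRED; fi
}

# Look the certificate's serial up in the CRL. Anchoring on the whole
# "Serial Number:" line avoids the substring matches a bare grep of the
# CRL text can produce.
crl_status() {   # crl_status <document.crt> <crl.pem>
    local serial
    serial="$(openssl x509 -in "$1" -noout -serial)"; serial="${serial#serial=}"
    if openssl crl -in "$2" -noout -text \
         | grep -Eq "^[[:space:]]*Serial Number: ${serial}[[:space:]]*$"; then
        echo REVOKED
    else
        echo OK
    fi
}

# Constructed test material (not IBM's): a self-signed "intermediate", two
# leaves signed with sha512WithRSA, and a CRL that revokes one of them.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha512 -days 2 \
        -subj "/CN=Example Intermediate" -keyout inter.key -out intermediate.crt 2>/dev/null
    local entry cn serial
    for entry in encrypt:0x1A2B3C revoked:0x1A2B3D; do
        cn="${entry%%:*}"; serial="${entry#*:}"
        openssl req -newkey rsa:2048 -nodes -sha512 -subj "/CN=example-$cn" \
            -keyout "$cn.key" -out "$cn.csr" 2>/dev/null
        openssl x509 -req -sha512 -days 2 -in "$cn.csr" -CA intermediate.crt \
            -CAkey inter.key -set_serial "$serial" -out "$cn.crt" 2>/dev/null
    done
    # Minimal `openssl ca` configuration: enough to revoke and to issue a CRL.
    printf '%s\n' '[ ca ]' 'default_ca = test' '[ test ]' 'database = index.txt' \
        'crlnumber = crlnumber' 'certificate = intermediate.crt' \
        'private_key = inter.key' 'default_md = sha512' 'default_crl_days = 1' > ca.cnf
    : > index.txt
    echo 01 > crlnumber
    openssl ca -config ca.cnf -revoke revoked.crt >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out test.crl >/dev/null 2>&1
}

main() {
    WORK="$(mktemp -d)"
    trap 'rm -rf "$WORK"' EXIT
    cd "$WORK"
    make_test_pki
    echo "signature  encrypt.crt by intermediate.crt     : $(asn1_sig_check encrypt.crt intermediate.crt)"
    echo "signature  encrypt.crt by revoked.crt (wrong key): $(asn1_sig_check encrypt.crt revoked.crt)"
    echo "signature  test.crl by intermediate.crt        : $(asn1_sig_check test.crl intermediate.crt)"
    echo "issuer     encrypt.crt <- intermediate.crt     : $(issuer_check encrypt.crt intermediate.crt)"
    echo "validity   encrypt.crt                         : $(validity_check encrypt.crt)"
    echo "revocation encrypt.crt                         : $(crl_status encrypt.crt test.crl)"
    echo "revocation revoked.crt                         : $(crl_status revoked.crt test.crl)"
}
main
```

To run the same functions against the downloaded IBM files, skip make_test_pki and call, for example, asn1_sig_check with the encryption (or attestation) certificate document and the intermediate certificate for the same image version, and crl_status with the certificate and the CRL downloaded from its CRL Distribution Points URL. The digest in asn1_sig_check is fixed to SHA-512 as on this page; check it against the Signature Algorithm shown by openssl x509 -text before relying on a failure.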