Can I combine multiple certs into one without the private key?


Question

I need to have up-to-date cert trust stores in many devices, so I would like to be able to combine them into one cert so that I can then just push that one file. I only want to bundle the public keys of the many CAs, but I do not want to add the private file because I want a cert that I push to all of my devices. I was thinking that this feature was called a chain, but openssl will not take the command without a private file. Can this be done? I have tried several different things and I have looked at many threads here, but I don't know what I am doing.

The command I tried to use is:

openssl -export -pkcs12 -out output.pem -cafile intermediate.pem

Edit

I tried "openssl crl2pkcs7 -certfile bundle.pem -out p7.pem" but it produced an error:

openssl crl2pkcs7 -certfile bundle.pem -out p7.pem
unable to load CRL
9460:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:701:Expecting: X509 CRL

I also tried:

openssl pkcs7 -in bundle.pem -out p7.pem
unable to load PKCS7 object
3676:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1201:
3676:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:.\crypto\asn1\tasn_dec.c:765:
3676:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:697:Field=type, Type=PKCS7
3676:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:.\crypto\pem\pem_oth.c:83:

Recommended answer

If you already have the certificates, you could simply concatenate them:

cat cert1.pem cert2.pem > bundle.pem

However, it really depends on the format which each trust store expects. So for instance, the Public Key Cryptography Standards describe several standards which could be used to distribute certificates, keys, etc. One of them is PKCS#7, which is often used to bundle a set of certificates without the private key. You probably need to look at how each device implements the trust store because they may all expect different formats.
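The concatenation approach from the answer, as an added example that is not part of the original post: a POSIX shell script that keeps only the CERTIFICATE blocks, refuses any input containing a private key, and can wrap the result in a certificate-only PKCS#7 file with `openssl crl2pkcs7 -nocrl`. The function names and file names are assumptions for illustration.

```shell
#!/bin/sh
# Added example. Function and file names are assumptions for illustration.

# bundle_certs OUT IN...: write only the CERTIFICATE blocks of IN... to OUT.
bundle_certs() {
    out=$1; shift
    # Check every input first so nothing is written if any file holds a key.
    for f in "$@"; do
        if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f"; then
            echo "refusing $f: contains a private key" >&2
            return 1
        fi
    done
    : > "$out"
    for f in "$@"; do
        # Copy the PEM certificate blocks, dropping any text around them.
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
            "$f" >> "$out"
    done
}

# count_certs FILE: number of certificate blocks in a PEM bundle.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# to_pkcs7 BUNDLE OUT: wrap a PEM bundle in a certificate-only PKCS#7 file.
# -nocrl tells crl2pkcs7 not to expect a CRL on input; needs real certificates.
to_pkcs7() {
    openssl crl2pkcs7 -nocrl -certfile "$1" -out "$2" &&
        openssl pkcs7 -in "$2" -print_certs -noout
}

# Usage: sh bundle.sh ca-bundle.pem root1.pem root2.pem ...
if [ "$#" -ge 2 ]; then
    dest=$1; shift
    bundle_certs "$dest" "$@" &&
        echo "$(count_certs "$dest") certificate(s) written to $dest"
fi
```

Comparing the count reported for the bundle with the number of CAs you intended to ship is a quick check before pushing the file to devices.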
