Openssl verify with chained CA and chained Cert

Problem description

I have a certificate chain: root CA -> intermediate CA -> org CA -> client cert

When I verify the client cert with CA as root CA -> intermediate CA -> org CA, it works:

$ cat org_1_ca/ca_crt.pem middle_ca/ca_crt.pem root_ca/ca_crt.pem > /tmp/test123.pem
$ openssl verify -CAfile /tmp/test123.pem client/client_crt.pem
client_crt.pem: OK

But when I chained my client cert with org CA (org CA -> client Cert), and have the rest of the chain as CA (root CA -> intermediate CA), it doesn't:

$ cat middle_ca/ca_crt.pem root_ca/ca_crt.pem > /tmp/test12.pem
$ openssl verify -CAfile /tmp/test12.pem client/org1_client_crt.pem
client/org1_client_crt.pem: C = US, ST = CA, L = LA, O = PP, OU = TEST, CN = user0
error 20 at 0 depth lookup: unable to get local issuer certificate

Is this something that is fundamentally wrong, or does openssl verify just not like that? I tried the same thing with nginx and openssl connect and there was no luck there. Any help is appreciated.

Recommended answer

The openssl commandline verify operation reads only one certificate, the first one, from the file given as operand, or from each file if more than one is given. This differs from the files specified with the -CAfile -trusted -untrusted options which can (and typically do) contain multiple certs.

Your file client/org1_client_crt.pem presumably contains the client cert and the 'org CA' cert, in that order. Only the client cert is used, the 'org CA' cert is ignored, and as a result you do not have a valid chain to verify.

If you want to use commandline to mimic/test the validation that a receiver (for a client cert, the server) would do, supply the leaf cert as the operand and all other transmitted (chain) certs with -untrusted, and the anchor(s) plus any 'known' intermediates in the truststore either explicit or defaulted.

There is no openssl connect operation; I assume you mean openssl s_client with options including -connect since that's one place it would make sense to use a client cert chain. The -cert option to s_client similarly uses only the first cert in the file. There is no option on commandline to specify the client chain except in the most recent version, 1.1.0, and even there it isn't documented so you have to read the help message carefully or the code, although the API/library has long supported this for code you write yourself.

Through 1.0.2 if you want to send a client cert with full chain to the server (as you should per the RFCs), assuming the server requests client authentication which is not usual and not the default for nginx (among others), you have to use a trick: supply all the certs needed for the client chain in the truststore, in addition to the anchor(s) needed to verify the server, either using -CAfile and/or -CApath explicitly, or using (modifying if needed) the default truststore unless your openssl is an older non-RedHat version where the default truststore didn't work in s_client s_server s_time only.

And the same is true about the server cert/chain in s_server except that it is used almost always instead of very rarely.
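The following is an added example, not code from the original question or answer: it builds a throwaway root CA -> middle CA -> org CA -> client chain, reproduces the asker's failing layout (leaf plus org CA in the operand file, middle plus root as the -CAfile), and then runs the form the answer recommends, with the transmitted intermediate passed via -untrusted. It assumes only an openssl binary on PATH; every file name and subject in it is made up.

```shell
#!/bin/sh
# Added example, not from the original thread: build a throwaway chain
#   root CA -> middle CA -> org CA -> client cert
# reproduce the asker's failing command, then run the form the answer recommends.
# Assumes only an `openssl` binary (1.0.2 or newer) on PATH; all names are made up.
set -eu
WORK=$(mktemp -d)

# Extension files: a CA cert must carry basicConstraints CA:TRUE or chain building rejects it.
printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/leaf.ext"

# issue NAME SUBJECT ISSUER EXTFILE: fresh key and CSR for NAME, signed with ISSUER's key.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$4" -out "$WORK/$1.pem" 2>/dev/null
}

# Self-signed root, then the three certificates below it.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
  -out "$WORK/root.csr" -subj '/CN=Test Root CA' 2>/dev/null
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
  -days 30 -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
issue middle '/CN=Test Middle CA' root   ca.ext
issue org    '/CN=Test Org CA'    middle ca.ext
issue client '/CN=user0'          org    leaf.ext

# The asker's layout: leaf + org CA in the operand file, middle + root as the -CAfile.
cat "$WORK/client.pem" "$WORK/org.pem"  > "$WORK/client_chain.pem"
cat "$WORK/middle.pem" "$WORK/root.pem" > "$WORK/trust.pem"

# Each check returns 0 when verify reports OK and non-zero otherwise.
verify_as_asked() {
  # Fails: verify reads only the first cert in the operand file, so the org CA
  # behind it is never seen and the leaf's issuer cannot be found (error 20, depth 0).
  openssl verify -CAfile "$WORK/trust.pem" "$WORK/client_chain.pem" >/dev/null 2>&1
}
verify_with_untrusted() {
  # Works: leaf as operand, transmitted intermediate via -untrusted, anchors in -CAfile.
  openssl verify -CAfile "$WORK/trust.pem" -untrusted "$WORK/org.pem" \
    "$WORK/client.pem" >/dev/null 2>&1
}

if verify_as_asked; then echo "as asked: OK"; else echo "as asked: error (expected)"; fi
if verify_with_untrusted; then echo "with -untrusted: OK"; else echo "with -untrusted: error"; fi
```

Note that if the org CA had been placed first in the operand file, verify would have checked the org CA instead of the client cert and printed OK, so a green result on a bundle file never proves the leaf verifies.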
