使用openssl验证验证证书链 [英] Verify a certificate chain using openssl verify

问题描述

我正在建立含有以下组件的自己的证书链：

根证书 - 中级证书 - 用户证书

根证书是自签名证书，中间证书由根和用户由中间签名。

I'm building a own certificate chain with following componentens:
Root Certificate - Intermediate Certificate - User Certificate
Root Cert is a self signed certificate, Intermediate Certificate is signed by Root and User by Intermediate.

现在，我要验证用户证书是否有根证书。

Now I want to verify if a User Certificate has its anchor by Root Certificate.

使用

openssl verify -verbose -CAfile RootCert.pem Intermediate.pem

验证正确。在下一个步骤中，我使用

验证用户证书 openssl verify -verbose -CAfile Intermediate.pem UserCert.pem

验证显示错误20在0深度查找：无法获取本地颁发者证书

With
openssl verify -verbose -CAfile RootCert.pem Intermediate.pem
the validation is ok. In the next step I validate the User Cert with
openssl verify -verbose -CAfile Intermediate.pem UserCert.pem
and the validation shows error 20 at 0 depth lookup:unable to get local issuer certificate

有什么问题？

推荐答案

从验证文档：如果发现的证书是其自己的发行者，则假定它是根CA。换句话说，根CA需要自签名验证才能工作。

From 'verify' documentation: "If a certificate is found which is its own issuer it is assumed to be the root CA". In other words, root CA needs to self signed for verify to work. This is why your second command didn't work.

请尝试以下操作：

openssl verify -CAfile RootCert.pem -untrusted Intermediate.pem UserCert.pem

请在一个命令中验证整个链。

It will verify your entire chain in a single command.

这篇关于使用openssl验证验证证书链的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！