How does an SSL certificate chain bundle work?
Question

I've created a chain hierarchy like this.

root-ca ==> signing-ca ==> subordinate-ca ==> server

It is mentioned that, to create a chain bundle, the lowest should go first.

$ cat server.crt subordinate-ca.crt signing-ca.crt > server.pem

But verification fails.

$ openssl verify -CAfile root-ca.crt server.pem
error 20 at 0 depth lookup:unable to get local issuer certificate

However, if I change the order it seems to work.

$ cat signing-ca.crt subordinate-ca.crt server.crt > server.pem
$ openssl verify -CAfile root-ca.crt server.pem
server.pem: OK

So what would be the error here?

The chain after "cat" looks like below.

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

More info: According to "http://www.herongyang.com/crypto/openssl_verify_2.html", I performed the following test, which works.

$ cat signing-ca.crt subordinate-ca.crt > inter.crt
$ openssl verify -CAfile root-ca.crt -untrusted inter.crt server.crt
server.crt: OK

Does that mean all the links are good?

OK, I finally discovered that this cannot be done through the OpenSSL command line (or at least not easily). http://openssl.6102.n7.nabble.com/check-certificate-chain-in-a-pem-file-td43871.html
Answer

Edit: I had asserted false things about the correct order of the certs; the OP's original order is in fact backwards. Certs should be followed by the issuing cert until the last cert is issued by a known root. See "SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch" for troubleshooting techniques.
But I still don't know why they wrote the spec so that the order matters.
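The two openssl results in the question and the ordering rule in the answer (each certificate followed by the one that issued it, up to a certificate issued by a known root) can both be checked from the command line, which is what the linked nabble thread was asking for. The script below is an added example, not code from the question, the answer or the linked pages. It assumes the openssl CLI (1.1.1 or later, with a working awk and POSIX sh) is on PATH; the function names (split_bundle, check_order, verify_chain, make_test_pki, issue_cert, demo) and the throwaway PKI it generates are constructed here for the demo. It relies on two facts worth knowing: TLS sends the chain leaf-first, each following certificate certifying the one before it (RFC 5246 section 7.4.2), which is the order of the question's first cat command; and openssl verify reads only the first certificate from a file given as a positional argument and treats the rest of that file as absent, so "openssl verify -CAfile root-ca.crt server.pem" checks whichever certificate happens to be first, which explains both the error 20 and the misleading OK. The -untrusted form the question tried is the one that actually exercises the intermediates.

```shell
#!/bin/sh
# Added example (not from the question or answer): check a PEM chain bundle the
# way a TLS peer reads it (leaf first, each certificate followed by its issuer)
# and verify the leaf through it. Assumes the openssl CLI (1.1.1 or later) is on
# PATH; every file name below is constructed for this demo.
set -eu

# Split bundle $1 into $2/cert-1.pem, $2/cert-2.pem, ... in file order and print
# how many certificates it held.
split_bundle() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
    f                             { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
    END                           { print n + 0 }
  ' "$1"
}

# Order rule: certificate i must be issued by certificate i+1, i.e. cert i's
# issuer DN equals cert i+1's subject DN. Returns 0 when the whole bundle obeys
# it, 1 at the first break (and says which position broke it).
check_order() {
  bundle=$1
  dir=$(mktemp -d)
  n=$(split_bundle "$bundle" "$dir")
  i=1
  while [ "$i" -lt "$n" ]; do
    j=$((i + 1))
    issuer=$(openssl x509 -in "$dir/cert-$i.pem" -noout -issuer)
    subject=$(openssl x509 -in "$dir/cert-$j.pem" -noout -subject)
    if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
      echo "$bundle: certificate $i is not followed by its issuer (${issuer#issuer=})"
      rm -rf "$dir"
      return 1
    fi
    i=$j
  done
  rm -rf "$dir"
  return 0
}

# Full check: the order is right AND the first (leaf) certificate chains up to
# the trusted root with the rest of the bundle as untrusted intermediates.
# A bare "openssl verify -CAfile root-ca.crt server.pem" reads only the FIRST
# certificate in server.pem, so the reversed bundle in the question verified
# signing-ca.crt (OK) while the leaf-first bundle failed with error 20.
verify_chain() {
  bundle=$1; root=$2
  check_order "$bundle" || return 1
  dir=$(mktemp -d)
  split_bundle "$bundle" "$dir" >/dev/null
  rc=0
  openssl verify -CAfile "$root" -untrusted "$bundle" "$dir/cert-1.pem" >/dev/null 2>&1 || rc=$?
  rm -rf "$dir"
  return "$rc"
}

# issue_cert <dir> <name> <issuer> <extfile>: sign <name>'s CSR with <issuer>'s key.
issue_cert() {
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" -CAcreateserial \
    -out "$1/$2.crt" -days 1 -extfile "$1/$4" 2>/dev/null
}

# Throwaway PKI mirroring the question's hierarchy, written into $1:
# root-ca -> signing-ca -> subordinate-ca -> server. Constructed for the demo.
make_test_pki() {
  pki=$1; mkdir -p "$pki"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$pki/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$pki/leaf.ext"
  for name in root-ca signing-ca subordinate-ca server; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
      -keyout "$pki/$name.key" -out "$pki/$name.csr" 2>/dev/null
  done
  openssl x509 -req -in "$pki/root-ca.csr" -signkey "$pki/root-ca.key" \
    -out "$pki/root-ca.crt" -days 1 -extfile "$pki/ca.ext" 2>/dev/null
  issue_cert "$pki" signing-ca root-ca ca.ext
  issue_cert "$pki" subordinate-ca signing-ca ca.ext
  issue_cert "$pki" server subordinate-ca leaf.ext
}

# Demo: build the PKI, assemble the bundle both ways, report on each.
demo() {
  work=$(mktemp -d)
  make_test_pki "$work"
  cat "$work/server.crt" "$work/subordinate-ca.crt" "$work/signing-ca.crt" > "$work/server.pem"
  cat "$work/signing-ca.crt" "$work/subordinate-ca.crt" "$work/server.crt" > "$work/reversed.pem"
  for b in server.pem reversed.pem; do
    if verify_chain "$work/$b" "$work/root-ca.crt"; then
      echo "$b: leaf first, every cert followed by its issuer, chains to root-ca"
    else
      echo "$b: NOT a valid chain bundle"
    fi
  done
  rm -rf "$work"
}
demo
```

Run it as "sh chain_check.sh" and it reports server.pem (leaf first) as a valid bundle and reversed.pem as not one. For a real deployment, call verify_chain with the bundle the server actually serves and the root you trust; check_order alone is useful as a pre-deployment lint, since a misordered bundle is accepted by some clients and rejected by others, which is exactly the kind of intermittent failure that is hard to diagnose later.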