How does an SSL certificate chain bundle work?


Question



I've created a chain hierarchy like this.

root-ca ==> signing-ca ==> subordinate-ca ==> server

It is mentioned that to create a chain bundle, the lowest should go first.

$ cat server.crt subordinate-ca.crt signing-ca.crt > server.pem

But verification fails.

$ openssl verify -CAfile root-ca.crt server.pem
error 20 at 0 depth lookup:unable to get local issuer certificate

However, if I change the order it seems to work.

$ cat signing-ca.crt subordinate-ca.crt server.crt > server.pem
$ openssl verify -CAfile root-ca.crt server.pem
server.pem: OK

So what would be the error here?

The chain after "cat" looks like below.

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

More info: According to "http://www.herongyang.com/crypto/openssl_verify_2.html", I perform the following test which works.

$ cat signing-ca.crt subordinate-ca.crt > inter.crt
$ openssl verify -CAfile root-ca.crt -untrusted inter.crt server.crt
server.crt: OK

Does that mean all the links are good?

OK, I finally discover that this cannot be done through OpenSSL command line (or at least easily). http://openssl.6102.n7.nabble.com/check-certificate-chain-in-a-pem-file-td43871.html

Answer

Edit: I had asserted false things about the correct order of the certs; the OP's original order is in fact backwards. Certs should be followed by the issuing cert until the last cert is issued by a known root. See SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch for troubleshooting techniques.

But I still don't know why they wrote the spec so that the order matters.
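As an added example (not code from the question or the answer): a small Python checker that applies the answer's rule to a PEM bundle, confirming that each certificate is followed by the certificate that issued it. It parses only enough DER to read the issuer and subject Names (no signature checking; it assumes the RFC 5280 TBSCertificate field order) and builds constructed stand-in "certificates" for the question's root-ca / signing-ca / subordinate-ca / server hierarchy, which are not real signed certificates.

```python
import base64
import re

def _tlv(buf, pos):
    """Read one DER TLV at pos -> (tag, value bytes, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long-form length: next (ln & 0x7F) bytes hold it
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _der(tag, body):
    """Encode one short-form DER TLV (for the constructed stand-ins only; bodies < 128 bytes)."""
    return bytes([tag, len(body)]) + body

def names(der):
    """Return (issuer, subject) as raw DER Name bytes from an X.509 certificate."""
    _, cert, _ = _tlv(der, 0)           # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)           # tbsCertificate
    tag, _, pos = _tlv(tbs, 0)          # optional [0] EXPLICIT version (absent in v1 certs)
    pos = pos if tag == 0xA0 else 0
    _, _, pos = _tlv(tbs, pos)          # serialNumber
    _, _, pos = _tlv(tbs, pos)          # signature AlgorithmIdentifier
    _, issuer, pos = _tlv(tbs, pos)     # issuer Name
    _, _, pos = _tlv(tbs, pos)          # validity
    _, subject, _ = _tlv(tbs, pos)      # subject Name
    return issuer, subject

PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def check_bundle(pem_text):
    """Indices i where cert i is NOT followed by its issuer; [] means the order is right."""
    certs = [names(base64.b64decode("".join(m.group(1).split()))) for m in PEM.finditer(pem_text)]
    return [i for i in range(len(certs) - 1) if certs[i][0] != certs[i + 1][1]]

def stub_cert_pem(subject, issuer):
    """Constructed stand-in, not a real signed certificate: a DER shell with the
    TBSCertificate field order of RFC 5280 so the walker above can read both Names."""
    name = lambda s: _der(0x30, _der(0x0C, s.encode()))
    tbs = _der(0x30, b"\xa0\x03\x02\x01\x02" + _der(0x02, b"\x01") + _der(0x30, b"")
               + name(issuer) + _der(0x30, b"") + name(subject))
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()

# The question's hierarchy (constructed): each name maps to the CA that issued it.
ISSUER_OF = {"server": "subordinate-ca", "subordinate-ca": "signing-ca", "signing-ca": "root-ca"}

def bundle(order):
    """Concatenate the stand-in certs in the given order, like `cat ... > server.pem` in the question."""
    return "".join(stub_cert_pem(n, ISSUER_OF[n]) for n in order)
```

`check_bundle(bundle(["server", "subordinate-ca", "signing-ca"]))` returns `[]`, while the reversed order from the question returns `[0, 1]` because neither the first nor the second certificate is followed by its issuer.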
