OpenSSL: unable to get local issuer certificate


Problem description

I have a certificate C.pfx that was given to me to work with OpenSSL. The certificate C.pfx has the following Certification path: C->B->A

I converted C.pfx to PEM using the following command:

openssl pkcs12 -in C.pfx -out C.pem -nodes -- WORKS OK

I opened the certificate C.pem in the file editor and see that it has both RSA PRIVATE KEY and CERTIFICATE parts.

I also see both A and B certificates installed under Trusted Root Certification Authorities store in Windows XP.

The goal is to sign, encrypt, decrypt and verify a test file using OpenSSL for Windows version 1.0.1c (it's currently the latest version)

I use the following commands:

--TO SIGN--

openssl smime -sign -signer C.pem -in test.txt -out test.tmp    -- WORKS OK

--TO ENCRYPT--

openssl smime -encrypt -in test.tmp -out test.enc C.pem     -- WORKS OK

--TO DECRYPT--

openssl smime -decrypt -in test.enc -recip C.pem -inkey C.pem -out test1.tmp    -- WORKS OK

--TO VERIFY--

openssl smime -verify -in test1.tmp -CAfile "C.pem" -out notes1.txt -- FAILS

I used MMC console to export B and A certificates to CER files and then converted them to PEM using OpenSSL. After that I tried the following 2:

openssl smime -verify -in test1.tmp -CAfile "A.pem" -out notes1.txt -- FAILS

openssl smime -verify -in test1.tmp -CAfile "B.pem" -out notes1.txt -- FAILS

All 3 attempts to VERIFY failed with the following error:

Verification failure
3672:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:.\crypto\pkcs7\pk7_smime.c:342:Verify error:unable to get local issuer certificate

What am I doing wrong?

Recommended answer

When you use openssl smime verify, openssl attempts to verify that the certificate it is to use is trusted by checking its signature (that's the signature in the certificate, not the signature in the signed message that you asked to verify). To do that it has to have a copy of the certificate for the key of the CA that issued the certificate.

The -CAfile parameter is used to pass the name of the file containing that CA certificate, NOT the certificate of the key used to sign the message. You would specify the certificate of the key used to sign the message with a -certfile parameter ... but in your case the certificate will be in the test.tmp file (you can suppress that by specifying -nocerts when you sign the message).

To suppress the checking of the key certificate when verifying a message you can supply the -noverify parameter to the verify command (though openssl smime verify -noverify does look a bit weird).
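
Added example (not part of the original question or answer): a POSIX shell script that builds a constructed chain A -> B -> C, signs a message as C, and verifies it with each candidate -CAfile. It goes slightly beyond the answer by showing that, because the signed message carries only C's certificate, -CAfile has to contain both B and A; the file names, subject names and demo.cnf config are assumptions.

```bash
#!/bin/sh
# Added example with constructed data: a throwaway chain A (root) -> B (intermediate)
# -> C (signer), mirroring the C->B->A path in the question. All names are placeholders.
WORK=$(mktemp -d)
export OPENSSL_CONF="$WORK/demo.cnf"

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > "$OPENSSL_CONF" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
keyUsage = critical,digitalSignature
extendedKeyUsage = emailProtection
EOF

# issue <name> <CN> <ext-section> <issuer>: new key plus a certificate signed by <issuer>.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$1.csr" -days 2 -extfile "$OPENSSL_CONF" -extensions "$3" \
    -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" -CAcreateserial -out "$WORK/$1.pem" 2>/dev/null
}

build_demo() {
  # Root A is self-signed; B is issued by A; C (the signer) is issued by B.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root A" \
    -extensions ca -keyout "$WORK/A.key" -out "$WORK/A.pem" 2>/dev/null &&
  issue B "Demo Intermediate B" ca A &&
  issue C "Demo Signer C" leaf B &&
  cat "$WORK/A.pem" "$WORK/B.pem" > "$WORK/chain.pem" &&  # every CA above the signer
  printf 'test message\n' > "$WORK/test.txt" &&
  openssl smime -sign -signer "$WORK/C.pem" -inkey "$WORK/C.key" \
    -in "$WORK/test.txt" -out "$WORK/test.tmp" 2>/dev/null
}

# verify_with <file>: exit status 0 only if the signer's chain validates against <file>.
verify_with() {
  openssl smime -verify -in "$WORK/test.tmp" -CAfile "$WORK/$1" -out /dev/null 2>/dev/null
}

build_demo || { echo "setup failed" >&2; exit 1; }
for ca in C.pem B.pem A.pem chain.pem; do
  if verify_with "$ca"; then echo "-CAfile $ca: verification successful"
  else echo "-CAfile $ca: verification failure"; fi
done
```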
