有没有办法检查SSL数字证书是否有效而无需在Web服务器上安装? [英] Is there a way to check if the SSL digital certificate is valid without installing on the web server?
问题描述
是否有任何工具或机制可以帮助验证CA颁发的SSL证书,然后再将其安装到目标Web服务器上?
Are there any tools or mechanism(s) which can help validate a CA issued SSL certificate before installing it on the target web server?
推荐答案
是的,您可以使用openssl使用s_server命令为证书创建测试服务器。这将创建一个最小的SSL / TLS服务器,响应端口8080上的HTTP请求:
Yes, you can use openssl to create a test server for your certificate with the s_server command. This creates a minimal SSL/TLS server that responds to HTTP requests on port 8080:
openssl s_server -accept 8080 -www -cert yourcert.pem -key yourcert.key -CAfile chain.pem
yourcert.pem是X.509 certificate,yourcert.key是您的私钥,chain.pem包含证书和根证书之间的信任链。您的CA应该已经为您提供了yourcert.pem和chain.pem。
yourcert.pem is the X.509 certificate, yourcert.key is your private key and chain.pem contains the chain of trust between your certificate and a root certificate. Your CA should have given you yourcert.pem and chain.pem.
然后使用openssl的s_client建立连接:
Then use openssl's s_client to make a connection:
openssl s_client -connect localhost:8080 -showcerts -CAfile rootca.pem
或在Linux上:
openssl s_client -connect localhost:8080 -showcerts -CApath /etc/ssl/certs
警告:该命令不验证主机名是否与CN(公用名)或SAN匹配您的证书的(subjectAltName)。 OpenSSL还没有该任务的例程。它将在OpenSSL 1.1中添加。
Caution: That command doesn't verify that the host name matches the CN (common name) or SAN (subjectAltName) of your certificate. OpenSSL doesn't have a routine for the task yet. It's going to be added in OpenSSL 1.1.
这篇关于有没有办法检查SSL数字证书是否有效而无需在Web服务器上安装?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!