有没有办法检查SSL数字证书是否有效而无需在Web服务器上安装？ [英] Is there a way to check if the SSL digital certificate is valid without installing on the web server?

问题描述

是否有任何工具或机制可以帮助验证CA颁发的SSL证书，然后再将其安装到目标Web服务器上？

Are there any tools or mechanism(s) which can help validate a CA issued SSL certificate before installing it on the target web server?

推荐答案

是的，您可以使用openssl使用s_server命令为证书创建测试服务器。这将创建一个最小的SSL / TLS服务器，响应端口8080上的HTTP请求：

Yes, you can use openssl to create a test server for your certificate with the s_server command. This creates a minimal SSL/TLS server that responds to HTTP requests on port 8080:

openssl s_server -accept 8080 -www -cert yourcert.pem -key yourcert.key -CAfile chain.pem

yourcert.pem是X.509 certificate，yourcert.key是您的私钥，chain.pem包含证书和根证书之间的信任链。您的CA应该已经为您提供了yourcert.pem和chain.pem。

yourcert.pem is the X.509 certificate, yourcert.key is your private key and chain.pem contains the chain of trust between your certificate and a root certificate. Your CA should have given you yourcert.pem and chain.pem.

然后使用openssl的s_client建立连接：

Then use openssl's s_client to make a connection:

openssl s_client -connect localhost:8080 -showcerts -CAfile rootca.pem

或在Linux上：

openssl s_client -connect localhost:8080 -showcerts -CApath /etc/ssl/certs

警告：该命令不验证主机名是否与CN（公用名）或SAN匹配您的证书的（subjectAltName）。 OpenSSL还没有该任务的例程。它将在OpenSSL 1.1中添加。

Caution: That command doesn't verify that the host name matches the CN (common name) or SAN (subjectAltName) of your certificate. OpenSSL doesn't have a routine for the task yet. It's going to be added in OpenSSL 1.1.

这篇关于有没有办法检查SSL数字证书是否有效而无需在Web服务器上安装？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！