如何将CA证书捆绑包拆分为单独的文件? [英] How can I split a CA certificate bundle into separate files?
问题描述
我正在使用OpenSSL,并且需要健全的默认CA列表.我正在使用Mozilla的受信任CA列表,如由cURL捆绑在一起.但是,我需要拆分这组CA证书,因为 OpenSSL文档说:
I'm working with OpenSSL and need a sane default list of CAs. I'm using Mozilla's list of trusted CAs, as bundled by cURL. However, I need to split this bundle of CA certs, because the OpenSSL documentation says:
如果CApath不为NULL,则它指向包含PEM格式的CA证书的目录.每个文件包含一个CA证书.通过CA使用者名称哈希值查找文件,因此必须可用.
If CApath is not NULL, it points to a directory containing CA certificates in PEM format. The files each contain one CA certificate. The files are looked up by the CA subject name hash value, which must hence be available.
例如,直接使用ca-bundle.crt文件可以正常工作:
For example, using the ca-bundle.crt file directly works fine:
openssl-1.0.1g> ./apps/openssl s_client -connect www.google.com:443 -CAfile /home/user/certs/ca-bundle.crt
...
Verify return code: 0 (ok)
---
DONE
但是指定包含ca-bundle.crt文件的目录不起作用:
But specifying the directory containing the ca-bundle.crt file does not work:
openssl-1.0.1g> ./apps/openssl s_client -connect www.google.com:443 -CApath /opt/aspera/certs
Verify return code: 20 (unable to get local issuer certificate)
---
DONE
我认为这是因为我的文件夹不符合文档的要求(即,目录包含PEM格式的CA证书,每个文件包含一个证书,由哈希值命名).我的目录只有一捆证书.
I presume this is because my folder doesn't adhere to what the documentation asks for (namely, a directory containing CA certs in PEM format, with each file containing one cert, named by hash value). My directory just has the single bundle of certs.
如何将我的证书捆绑在一起以遵守OpenSSL的要求,即每个证书都位于单独的文件中?如果也可以进行哈希处理,则可以得到一些好处(不过如果需要的话,如果所有证书都在单独的文件中,我可以自己编写一个脚本来执行此操作).
How can I split my bundle of certs to adhere to OpenSSL's request that each cert be in an individual file? Bonus points if the hashing can be done too (though if needed I could write a script to do that myself if all the certs are in individual files).
推荐答案
您可以在适当的目录中使用awk拆分捆绑包,如下所示:
You can split the bundle with awk, like this, in an appropriate directory:
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert." c ".pem"}' < ca-bundle.pem
然后,通过运行OpenSSL随附的c_rehash实用程序来创建OpenSSL所需的链接:
Then, create the links OpenSSL wants by running the c_rehash utility that comes with OpenSSL:
c_rehash .
注意:在非linux平台上使用'gawk'-如上所述,它依赖于GNU特定功能.
这篇关于如何将CA证书捆绑包拆分为单独的文件?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
