SSL handshake fails with - a verisign chain certificate - that contains two CA signed certificates and one self-signed certificate


Question


I am stuck with an issue and trying to debug it. We purchased a Verisign certificate. When we use:

openssl> s_client -connect myweb.com:443 -showcerts


SSL Handshake never completes and at the end we see the error:

Verify return code: 19 (self signed certificate in certificate chain)


It shows 3 ---BEGIN/END CERTIFICATE--- tags. Two certificates in the chain are Verisign signed but one is self signed.


  1. If someone can please explain how this self-signed certificate shows up in a CA signed certificate?


Is this error 19 (self signed certificate in certificate chain) benign? If not, what could be causing it?


Client has the CA certificate in trusted store but there is nothing for the self-signed certificate. Do you think that could be causing a problem? If yes, how do I:

  1. Remove the self-signed certificate from the chain certificate, leaving only the 2 CA-signed certificates in the chain?
  2. Add this self-signed certificate to the client's trusted store?

Answer


Root certificates issued by CAs are just self-signed certificates (which may in turn be used to issue intermediate CA certificates). There is not much special about them, except that they've managed to be imported by default in many browsers or OS trust anchors.


While browsers and some tools are configured to look for the trusted CA certificates (some of which may be self-signed) in a location by default, as far as I'm aware the openssl command isn't.


As such, any server that presents the full chain of certificates, from its end-entity certificate (the server's certificate) to the root CA certificate (possibly with intermediate CA certificates), will have a self-signed certificate in the chain: the root CA.


openssl s_client -connect myweb.com:443 -showcerts doesn't have any particular reason to trust Verisign's root CA certificate, and because it's self-signed you'll get "self signed certificate in certificate chain".


If your system has a location with a bundle of certificates trusted by default (I think /etc/pki/tls/certs on RedHat/Fedora and /etc/ssl/certs on Ubuntu/Debian), you can configure OpenSSL to use them as trust anchors, for example like this:

openssl s_client -connect myweb.com:443 -showcerts -CApath /etc/ssl/certs
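To make the answer concrete, here is an added shell example (not part of the original question or answer) that builds a throwaway three-tier PKI with the openssl CLI and then runs openssl verify against it three ways: with the root in the chain but no trust anchor (the situation the poster sees), with the root stripped from the chain, and with the root configured as a trust anchor. It assumes an OpenSSL 1.1.1 or 3.x command-line tool on PATH; the CA names, the myweb.com hostname and the scratch directory are constructed for the example and no network access is needed.

```sh
#!/bin/sh
# Added example (not from the original Q&A): reproduce "error 19" offline with a
# constructed PKI. Assumes the openssl CLI (1.1.1 or 3.x) is available on PATH.
set -eu

WORK="$(mktemp -d)"            # scratch directory for the constructed PKI
trap 'rm -rf "$WORK"' EXIT

# Build the same shape of chain as in the question:
#   self-signed root CA -> intermediate CA -> end-entity certificate for myweb.com
build_pki() {
    cd "$WORK"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:myweb.com\n' > leaf.ext

    # Root CA: signed with its own key, i.e. self-signed. This is the third
    # BEGIN/END CERTIFICATE block the poster saw in the -showcerts output.
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Example Root CA" 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 \
        -extfile ca.ext 2>/dev/null

    # Intermediate CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
        -subj "/CN=Example Intermediate CA" 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -out inter.pem -days 30 -extfile ca.ext 2>/dev/null

    # End-entity (server) certificate, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=myweb.com" 2>/dev/null
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -out leaf.pem -days 30 -extfile leaf.ext 2>/dev/null

    # What the server in the question sends: three certificates, root included.
    cat leaf.pem inter.pem root.pem > chain_with_root.pem
    # The same chain with the self-signed root removed (the poster's option 1).
    cat leaf.pem inter.pem > chain_no_root.pem
}

# Run "openssl verify" with the given options from the scratch directory and reduce
# the outcome to one token: "OK" on success, otherwise the numeric X.509 verify
# error code printed in the "error N at D depth lookup: ..." line (19, 20, ...).
verify_result() {
    out="$(cd "$WORK" && openssl verify "$@" 2>&1 || true)"
    case "$out" in
        *": OK"*) echo OK ;;
        *) printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
    esac
}

build_pki

# 1. Root present in the chain, nothing trusted: error 19, exactly as in the question.
printf 'no trust anchor, root sent in chain:       %s\n' \
    "$(verify_result -no-CAfile -no-CApath -untrusted chain_with_root.pem leaf.pem)"
# 2. Root stripped from the chain, still nothing trusted: error 20
#    ("unable to get local issuer certificate") - removing the root is not a fix.
printf 'no trust anchor, root stripped from chain: %s\n' \
    "$(verify_result -no-CAfile -no-CApath -untrusted chain_no_root.pem leaf.pem)"
# 3. Root installed as a trust anchor (-CAfile here; -CApath with a hashed
#    directory, as in the answer, is equivalent): verification succeeds.
printf 'root.pem as trust anchor (-CAfile):        %s\n' \
    "$(verify_result -CAfile root.pem -no-CApath -untrusted chain_no_root.pem leaf.pem)"
```

Run it as a plain script; the three lines it prints are 19, 20 and OK. The middle run is the point for the poster's first option: dropping the root from what the server sends is harmless and common (clients are expected to hold roots in their own store), but it does not make an untrusted chain verify, it only turns error 19 into error 20. The fix is on the client side, as the answer says: point OpenSSL at a trust store that contains the root, with -CAfile for a single bundle or -CApath for a hashed directory such as /etc/ssl/certs.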
