openSSL certificate-verification on Linux


Question

JKJS

I have this chain of certificates: rcert.pem (self-signed) --> scert.pem --> ccert.pem

All three certificates are generated by me. No internet connection is used anywhere. This is entirely offline work. Now, below are some commands and their output:

hari@harikrishna:~/hari$ openssl verify rcert.pem
rcert.pem: C = IN, ST = OM, L = OM, O = HARI, OU = HARI, CN = OM, emailAddress = OM
error 18 at 0 depth lookup:self signed certificate
OK
hari@harikrishna:~/hari$ openssl verify -CAfile rcert.pem scert.pem
scert.pem: OK
hari@harikrishna:~/hari$ openssl verify -CAfile rcert.pem rcert.pem
rcert.pem: OK
hari@harikrishna:~/hari$ openssl verify -CAfile rcert.pem -untrusted scert.pem ccert.pem
ccert.pem: C = IN, ST = HARI, L = HARI, O = HARI, OU = HARI, CN = HARI, emailAddress = HARI
error 24 at 1 depth lookup:invalid CA certificate
OK

Why is error 24 created? How do I remove it? Is it something like trusted or untrusted?

Thanks.

Answer

JKJS

Answer to my own question:

1) Created the root CA certificate with these commands:

openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem

openssl x509 -req -in rootreq.pem -sha1 -signkey rootkey.pem -out rootcert.pem

2) Installed the CA certificate as a trusted certificate with the following commands:

sudo mkdir /usr/share/ca-certificates/extra

sudo cp rootcert.pem /usr/share/ca-certificates/extra/rootcert.crt

sudo dpkg-reconfigure ca-certificates

sudo update-ca-certificates

3) Created the intermediate certificate, signed by the root CA, with the following commands:

openssl req -newkey rsa:1024 -sha1 -keyout skey.pem -out sreq.pem

sudo openssl x509 -req -in sreq.pem -sha1 -CA /etc/ssl/certs/rootcert.pem -CAkey rootkey.pem -CAcreateserial -out scert.pem

4) Created the client certificate, signed by the intermediate CA, with the following commands:

openssl req -newkey rsa:1024 -sha1 -keyout ckey.pem -out creq.pem

openssl x509 -req -in creq.pem -sha1 -CA scert.pem -CAkey skey.pem -CAcreateserial -out ccert.pem

Now the chain of trust is working fine:

1) Verify the root CA

openssl verify rootcert.pem 
rootcert.pem: OK

2) Verify the intermediate CA

openssl verify scert.pem 
scert.pem: OK

3) Verify the client certificate

openssl verify -CAfile scert.pem ccert.pem
ccert.pem: OK
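Error 24 is X509_V_ERR_INVALID_CA ("invalid CA certificate"). OpenSSL raises it when the certificate at the reported depth (depth 1 here, i.e. scert.pem) fails its CA check: it is not marked basicConstraints CA:TRUE, or it carries a keyUsage without keyCertSign. `openssl x509 -req` writes no extensions at all unless it is given `-extfile`, so an intermediate produced the way the answer shows has no CA marking. Two further points a practitioner should keep in mind: the trailing "OK" in the question's output comes from the old verify tool continuing past the error, whereas current OpenSSL (1.1.1 and 3.x) prints "verification failed" and exits non-zero; and the answer's final check passes the intermediate via `-CAfile`, which trusts it directly and never exercises the root-to-intermediate link. The script below is an added example, not code from the question or the answer: it builds a root -> intermediate -> leaf chain whose intermediate does carry CA:TRUE, then two more chains with a CA:FALSE intermediate and an extension-less intermediate, and runs the full-chain form from the question (`-CAfile root -untrusted intermediate leaf`) against each. The certificate names, subjects, the inline config file and the temporary directory are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original question or answer): build a root -> intermediate
# -> leaf chain whose intermediate carries basicConstraints CA:TRUE, then compare the full
# "openssl verify" chain check against two broken intermediates that trigger error 24.
# Names, subjects and the working directory are this example's own choices.
set -euo pipefail

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal self-contained config so the example does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_not_ca ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
EOF

gen_key() {  # gen_key <name>: 2048-bit RSA key without a passphrase
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$1.key" 2>/dev/null
}

make_root() {  # self-signed root marked CA:TRUE with keyCertSign
  gen_key root
  openssl req -x509 -new -key "$WORK/root.key" -subj "/CN=Example Test Root" -days 365 \
    -config "$WORK/openssl.cnf" -extensions v3_ca -out "$WORK/root.pem" 2>/dev/null
}

issue() {  # issue <name> <issuer> <extension section | none>
  local name=$1 issuer=$2 ext=$3
  gen_key "$name"
  openssl req -new -key "$WORK/$name.key" -subj "/CN=$name" \
    -config "$WORK/openssl.cnf" -out "$WORK/$name.csr" 2>/dev/null
  if [ "$ext" = none ]; then
    # No -extfile, exactly like the commands in the answer: the certificate gets no
    # CA-related extensions at all (older OpenSSL writes an X.509v1 certificate here).
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" \
      -CAcreateserial -days 365 -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" \
      -CAcreateserial -days 365 -extfile "$WORK/openssl.cnf" -extensions "$ext" \
      -out "$WORK/$name.pem" 2>/dev/null
  fi
}

is_ca() {  # is_ca <name>: succeeds iff the certificate carries basicConstraints CA:TRUE
  openssl x509 -in "$WORK/$1.pem" -noout -text | grep 'CA:TRUE' >/dev/null
}

verify_chain() {  # verify_chain <root> <intermediate> <leaf>: prints OpenSSL's verdict
  # Only the root is a trust anchor; the intermediate is supplied as untrusted and so
  # must pass OpenSSL's CA check itself. This is the form used in the question.
  openssl verify -CAfile "$WORK/$1.pem" -untrusted "$WORK/$2.pem" "$WORK/$3.pem" 2>&1 || true
}

make_root
issue good_ca   root    v3_ca      # proper intermediate
issue good_leaf good_ca v3_leaf
issue bad_ca    root    v3_not_ca  # explicitly CA:FALSE
issue bad_leaf  bad_ca  v3_leaf
issue bare_ca   root    none       # no extensions, as in the answer's commands
issue bare_leaf bare_ca v3_leaf

for chain in "good_ca good_leaf" "bad_ca bad_leaf" "bare_ca bare_leaf"; do
  set -- $chain
  printf '%s: ' "$1"; is_ca "$1" && echo "CA:TRUE" || echo "not marked as a CA"
  verify_chain root "$1" "$2"
done
```

Only the first chain reports `OK`; the other two report `error 24 at 1 depth lookup: invalid CA certificate` followed by `verification failed`, which is the same failure the question shows. The fix on the issuing side is therefore to sign the intermediate with an extension section that sets `basicConstraints = CA:TRUE` (and `keyUsage = keyCertSign`), as `v3_ca` does above, rather than to change how the chain is passed to `openssl verify`.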

