How to get the Root CA Certificate Fingerprint using openssl


Question

By using the following command, I can verify the SHA1 fingerprint of the presented certificate:

$ openssl s_client -connect hooks.slack.com:443 -showcerts < /dev/null 2>/dev/null   | openssl x509 -in /dev/stdin -sha1 -noout -fingerprint
SHA1 Fingerprint=AB:F0:5B:A9:1A:E0:AE:5F:CE:32:2E:7C:66:67:49:EC:DD:6D:6A:38

But what if I want to get the fingerprint of the Top Level Signing Authority?

$ openssl s_client -connect hooks.slack.com:443 < /dev/null 2>/dev/null
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Slack Technologies, Inc/CN=*.slack.com
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA <- **I WANT THIS SHA1**

This is for the case where I want to verify this against a Java keystore, to check definitively whether it contains the same CA:

geotrustglobalca, 18-Jul-2003, trustedCertEntry,
Certificate fingerprint (SHA1): DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12

Since "geotrustglobalca" and "/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA" aren't really comparable.

Answer

I'm not sure this directly answers your question, but if the server presents the root certificate as part of the chain (this is optional, so it may not), you can use the -showcerts option to show all of them.

I put this together previously (which hopefully someone can improve upon) in order to get the thumbprint for each of the certificates. You can play with the arguments to openssl x509 at the end to get different information if you need.

echo "" | openssl s_client -showcerts -connect eistest.mtsu.edu:443 2>&1 |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p;/-END CERTIFICATE-/a\\x0' |\
sed -e '$ d' |\
xargs -0rl -I% sh -c "echo '%' | openssl x509 -subject -issuer -fingerprint -noout"

Echoing a null string to openssl s_client keeps it from waiting for the connection to time out. The first sed will output only the PEM formatted certificates, separated by a NUL character.
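The following is an added example, not code from the question or the answer above. It covers both of them: the question's fingerprinting of a single certificate, and the answer's splitting of a `-showcerts` bundle into one certificate per file. Because the root is usually not in what the server sends (the answer's caveat), it also shows where the root fingerprint actually comes from: the last presented certificate's issuer is looked up by subject in a local trust store, the chain is verified against that anchor, and the anchor is fingerprinted. The chain here is constructed on the fly with openssl so the script runs offline; the hostnames, names and the `ca_ext`/`leaf_ext` config sections are assumptions of this example, not anything from the original page. It assumes openssl, awk and mktemp on PATH.

```shell
#!/bin/sh
# Added example (not from the original question or answer). Builds a
# constructed root -> intermediate -> leaf chain, splits a PEM bundle the way
# "openssl s_client -showcerts" prints it, fingerprints each certificate and
# then finds the root, which the server normally does NOT send, in a local
# trust store. Assumes openssl, awk and mktemp are on PATH.
set -eu
WORK=$(mktemp -d)

# Private openssl config so the example does not depend on the system
# openssl.cnf; the section names ca_ext/leaf_ext are our own.
cat > "$WORK/cfg" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF

# SHA-1 fingerprint in the AA:BB:... form that keytool -list also prints.
fingerprint() { openssl x509 -in "$1" -noout -sha1 -fingerprint | sed 's/^.*=//'; }
subject_of()  { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
issuer_of()   { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

# Split a PEM bundle into $2-0.pem, $2-1.pem, ... in presentation order and
# print the count. Lines outside BEGIN/END (CONNECTED, the s:/i: summary) drop.
split_chain() {
    rm -f "$2"-*.pem
    awk -v prefix="$2" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s-%d.pem", prefix, n); n++ }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
    ls "$2"-*.pem | wc -l | tr -d ' '
}

# Constructed chain. presented.pem mimics what s_client -showcerts returns:
# leaf first, then the intermediate, and no root certificate.
make_chain() {
    openssl req -config "$WORK/cfg" -x509 -newkey rsa:2048 -nodes -days 1 \
        -extensions ca_ext -subj "/O=Example/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    openssl req -config "$WORK/cfg" -newkey rsa:2048 -nodes \
        -subj "/O=Example/CN=Example Intermediate CA" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -days 1 \
        -extfile "$WORK/cfg" -extensions ca_ext -out "$WORK/inter.pem" 2>/dev/null
    openssl req -config "$WORK/cfg" -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" \
        -CAkey "$WORK/inter.key" -CAcreateserial -days 1 \
        -extfile "$WORK/cfg" -extensions leaf_ext -out "$WORK/leaf.pem" 2>/dev/null
    cat "$WORK/leaf.pem" "$WORK/inter.pem" > "$WORK/presented.pem"
}

# Fingerprint of the trust anchor for a presented bundle ($1): take the LAST
# certificate the server sent, pick the store file ($2...) whose subject is
# its issuer, verify the chain against that anchor, print its fingerprint.
root_fingerprint() {
    bundle=$1; shift
    n=$(split_chain "$bundle" "$WORK/rf")
    want=$(issuer_of "$WORK/rf-$((n - 1)).pem")
    for anchor in "$@"; do
        [ "$(subject_of "$anchor")" = "$want" ] || continue
        # A matching name is not proof; the signatures must check out too.
        openssl verify -CAfile "$anchor" -untrusted "$bundle" "$WORK/rf-0.pem" >/dev/null
        fingerprint "$anchor"
        return 0
    done
    echo "no trust anchor with subject: $want" >&2
    return 1
}

make_chain
echo "Certificates presented by the (constructed) server:"
split_chain "$WORK/presented.pem" "$WORK/shown" >/dev/null
for c in "$WORK"/shown-*.pem; do
    printf ' s: %s\n i: %s\n    %s\n' "$(subject_of "$c")" "$(issuer_of "$c")" "$(fingerprint "$c")"
done
echo "Root CA, taken from the local trust store rather than from the server:"
root_fingerprint "$WORK/presented.pem" "$WORK/inter.pem" "$WORK/root.pem"
```

For a real host, replace the constructed `presented.pem` with the output of `openssl s_client -showcerts -connect host:443 < /dev/null` and pass your trust anchors (a CA bundle split into files, or the PEM export of a keystore entry) to `root_fingerprint`. To compare against a Java keystore, `keytool -printcert -file root.pem` prints the same colon-separated SHA1 fingerprint as `keytool -list`, so the two values can be compared directly, which is what the alias and the X.500 name in the question could not give you.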
