针对其根 CA 验证 CRL 签名 [英] Verify CRL signature against its root CA
问题描述
我目前正在尝试验证我从 URL 下载的 CRL 是否是由相应证书颁发机构签名的有效文件.
I'm currently trying to verify that the CRL I download from a URL is a valid file, signed by the corresponding Certificate Authority.
使用 OpenSSL,您可以执行以下操作:
With OpenSSL, you can do this as follows :
https://www.openssl.org/docs/manmaster/apps/crl.html
CertEurope 颁发的 CRL 示例:
Example with the CRL issued from CertEurope :
openssl crl -in certeurope_v3.crl -inform der -CAfile certeurope_advanced_v3.cer
(CRL 文件和 CA 文件从这个 URL 下载:https://www.certeurope.fr/chaine-de-confiance )
(The CRL file and the CA file are downloaded from this URL : https://www.certeurope.fr/chaine-de-confiance )
- CA 文件:https://www.certeurope.fr/reference/certeurope_advanced_v3.cer
- CRL 文件:https://www.certeurope.fr/reference/certeurope_v3.crl
不幸的是,OpenSSL 在该命令行中出现错误:
Unfortunately, OpenSSL gets an error with that commmand line saying :
获取 CRL 颁发者证书时出错"
"Error getting CRL issuer certificate"
关于此链接:https://www.openssl.org/docs/manmaster/apps/verify.html原因似乎是这样的:
Regarding this link : https://www.openssl.org/docs/manmaster/apps/verify.html The reason seems to be this :
20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:无法获取本地颁发者证书 找不到颁发者证书:这个如果不受信任的证书的颁发者证书不能被找到了.
20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found.
这是不是因为 CA 文件不是用于签署 CRL 文件的文件?还有其他方法可以验证我下载的 CRL 文件是否有效吗?
Is this because the CA file is not the one used to sign the CRL file ? Is there another way to verify that the CRL file I download is valid ?
推荐答案
dave_thompson_085 的回答解决了我的问题.您需要 PEM 证书来检查 CRL 有效性.再次感谢.
dave_thompson_085 's answer fixed my problem. You need a PEM certificate to check CRL validity. Thanks again.
这篇关于针对其根 CA 验证 CRL 签名的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
