Verify x509 certificate with openssl to be valid and signed by trusted CAs


Problem description

In a shell script I want to verify a x509 certificate with openssl to be sure that it is valid and signed by one of my root CAs. I tried this:

openssl verify -CAfile /path/to/CAfile mycert.pem

It works but for a self signed certificate I get the output:

error 18 at 0 depth lookup:self signed certificate
OK

The error is shown but it ends with OK and the status code is 0 so I don't get an error in my script.

I could parse the output but that's not a robust code for a secure production environment.

I need a command that yields an error on self signed certificates.

EDIT

% openssl version 
OpenSSL 1.0.2k-fips  26 Jan 2017
% cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.9 (Maipo)

works with openssl 1.1.1

Recommended answer

Using your code, a dummy CA and a dummy self-signed cert I cannot replicate your results. Please update your example or include the openssl version.

Last output line is error: mycert.pem: verification failed and the return code is 2 (echo $?) as opposed to the OK message with a 0 return code. I also get the error 18 self-signed message you received. I am using openssl 1.1.1i.

Error 18 is in fact, a robust error code and is documented in the openssl verify man page as the code specifically for self signed certificates.
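An added example, not code from the question or the answer above, that covers both situations described on this page: the OpenSSL 1.0.2k build where the "error 18 at 0 depth lookup" line is printed but the command still ends with "OK" and exit status 0, and the OpenSSL 1.1.1 behaviour where the same failure ends with "verification failed" and exit status 2. The wrapper fails closed on either signal, so a script does not have to trust the exit status alone. The function names `strict_verify_result` and `verify_cert` are assumptions; the paths `/path/to/CAfile` and `mycert.pem` and the sample output lines are the ones quoted on this page.

```shell
#!/bin/sh
# Added example (not from the question or the answer): a strict wrapper
# around "openssl verify" for use in a shell script.
#
# Accept a certificate only when BOTH hold:
#   1. the exit status of "openssl verify" is 0, and
#   2. the output contains no "error <code> at <depth> depth lookup:" line
#      and does contain the "OK" success marker.
# Condition 2 is what catches the OpenSSL 1.0.2 case from the question,
# where the error is printed but the command still ends with "OK" and 0.

# strict_verify_result OUTPUT STATUS
#   OUTPUT: combined stdout/stderr captured from "openssl verify"
#   STATUS: its exit status
# Returns 0 (accept) or 1 (reject). Kept separate from the openssl call so
# it can be exercised on captured output without a certificate at hand.
strict_verify_result() {
    _out=$1
    _status=$2

    # Non-zero exit status (what OpenSSL 1.1.1 gives, per the answer) rejects.
    [ "$_status" -eq 0 ] || return 1

    # Older builds report the failure only in the text. Any diagnostic of the
    # form "error N at D depth lookup:" means the chain did not validate
    # cleanly, whatever the trailing "OK" says. The pattern matches both
    # "lookup:self signed certificate" (1.0.2) and "lookup: self signed
    # certificate" (1.1.1).
    if printf '%s\n' "$_out" | grep -Eq '^error [0-9]+ at [0-9]+ depth lookup:'; then
        return 1
    fi

    # Finally require the success marker itself: "<file>: OK", or a bare
    # "OK" line as shown in the question.
    if printf '%s\n' "$_out" | grep -Eq '(^|: )OK$'; then
        return 0
    fi
    return 1
}

# verify_cert CAFILE CERT
# Runs "openssl verify" against the trusted CA bundle and applies the strict
# check. In a script:  verify_cert /path/to/CAfile mycert.pem || exit 1
verify_cert() {
    _cafile=$1
    _cert=$2
    _out=$(openssl verify -CAfile "$_cafile" "$_cert" 2>&1)
    _status=$?
    strict_verify_result "$_out" "$_status"
}

# Stand-alone use: sh strict_verify.sh /path/to/CAfile mycert.pem
if [ $# -eq 2 ]; then
    if verify_cert "$1" "$2"; then
        echo "$2: accepted"
    else
        echo "$2: rejected" >&2
        exit 1
    fi
fi
```

Keeping the output check even after moving to 1.1.1 costs nothing: on the newer build the non-zero exit status is rejected first, and on the older build the "error 18" line is what turns the misleading "OK" into a failure.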
