Verify a certificate chain using openssl verify
Problem description
I'm building my own certificate chain with the following components:
Root Certificate - Intermediate Certificate - User Certificate
Root Cert is a self-signed certificate, Intermediate Certificate is signed by Root, and User by Intermediate.
Now I want to verify whether a User Certificate has its anchor in the Root Certificate.
With
openssl verify -verbose -CAfile RootCert.pem Intermediate.pem
the validation is ok. In the next step I validate the User Cert with
openssl verify -verbose -CAfile Intermediate.pem UserCert.pem
and the validation shows
error 20 at 0 depth lookup:unable to get local issuer certificate
What's wrong?
Recommended answer
From the verify documentation:
If a certificate is found which is its own issuer it is assumed to be the root CA.
In other words, root CA needs to be self signed for verify to work. This is why your second command didn't work. Try this instead:
openssl verify -CAfile RootCert.pem -untrusted Intermediate.pem UserCert.pem
It will verify your entire chain in a single command.
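The question's command and the answer's command side by side, as an added example that is not part of the original question or answer. It goes slightly beyond the answer by also showing `-partial_chain`, the option under which a non-self-signed certificate in `-CAfile` is accepted as the anchor. Assumptions: OpenSSL 1.1.1 or later on PATH; the subject names, the `ext.cnf` file and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example: builds a throwaway Root -> Intermediate -> User chain and
# compares three verify invocations. Subjects and ext.cnf are constructed.

issue() {  # $1=output base name  $2=CN  $3=issuer base name  $4=extension section
  openssl req -config ext.cnf -new -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" &&
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -extfile ext.cnf -extensions "$4" -days 30 -out "$1.pem"
}

# $1 = empty working directory. The root is self-signed; the other two are
# issued from CSRs, so only RootCert.pem is its own issuer.
make_chain() {
  ( cd "$1" &&
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' 'CN = unused' \
      '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
      '[v3_leaf]' 'basicConstraints = CA:FALSE' > ext.cnf &&
    openssl req -config ext.cnf -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
      -keyout RootCert.key -out RootCert.pem -subj "/CN=Example Root" -days 30 &&
    issue Intermediate "Example Intermediate" RootCert v3_ca &&
    issue UserCert "Example User" Intermediate v3_leaf
  ) >/dev/null 2>&1
}

# Each returns openssl's exit status (0 = chain verified); $1 = chain directory.
verify_question() {  # intermediate as the only CA: no self-signed anchor reachable
  openssl verify -CAfile "$1/Intermediate.pem" "$1/UserCert.pem"
}
verify_answer() {    # root is the anchor, intermediate is only a chain-building hint
  openssl verify -CAfile "$1/RootCert.pem" -untrusted "$1/Intermediate.pem" \
    "$1/UserCert.pem"
}
verify_partial() {   # -partial_chain: the intermediate itself becomes the anchor
  openssl verify -partial_chain -CAfile "$1/Intermediate.pem" "$1/UserCert.pem"
}

dir=$(mktemp -d) && make_chain "$dir" || { echo "chain setup failed" >&2; exit 1; }
for check in verify_question verify_answer verify_partial; do
  if "$check" "$dir" >/dev/null 2>&1; then echo "$check: verified"
  else echo "$check: rejected"; fi
done
rm -rf "$dir"
```

`-partial_chain` changes the trust decision rather than fixing the chain: everything the intermediate signs is accepted whether or not the root is present, so it fits only when pinning to that intermediate is intended.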