Verify a certificate chain using openssl verify


Question

I'm building my own certificate chain with the following components:

Root Certificate - Intermediate Certificate - User Certificate

Root Cert is a self signed certificate, Intermediate Certificate is signed by Root and User by Intermediate.

Now I want to verify if a User Certificate has its anchor by Root Certificate.

openssl verify -verbose -CAfile RootCert.pem Intermediate.pem

The validation is OK. In the next step I validate the User Cert with

openssl verify -verbose -CAfile Intermediate.pem UserCert.pem

and the validation shows

error 20 at 0 depth lookup:unable to get local issuer certificate

What's wrong?

Recommended answer

From the verify documentation:

If a certificate is found which is its own issuer it is assumed to be the root CA.

In other words, root CA needs to be self signed for verify to work. This is why your second command didn't work. Try this instead:

openssl verify -CAfile RootCert.pem -untrusted Intermediate.pem UserCert.pem

It will verify your entire chain in a single command.
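
The scenario from the question and the answer, reproduced end to end as an added example (not part of the original post). It assumes an `openssl` 1.1.0 or later binary on the PATH; the subject names, the `demo.cnf` file and the temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example: throwaway Root -> Intermediate -> User chain (constructed
# names, temp directory) to run the question's and the answer's commands on.
build_chain() {
    dir=$1
    cat > "$dir/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    for name in Root Intermediate User; do
        openssl req -new -newkey rsa:2048 -nodes -config "$dir/demo.cnf" \
            -subj "/CN=Demo $name" -keyout "$dir/$name.key" \
            -out "$dir/$name.csr" 2>/dev/null || return 1
    done
    # Root is self-signed; Intermediate is signed by Root; both are CAs.
    openssl x509 -req -in "$dir/Root.csr" -signkey "$dir/Root.key" -days 1 \
        -extfile "$dir/demo.cnf" -extensions v3_ca \
        -out "$dir/RootCert.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/Intermediate.csr" -CA "$dir/RootCert.pem" \
        -CAkey "$dir/Root.key" -set_serial 2 -days 1 \
        -extfile "$dir/demo.cnf" -extensions v3_ca \
        -out "$dir/Intermediate.pem" 2>/dev/null || return 1
    # User is an end-entity certificate signed by Intermediate.
    openssl x509 -req -in "$dir/User.csr" -CA "$dir/Intermediate.pem" \
        -CAkey "$dir/Intermediate.key" -set_serial 3 -days 1 \
        -out "$dir/UserCert.pem" 2>/dev/null
}
# Question's second command: the non-self-signed Intermediate as only anchor.
verify_against_intermediate() {
    openssl verify -CAfile "$1/Intermediate.pem" "$1/UserCert.pem" 2>&1
}
# Answer's command: Root is the trust anchor, Intermediate is untrusted input.
verify_full_chain() {
    openssl verify -CAfile "$1/RootCert.pem" \
        -untrusted "$1/Intermediate.pem" "$1/UserCert.pem" 2>&1
}
demo_dir=$(mktemp -d)
build_chain "$demo_dir" || echo "chain build failed" >&2
verify_against_intermediate "$demo_dir" || echo "=> rejected, as in the question"
verify_full_chain "$demo_dir" && echo "=> whole chain verified"
rm -rf "$demo_dir"
```

The exact error number printed by the rejected command depends on the OpenSSL version; the non-zero exit status is the stable signal to check in scripts.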
