SSL handshake fails with a Verisign chain certificate that contains two CA-signed certificates and one self-signed certificate


Problem description

I am stuck with an issue and trying to debug it. We purchased a Verisign certificate. When we use:

openssl> s_client -connect myweb.com:443 -showcerts

The SSL handshake never completes and at the end we see the error:

Verify return code: 19 (self signed certificate in certificate chain)

It shows 3 ---BEGIN/END CERTIFICATE--- tags. Two certificates in the chain are Verisign-signed but one is self-signed.

  1. If someone can please explain how this self-signed certificate shows up in a CA-signed certificate chain?

Is this error 19 (self signed certificate in certificate chain) benign? If not, what could be causing it?

The client has the CA certificate in its trusted store but there is nothing for the self-signed certificate. Do you think that could be causing the problem? If yes, how do I:

  1. Remove the self-signed certificate from the chain certificate, leaving only the 2 CA-signed certificates in the chain?
  2. Add this self-signed certificate to the client's trusted store?

Recommended answer

Root certificates issued by CAs are just self-signed certificates (which may in turn be used to issue intermediate CA certificates). There is not much special about them, except that they've managed to be imported by default in many browsers or OS trust anchors.

While browsers and some tools are configured to look for the trusted CA certificates (some of which may be self-signed) in a default location, as far as I'm aware the openssl command isn't.

As such, any server that presents the full chain of certificates, from its end-entity certificate (the server's certificate) to the root CA certificate (possibly with intermediate CA certificates), will have a self-signed certificate in the chain: the root CA.

openssl s_client -connect myweb.com:443 -showcerts doesn't have any particular reason to trust Verisign's root CA certificate, and because it's self-signed you'll get "self signed certificate in certificate chain".

If your system has a location with a bundle of certificates trusted by default (I think /etc/pki/tls/certs on RedHat/Fedora and /etc/ssl/certs on Ubuntu/Debian), you can configure OpenSSL to use them as trust anchors, for example like this:

openssl s_client -connect myweb.com:443 -showcerts -CApath /etc/ssl/certs
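The following script is an added example, not part of the question or the answer above. It rebuilds the situation described with throwaway keys: a self-signed root, an intermediate CA signed by it, and a server certificate signed by the intermediate. It then shows that only the root has issuer equal to subject, and that openssl verify succeeds only when that root is supplied as a trust anchor, while trusting just the intermediate (the questioner's situation) is not enough. It assumes the openssl command-line tool is installed; the CA names are invented.

```shell
#!/bin/sh
# Added example (not from the original Q&A). Builds root -> intermediate ->
# server with throwaway keys, then checks which member is self-signed and
# which trust anchor makes the chain verify. Assumes the openssl CLI exists.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Print "yes" if the PEM certificate in $1 is self-signed, i.e. its issuer
# name equals its subject name (true of every root CA that appears in a chain).
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    if [ "$subj" = "$iss" ]; then echo yes; else echo no; fi
}

# Exit 0 if server cert $1 verifies with trust-anchor file $2 and untrusted
# intermediate file $3; this is the same check s_client reports as "Verify".
chain_verifies() {
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
}

build_chain() {
    cd "$WORK"
    # Root CA: signed with its own key, so it is the self-signed member.
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Example Root CA" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
    openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
        -out root.pem 2>/dev/null
    # Intermediate CA, signed by the root (a "CA signed" certificate).
    openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
        -subj "/CN=Example Intermediate CA" 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 2 -extfile ca.ext -out inter.pem 2>/dev/null
    # Server (end-entity) certificate, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
        -subj "/CN=myweb.com" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:myweb.com\n' > ee.ext
    openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 2 -extfile ee.ext -out server.pem 2>/dev/null
    cd "$OLDPWD"
}

build_chain
for c in root inter server; do
    echo "$c.pem self-signed: $(is_self_signed "$WORK/$c.pem")"
done
# Anchoring on the self-signed root succeeds; anchoring only on the intermediate does not.
chain_verifies "$WORK/server.pem" "$WORK/root.pem" "$WORK/inter.pem" && echo "root as anchor: OK"
chain_verifies "$WORK/server.pem" "$WORK/inter.pem" "$WORK/inter.pem" || echo "intermediate only: FAIL"
```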

