Unable to openssl verify SSL certificate


Question

What I want to do: Get a clean connection with openssl -connect to a remote site.

The site appears to be self-signed.

What I'm getting:

CONNECTED(00000003)
depth=0 CN = DC01.home.pri
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = DC01.home.pri
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = DC01.home.pri
verify error:num=21:unable to verify the first certificate
verify return:1
...
...
Verify return code: 21 (unable to verify the first certificate)

What I've tried:

echo -n | openssl s_client -connect DC01.home.pri:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.pem
echo -n | openssl s_client -connect DC01.home.pri:636 -CAfile ldapserver.pem

sudo cp ldapserver.pem /etc/ssl/certs/ldapserver.pem
sudo c_rehash /etc/ssl/certs/
echo -n | openssl s_client -connect dc01.home.pri:636 -CApath /etc/ssl/certs/

I've also tried

openssl verify -CAfile /etc/ssl/certs/ldapserver.pem ldapserver.pem 
openssl verify -CApath /etc/ssl/certs/ ldapserver.pem

Result

ldapserver.pem: CN = DC01.home.pri
error 20 at 0 depth lookup:unable to get local issuer certificate

I have changed the CN/hostname to guard myself. But the hostname is also added to my hosts file, in case it helps.

Censored PEM file

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            64:c7:48:64:00:00:00:00:00:d0
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=pri, DC=home, CN=home-HOMECA-CA
        Validity
            Not Before: Mar  7 22:41:45 2015 GMT
            Not After : Mar  6 22:41:45 2016 GMT
        Subject: CN=DC01.home.pri
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    <CENSORED>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.20.2: 
                . .D.o.m.a.i.n.C.o.n.t.r.o.l.l.e.r
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            S/MIME Capabilities: 
......0...`.H.e...*0...`.H.e...-0...`.H.e....0...`.H.e....0...+....0
..*.H..
            X509v3 Subject Alternative Name: 
                othername:<unsupported>, DNS:DC01.home.pri
            X509v3 Subject Key Identifier: 
                <CENSORED>
            X509v3 Authority Key Identifier: 
                keyid:<CENSORED>

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:ldap:///CN=home-HOMECA-CA,CN=HOMECA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=home,DC=pri?certificateRevocationList?base?objectClass=cRLDistributionPoint
                  URI:http://homeca.home.pri/CertEnroll/home-HOMECA-CA.crl

            Authority Information Access: 
                CA Issuers - URI:ldap:///CN=home-CA-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=home,DC=pri?cACertificate?base?objectClass=certificationAuthority

    Signature Algorithm: sha1WithRSAEncryption
         <CENSORED>

Answer

The certificate you posted is not self-signed; the issuer (DC=pri, DC=home, CN=home-HOMECA-CA) differs from the subject (CN=DC01.home.pri).

When validating the certificate, OpenSSL is unable to find a local certificate for the issuer (or the issuer of the first certificate in the chain received from the web server during the TLS handshake) with which to verify the signature(s).

You need to give openssl verify the issuer certificate (or have it in your trust store):

openssl verify -CAfile /etc/ssl/certs/<issuer-cert>.pem ldapserver.pem
