How does an SSL certificate chain bundle work?


Problem description

I've created a chain hierarchy like this.

root-ca ==> signing-ca ==> subordinate-ca ==> server

It is mentioned that to create a chain bundle, the lowest should go first.

$ cat server.crt subordinate-ca.crt signing-ca.crt > server.pem

But verification fails.

$ openssl verify -CAfile root-ca.crt server.pem
error 20 at 0 depth lookup:unable to get local issuer certificate

However, if I change the order it seems to work.

$ cat signing-ca.crt subordinate-ca.crt server.crt > server.pem
$ openssl verify -CAfile root-ca.crt server.pem
server.pem: OK

So what would be the error here?

猫"后面的链如下所示.

The chain after "cat" looks like below.

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

More info: According to "http://www.herongyang.com/crypto/openssl_verify_2.html", I performed the following test, which works.

$ cat signing-ca.crt subordinate-ca.crt > inter.crt
$ openssl verify -CAfile root-ca.crt -untrusted inter.crt server.crt
server.crt: OK

Does that mean all the links are good?

OK, I finally discovered that this cannot be done through the OpenSSL command line (or at least not easily). http://openssl.6102.n7.nabble.com/check-certificate-chain-in-a-pem-file-td43871.html

Accepted answer

The original order is in fact backwards. Certs should be followed by the issuing cert until the last cert is issued by a known root, per IETF's RFC 5246 Section 7.4.2:

This is a sequence (chain) of certificates. The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it.

See also SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch for troubleshooting techniques.

But I still don't know why they wrote the spec so that the order matters.
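The ordering rule quoted from RFC 5246 (leaf first, each following certificate certifies the one before it) can be checked mechanically by comparing each certificate's issuer with the subject of the next one. The script below is an added example, not code from the question or the answer; it assumes the `openssl` command-line tool is on PATH, and the bundle file name passed in is a placeholder.

```shell
# Added example: check that a PEM bundle is ordered leaf-first, i.e. every
# certificate's issuer is the subject of the certificate that follows it.
# Assumes the openssl CLI is installed; bundle paths are caller-supplied.

# Print the n-th certificate (1-based) of a PEM bundle; prints nothing if absent.
nth_cert() {
    awk -v n="$2" '
        /-----BEGIN CERTIFICATE-----/ { i++ }
        i == n { print }
        /-----END CERTIFICATE-----/ && i == n { exit }' "$1"
}

# Count the certificates in a bundle.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Return 0 if the bundle is leaf-first and every link matches, 1 otherwise.
# The first broken link is reported on stderr with its position.
check_chain_order() {
    bundle=$1
    n=$(cert_count "$bundle")
    [ "$n" -ge 1 ] || { echo "no certificates in $bundle" >&2; return 1; }
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(nth_cert "$bundle" "$i" | openssl x509 -noout -issuer)
        next_subject=$(nth_cert "$bundle" $((i + 1)) | openssl x509 -noout -subject)
        # Strip the "issuer=" / "subject=" prefixes, then compare the names.
        if [ "${issuer#issuer=}" != "${next_subject#subject=}" ]; then
            echo "cert $i in $bundle is not issued by cert $((i + 1))" >&2
            return 1
        fi
        i=$((i + 1))
    done
    return 0
}
```

With the question's files, `check_chain_order server.pem` succeeds for `cat server.crt subordinate-ca.crt signing-ca.crt` and reports the first mismatch for the reversed order.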
