Openssl verify with chained CA and chained Cert


Problem description

I have a certificate chain: root CA -> intermediate CA -> org CA -> client cert

When I verify the client cert with CA as root CA -> intermediate CA -> org CA, it works:

$ cat org_1_ca/ca_crt.pem intermediate_ca/ca_crt.pem root_ca/ca_crt.pem >/tmp/test123.pem
$ openssl verify -CAfile /tmp/test123.pem client/client_crt.pem
client_crt.pem: OK

But when I chained my client cert with org CA (org CA -> client Cert), and have the rest of the chain as CA (root CA -> intermediate CA), it doesn't:

$ cat intermediate_ca/ca_crt.pem root_ca/ca_crt.pem >/tmp/test12.pem
$ openssl verify -CAfile /tmp/test12.pem client/org1_client_crt.pem
client/org1_client_crt.pem: C = US, ST = CA, L = LA, O = PP, OU = TEST, CN = user
error 20 at 0 depth lookup:unable to get local issuer certificate

Is this something that is fundamentally wrong, or does openssl verify just not like that? I tried the same thing with nginx and openssl connect and there was no luck there. Any help is appreciated.

Recommended answer

The openssl commandline verify operation reads only one certificate, the first one, from the file given as operand, or from each file if more than one is given. This differs from the files specified with the -CAfile -trusted -untrusted options, which can (and typically do) contain multiple certs.

Your file client/org1_client_crt.pem presumably contains the client cert and the 'org CA' cert, in that order. Only the client cert is used, the 'org CA' cert is ignored, and as a result you do not have a valid chain to verify.

If you want to use the commandline to mimic/test the validation that a receiver (for a client cert, the server) would do, supply the leaf cert as the operand and all other transmitted (chain) certs with -untrusted, and the anchor(s) plus any 'known' intermediates in the truststore, either explicit or defaulted.

There is no openssl connect operation; I assume you mean openssl s_client with options including -connect, since that's one place it would make sense to use a client cert chain. The -cert option to s_client similarly uses only the first cert in the file. There is no option on the commandline to specify the client chain except in the most recent version, 1.1.0, and even there it isn't documented, so you have to read the help message carefully or the code, although the API/library has long supported this for code you write yourself.

Through 1.0.2, if you want to send a client cert with full chain to the server (as you should per the RFCs), assuming the server requests client authentication, which is not usual and not the default for nginx (among others), you have to use a trick: supply all the certs needed for the client chain in the truststore, in addition to the anchor(s) needed to verify the server, either using -CAfile and/or -CApath explicitly, or using (modifying if needed) the default truststore, unless your openssl is an older non-RedHat version where the default truststore didn't work in s_client s_server s_time only.

And the same is true about the server cert/chain in s_server, except that it is used almost always instead of very rarely.
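As an added example (not part of the question or the answer), the script below builds a throwaway root -> intermediate -> org -> client chain with constructed names and reproduces both invocations: the asker's form, where the operand file bundles the leaf and the org CA and only the first cert is read, and the answer's form, with the leaf as operand and the org CA passed via -untrusted. It assumes an OpenSSL 1.1.1 or later command line on PATH.

```shell
#!/bin/sh
# Added example: builds a throwaway root -> intermediate -> org -> client chain
# (constructed names, not the asker's CAs) and runs both verify forms.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"

# issue NAME ISSUER EXTFILE: new EC key + CSR for NAME, signed by ISSUER
# (self-signed when ISSUER is empty), with the extensions in EXTFILE
issue() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1" 2>/dev/null
  if [ -z "$2" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
      -extfile "$3" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
      -CAcreateserial -days 1 -extfile "$3" -out "$WORK/$1.pem" 2>/dev/null
  fi
}

build_chain() {
  issue root "" "$WORK/ca.ext"
  issue intermediate root "$WORK/ca.ext"
  issue org intermediate "$WORK/ca.ext"
  issue client org "$WORK/leaf.ext"
  # the asker's -CAfile: the part of the chain the client does not send
  cat "$WORK/intermediate.pem" "$WORK/root.pem" > "$WORK/test12.pem"
}

# The asker's failing form: leaf + org CA concatenated into the operand file.
# verify reads only the first cert of that file, so the org CA is never seen.
verify_bundled() {
  cat "$WORK/client.pem" "$WORK/org.pem" > "$WORK/org1_client_crt.pem"
  openssl verify -CAfile "$WORK/test12.pem" "$WORK/org1_client_crt.pem" >/dev/null 2>&1
}

# The answer's form: leaf as operand, the transmitted chain cert via -untrusted,
# anchor plus known intermediate in the truststore (-CAfile).
verify_untrusted() {
  openssl verify -CAfile "$WORK/test12.pem" -untrusted "$WORK/org.pem" \
    "$WORK/client.pem" >/dev/null 2>&1
}

build_chain
verify_bundled && echo "bundled operand: OK" || echo "bundled operand: error 20, as in the question"
verify_untrusted && echo "leaf + -untrusted org CA: OK"
```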
