OpenSSL generate certificate chain

Question

I found this service https://whatsmychaincert.com/ that generates a chain (with the root) from a pasted certificate.

Is there any way to generate the chain with OpenSSL?

I found this command:

openssl s_client -connect example.com:443 -showcerts

which shows the whole certificate chain, but requires that the certificate is already online.

Is there any way to generate the chain from a local certificate file?

Answer

s_client -showcerts shows the chain as provided by the server; this should be the full chain, optionally less the root, but as that website says some servers aren't configured correctly. It also has a link "How does this work" which, as one might expect, explains how it works:

mkcertchain is a utility for building a chain of intermediate certificates for an SSL certificate. It downloads the chain certificate from the URL specified in the certificate's "CA Issuers" field, recurring until encountering a root certificate that's trusted in all major browsers. If multiple certificate chains are found, the shortest one is used.

Given a starting cert in a file, or outputtable by some program (such as perhaps a database query), in either PEM or 'DER' (binary) format, openssl x509 -text [-inform pem|der] outputs all of the cert data including 'CA Issuers'. Any number of text-handling programs like awk, perl, grep, shells such as bash, or PowerShell, should be able to extract that line and its value, and since it is normally http:, any number of HTTP-request programs like curl and wget can fetch the cert. Any scripting language like perl, shell or PowerShell can iterate this process as needed, stopping when a root is hit by comparing Subject and Issuer. If you want to stop at an anchor that is not a root that's a little more complicated, but I don't think any such anchors are currently accepted by major browsers, thus aren't needed for the purpose of building a chain to be accepted by browsers.

FWIW, even if your certs don't have the CA Issuers field in AIA, most public CAs including intermediates have now been captured by the certificate transparency logs, which are easily searchable at https://crt.sh ; you can easily navigate through the chain just by clicking links so I haven't thought about trying to automate it, although presumably the numerous tools that 'drive' or simulate a web browser to interact with a website would work here.

And of course, the CA that issued your cert in the first place should always be able to supply the needed chain certs; it's part of their job.
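The iteration the answer sketches (read the "CA Issuers" URL out of `openssl x509 -text`, fetch it with curl, repeat until Subject equals Issuer) written out as a bash script. This is an added example, not code from the answer or from the mkcertchain tool it quotes. It assumes `openssl` (1.1.1 or later is needed only for the test fixture's `-addext`) and `curl` on PATH; the function names, the temporary file layout and the 10-hop limit are my own choices.

```bash
#!/usr/bin/env bash
# Added example (not from the original answer): follow each certificate's AIA
# "CA Issuers" URL with openssl + curl until a self-signed root is reached,
# appending every hop to a PEM bundle. Assumes openssl and curl are on PATH.
set -euo pipefail

# Normalise a cert file (PEM or DER) into PEM at $2 and print that path.
to_pem() {
  if head -c 10 "$1" | grep -q -- '-----BEGIN'; then
    openssl x509 -inform pem -in "$1" -out "$2"
  else
    openssl x509 -inform der -in "$1" -out "$2"
  fi
  printf '%s\n' "$2"
}

# Return 0 when Subject == Issuer, i.e. the cert is a self-signed root.
is_self_issued() {
  [ "$(openssl x509 -noout -subject_hash -in "$1")" = \
    "$(openssl x509 -noout -issuer_hash -in "$1")" ]
}

# Print the first "CA Issuers - URI:" value from the AIA extension,
# or return 1 when the cert carries none.
ca_issuers_url() {
  local text url
  text=$(openssl x509 -noout -text -in "$1")
  url=$(printf '%s\n' "$text" |
        awk '/CA Issuers - URI:/ && !seen { sub(/^.*URI:/, ""); print; seen = 1 }')
  [ -n "$url" ] && printf '%s\n' "$url"
}

# build_chain LEAF OUT: write LEAF plus every issuer up to the root into OUT.
build_chain() {
  local work cur next url hop=0
  work=$(mktemp -d)
  cur=$(to_pem "$1" "$work/0.pem")
  : > "$2"
  while :; do
    cat "$cur" >> "$2"
    if is_self_issued "$cur"; then break; fi      # root reached: stop
    hop=$((hop + 1))
    if [ "$hop" -gt 10 ]; then
      echo "more than 10 hops without reaching a root, giving up" >&2; return 1
    fi
    url=$(ca_issuers_url "$cur") || { echo "no CA Issuers URL in hop $hop" >&2; return 1; }
    curl -fsSL "$url" -o "$work/$hop.raw"
    next=$(to_pem "$work/$hop.raw" "$work/$hop.pem")
    # Cheap consistency check: the fetched cert's Subject must be our Issuer.
    # Name-hash equality is not a signature check; run openssl verify on the result.
    [ "$(openssl x509 -noout -issuer_hash -in "$cur")" = \
      "$(openssl x509 -noout -subject_hash -in "$next")" ] ||
      { echo "fetched cert from $url is not the issuer of hop $((hop - 1))" >&2; return 1; }
    cur=$next
  done
  rm -rf "$work"
}

# Usage: ./build_chain.sh leaf.pem chain.pem
if [ -n "${1:-}" ]; then
  build_chain "$1" "${2:-chain.pem}"
fi
```

The bundle ends with the root, which most servers should not send; drop the last certificate from the file when you install it as a server chain. The Subject/Issuer comparison only tells you the names line up, so finish with a real verification against your trust store, e.g. `openssl verify -CAfile root.pem -untrusted chain.pem leaf.pem`, before trusting the result.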
