Find if a certificate is self signed or CA signed


Problem description

I have a web app which allows users to upload a pkcs12. I store the pkcs12 as binary in the database. Is there any way for me to know if the certificate in the pkcs12 is self signed or CA signed?

I am running a Java web app on tomcat and have openssl at my disposal.

Recommended answer

It's a bit hacky, but the openssl x509 command can report both the issuer and the subject. If the subject and issuer are the same, it is self-signed; if they are different, then it was signed by a CA. (Strictly speaking, a great many self-signed certificates are also signed by a CA -- themselves.)

While testing this theory, I ran a handful of tests; it runs something like:

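# Save the issuer and subject lines of every certificate in the system store
cd /etc/ssl/certs
for f in *.0 ; do openssl x509 -in "$f" -noout -issuer > "/tmp/$f.issuer" ; openssl x509 -in "$f" -noout -subject > "/tmp/$f.subject" ; done
# Strip the field labels so that only the names are compared
cd /tmp
sed -i -e 's/issuer=//' *.issuer
sed -i -e 's/subject=//' *.subject
# No diff output for a file means issuer == subject, i.e. self-signed
cd /etc/ssl/certs/
for f in *.0 ; do diff -u "/tmp/$f.issuer" "/tmp/$f.subject" ; done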

Hope this helps.
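The same issuer/subject comparison applied to an uploaded PKCS#12 bundle, as an added example that is not part of the original answer. It goes one step beyond the name comparison by also checking that the signature verifies with the certificate's own public key, since matching names alone do not prove that. It assumes OpenSSL 1.1.0 or later; the function names and the `P12_PASSWORD` variable are hypothetical.

```shell
# Added example, not from the original answer. Assumes OpenSSL 1.1.0 or later
# on PATH; P12_PASSWORD is a hypothetical variable holding the bundle password.

# classify_cert_pem FILE  (FILE holds one PEM certificate). Prints one of:
#   ca-signed               issuer name differs from subject name
#   self-signed             names match and the signature verifies with the
#                           certificate's own public key
#   self-issued-unverified  names match, but the signature does not verify
classify_cert_pem() {
    local pem="$1" subject issuer
    subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253) || return 2
    issuer=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253) || return 2
    if [ "${subject#subject=}" != "${issuer#issuer=}" ]; then
        echo ca-signed
    # -check_ss_sig: verify skips the self-signature check unless asked.
    # -no_check_time: an expired self-signed certificate is still self-signed.
    # -no-CApath: do not consult the system trust directory.
    elif openssl verify -check_ss_sig -no_check_time -no-CApath \
            -CAfile "$pem" "$pem" >/dev/null 2>&1; then
        echo self-signed
    else
        echo self-issued-unverified
    fi
}

# classify_p12 FILE: classify the end-entity certificate of a PKCS#12 bundle.
# -clcerts skips any CA certificates bundled alongside it; -nokeys keeps the
# private key out of the output. Returns 2 if the bundle cannot be read.
classify_p12() {
    local p12="$1" pem rc=0
    pem=$(mktemp) || return 2
    if openssl pkcs12 -in "$p12" -nokeys -clcerts -passin env:P12_PASSWORD 2>/dev/null |
            openssl x509 -out "$pem" 2>/dev/null; then
        classify_cert_pem "$pem" || rc=$?
    else
        rc=2
    fi
    rm -f "$pem"
    return "$rc"
}

# Stand-alone use: P12_PASSWORD=... sh this-script.sh bundle.p12
if [ "$#" -eq 1 ]; then classify_p12 "$1"; fi
```

Reading the password from the environment with `-passin env:` keeps it out of the process argument list, which `-passin pass:` would not.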
