Fatal编程技术网
  • openssl/
  • Linux下的openSSL证书验证

Linux下的openSSL证书验证

openssl

Linux下的openSSL证书验证,openssl,Openssl,JKJS 我有一系列证书: rcert.pem(自签名)-->scert.pem-->ccert.pem 所有三个证书都是由我生成的。任何地方都没有使用互联网连接。这是完美的脱机工作。 下面是一些命令及其输出: hari@harikrishna:~/hari$ openssl verify rcert.pem rcert.pem: C = IN, ST = OM, L = OM, O = HARI, OU = HARI, CN = OM, emailAddress = OM error 18 a

JKJS

我有一系列证书: rcert.pem(自签名)-->scert.pem-->ccert.pem

所有三个证书都是由我生成的。任何地方都没有使用互联网连接。这是完美的脱机工作。 下面是一些命令及其输出:

hari@harikrishna:~/hari$ openssl verify rcert.pem
rcert.pem: C = IN, ST = OM, L = OM, O = HARI, OU = HARI, CN = OM, emailAddress = OM
error 18 at 0 depth lookup:self signed certificate
OK
hari@harikrishna:~/hari$ openssl verify -CAfile rcert.pem scert.pem
scert.pem: OK
hari@harikrishna:~/hari$ openssl verify -CAfile rcert.pem rcert.pem
rcert.pem: OK
hari@harikrishna:~/hari$ openssl verify -CAfile rcert.pem -untrusted scert.pem ccert.pem
ccert.pem: C = IN, ST = HARI, L = HARI, O = HARI, OU = HARI, CN = HARI, emailAddress = HARI
error 24 at 1 depth lookup:invalid CA certificate
OK
为什么会创建错误24。如何删除它?它是可信的还是不可信的

谢谢。

JKJS

得到了我自己问题的答案:

1) 通过以下命令创建根CA证书:

openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem

openssl x509 -req -in rootreq.pem -sha1 -signkey rootkey.pem -out rootcert.pem

sudo mkdir /usr/share/ca-certificates/extra

sudo cp rootcert.pem /usr/share/ca-certificates/extra/rootcert.crt

sudo dpkg-reconfigure ca-certificates

sudo update-ca-certificates

openssl req -newkey rsa:1024 -sha1 -keyout skey.pem -out sreq.pem

sudo openssl x509 -req -in sreq.pem -sha1 -CA /etc/ssl/certs/rootcert.pem -CAkey rootkey.pem -CAcreateserial -out scert.pem

openssl req -newkey rsa:1024 -sha1 -keyout ckey.pem -out creq.pem

openssl x509 -req -in creq.pem -sha1 -CA scert.pem -CAkey skey.pem -CAcreateserial -out ccert.pem
2) 通过以下命令将CA证书安装为受信任证书:

openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem

openssl x509 -req -in rootreq.pem -sha1 -signkey rootkey.pem -out rootcert.pem

sudo mkdir /usr/share/ca-certificates/extra

sudo cp rootcert.pem /usr/share/ca-certificates/extra/rootcert.crt

sudo dpkg-reconfigure ca-certificates

sudo update-ca-certificates

openssl req -newkey rsa:1024 -sha1 -keyout skey.pem -out sreq.pem

sudo openssl x509 -req -in sreq.pem -sha1 -CA /etc/ssl/certs/rootcert.pem -CAkey rootkey.pem -CAcreateserial -out scert.pem

openssl req -newkey rsa:1024 -sha1 -keyout ckey.pem -out creq.pem

openssl x509 -req -in creq.pem -sha1 -CA scert.pem -CAkey skey.pem -CAcreateserial -out ccert.pem
3) 通过以下命令创建了由根CA签名的中间证书:

openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem

openssl x509 -req -in rootreq.pem -sha1 -signkey rootkey.pem -out rootcert.pem

sudo mkdir /usr/share/ca-certificates/extra

sudo cp rootcert.pem /usr/share/ca-certificates/extra/rootcert.crt

sudo dpkg-reconfigure ca-certificates

sudo update-ca-certificates

openssl req -newkey rsa:1024 -sha1 -keyout skey.pem -out sreq.pem

sudo openssl x509 -req -in sreq.pem -sha1 -CA /etc/ssl/certs/rootcert.pem -CAkey rootkey.pem -CAcreateserial -out scert.pem

openssl req -newkey rsa:1024 -sha1 -keyout ckey.pem -out creq.pem

openssl x509 -req -in creq.pem -sha1 -CA scert.pem -CAkey skey.pem -CAcreateserial -out ccert.pem
4) 通过以下命令创建了由中间CA签名的客户端证书:

openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem

openssl x509 -req -in rootreq.pem -sha1 -signkey rootkey.pem -out rootcert.pem

sudo mkdir /usr/share/ca-certificates/extra

sudo cp rootcert.pem /usr/share/ca-certificates/extra/rootcert.crt

sudo dpkg-reconfigure ca-certificates

sudo update-ca-certificates

openssl req -newkey rsa:1024 -sha1 -keyout skey.pem -out sreq.pem

sudo openssl x509 -req -in sreq.pem -sha1 -CA /etc/ssl/certs/rootcert.pem -CAkey rootkey.pem -CAcreateserial -out scert.pem

openssl req -newkey rsa:1024 -sha1 -keyout ckey.pem -out creq.pem

openssl x509 -req -in creq.pem -sha1 -CA scert.pem -CAkey skey.pem -CAcreateserial -out ccert.pem
现在,信任链运行良好:

1) 根CA的验证

openssl verify rootcert.pem 
rootcert.pem: OK
2) 中间CA的验证

openssl verify scert.pem 
scert.pem: OK
3) 验证客户证书

openssl verify -CAfile scert.pem ccert.pem
ccert.pem: OK
在找到解决方案方面做得很好。一个很好的完整的迷你教程。对于那些现在发现这一点的人,请将其更改为2048字节和sha256,因为它们现在更常见。警告,上面的证书链验证命令比您预期的更为宽松!默认情况下,除了检查给定的CAfile外,他们还检查系统证书目录中是否有任何匹配的CA,例如/etc/ssl/certs。为了防止这种行为并确保您正在检查您的特定CA证书,还可以通过一个不存在的目录传递-CApath选项,例如:“openssl verify-CApath nosuchdir-CAfile scert.pem ccert.pem”这很酷,可以在linux上运行。但是如何在mac上安装根证书??