Is my leaf certificate really invalid, or am I using "openssl verify" incorrectly?

Tags: openssl, ssl-certificate, ecdsa

I thought I had created my leaf certificate (device.cert.pem) correctly, but it does not verify correctly with my software. So, before debugging the software further, I tried to verify the certificate with OpenSSL on the command line.

The chain is: root (CN=Halo HSM CA) signs the signer (CN=Halo Signing Server 0003), which signs the device (CN=Halo).

Here is how I invoke OpenSSL on the command line:

$ openssl verify -show_chain -trusted <path>/devel_root.cert.pem signing_server.curly-0003.cert.pem device.cert.pem 
signing_server.curly-0003.cert.pem: OK
Chain:
depth=0: C = US, ST = Pennsylvania, L = York, O = Red Lion Controls, CN = Halo Signing Server 0003 (untrusted)
depth=1: C = US, ST = Pennsylvania, L = York, O = Red Lion Controls, CN = Halo HSM CA
C = US, ST = Pennsylvania, L = York, O = Red Lion Controls, CN = Halo
error 20 at 0 depth lookup: unable to get local issuer certificate
error device.cert.pem: verification failed
And the device certificate:

$ openssl x509 -in device.cert.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            46:f1:16:55:c4:bb:56:27:ab:36:75:00:7e:bb:60:b1
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, ST = Pennsylvania, L = York, O = Red Lion Controls, CN = Halo Signing Server 0003
        Validity
            Not Before: Sep 10 19:00:00 2019 GMT
            Not After : Dec 31 23:59:59 3000 GMT
        Subject: C = US, ST = Pennsylvania, L = York, O = Red Lion Controls, CN = Halo
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:2b:dd:82:0b:59:e3:d7:c1:04:ce:d4:9c:bb:74:
                    4c:94:5c:c7:9f:41:21:b8:24:96:39:9c:43:ea:dc:
                    6a:31:7b:58:54:ee:c2:a9:b7:0f:ea:34:ef:72:45:
                    cd:2e:2e:d7:1f:0a:74:eb:79:2d:e0:5d:16:ab:89:
                    5e:a3:52:99:7a
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:A7:A9:0B:27:B4:0D:28:84:26:F0:64:70:B5:27:DD:0B:05:4A:25:46

            X509v3 Subject Key Identifier: 
                7E:0E:12:66:F0:CA:6C:D2:53:C3:0D:D3:40:6B:33:9A:91:C0:44:94
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:89:00:7e:64:03:1c:c3:8a:b1:17:30:ee:7b:
         29:41:15:95:8e:1d:98:49:87:16:67:b8:4c:fc:d4:dc:d5:af:
         c6:02:20:37:c8:09:39:ec:75:e2:4c:68:b5:b0:06:00:12:e8:
         61:57:8b:57:ce:1e:7b:b4:81:cb:e2:c0:1f:de:b5:0c:cf
I also tried combining the root and intermediate certificates into one file and using the -CAfile argument, but got the same result:

$ cp <path>/devel_root.cert.pem trusted_certs.txt
$ cat signing_server.curly-0003.cert.pem >> trusted_certs.txt 
$ openssl verify -show_chain -CAfile trusted_certs.txt device.cert.pem 
C = US, ST = Pennsylvania, L = York, O = Red Lion Controls, CN = Halo
error 20 at 0 depth lookup: unable to get local issuer certificate
error device.cert.pem: verification failed

At a minimum, your device certificate has the wrong Authority Key Identifier for the certificate you claim issued it.

Issuing authority:

    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:TRUE, pathlen:0
        X509v3 Key Usage: critical
            Digital Signature, Certificate Sign, CRL Sign
        X509v3 Subject Key Identifier: 
            57:55:32:18:99:54:20:30:1C:73:6F:08:46:0C:C9:86:EC:F6:E8:DB

Device certificate:

    X509v3 extensions:
        X509v3 Authority Key Identifier: 
            keyid:A7:A9:0B:27:B4:0D:28:84:26:F0:64:70:B5:27:DD:0B:05:4A:25:46

Because the device certificate's Authority Key Identifier does not match the issuing CA's Subject Key Identifier, the issuing CA certificate is eliminated as a candidate.

The command does not try all the certificates at the same time. It found the chain 003 -> CA, but not leaf -> 003. You need to pass the intermediate in via another named parameter (-CAfile, perhaps?).

I combined the root and intermediate certificates into one text file and passed that file to -CAfile, but no luck. I will update the original question with the results. I also updated the original command and output to include the -show_chain argument.
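The answer's check can be scripted against `openssl x509 -text` output: the issuer lookup first matches the leaf's Issuer name against a candidate's Subject, then compares the leaf's Authority Key Identifier keyid with the candidate's Subject Key Identifier. The following is an added example (not from the question or answer); the embedded text excerpts are taken from the output quoted above, and `parse_cert_text` / `find_issuer` are names chosen here.

```python
import re

# Excerpts of the `openssl x509 -text` output quoted in the question above
# (only the fields the issuer lookup needs).
DEVICE_TEXT = """\
        Issuer: C = US, ST = Pennsylvania, L = York, O = Red Lion Controls, CN = Halo Signing Server 0003
        Subject: C = US, ST = Pennsylvania, L = York, O = Red Lion Controls, CN = Halo
            X509v3 Authority Key Identifier:
                keyid:A7:A9:0B:27:B4:0D:28:84:26:F0:64:70:B5:27:DD:0B:05:4A:25:46
            X509v3 Subject Key Identifier:
                7E:0E:12:66:F0:CA:6C:D2:53:C3:0D:D3:40:6B:33:9A:91:C0:44:94
"""
SIGNER_TEXT = """\
        Issuer: C = US, ST = Pennsylvania, L = York, O = Red Lion Controls, CN = Halo HSM CA
        Subject: C = US, ST = Pennsylvania, L = York, O = Red Lion Controls, CN = Halo Signing Server 0003
            X509v3 Subject Key Identifier:
                57:55:32:18:99:54:20:30:1C:73:6F:08:46:0C:C9:86:EC:F6:E8:DB
"""

PATTERNS = {
    "subject": r"^\s*Subject:\s*(.+?)\s*$",
    "issuer": r"^\s*Issuer:\s*(.+?)\s*$",
    # OpenSSL 1.1 prints "keyid:..." under the AKI, OpenSSL 3 prints the bare hex.
    "aki": r"Authority Key Identifier:\s*(?:keyid:)?([0-9A-Fa-f:]+)",
    "ski": r"Subject Key Identifier:\s*([0-9A-Fa-f:]+)",
}


def parse_cert_text(text):
    """Extract subject, issuer, AKI keyid and SKI from `openssl x509 -text` output."""
    fields = {}
    for name, pattern in PATTERNS.items():
        m = re.search(pattern, text, re.MULTILINE)
        value = m.group(1) if m else None
        fields[name] = value.upper() if value and name in ("aki", "ski") else value
    return fields


def find_issuer(leaf, candidates):
    """Apply the two checks of the issuer lookup: issuer name, then AKI == SKI.
    Returns (status, detail); status is "ok", "aki-mismatch" or "no-issuer"."""
    for cand in candidates:
        if cand["subject"] != leaf["issuer"]:
            continue  # name does not match: not a candidate at all
        if leaf["aki"] and cand["ski"] and leaf["aki"] != cand["ski"]:
            return "aki-mismatch", f"leaf AKI {leaf['aki']} != candidate SKI {cand['ski']}"
        return "ok", cand["subject"]
    return "no-issuer", "no candidate subject equals the leaf issuer name"
```

Run against the two excerpts it returns "aki-mismatch", which is exactly why `openssl verify` drops the signing server as an issuer and reports error 20 at depth 0.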