Openssl 证书验证返回错误:无法获取颁发者证书
我已经创建了终结点证书,并与我的中间用户进行了签名: 用中间符号标记终点Openssl 证书验证返回错误:无法获取颁发者证书,openssl,ssl-certificate,x509,Openssl,Ssl Certificate,X509,我已经创建了终结点证书,并与我的中间用户进行了签名: 用中间符号标记终点 openssl x509 -req -days 3650 -CAcreateserial -CA ../intermediate.crt -CAkey ../intermediate.key.insecure -in server.csr -out server.crt -sha256 我的服务器csr: Certificate Request: Data: Version: 0 (0x0)
openssl x509 -req -days 3650 -CAcreateserial -CA ../intermediate.crt -CAkey ../intermediate.key.insecure -in server.csr -out server.crt -sha256
我的服务器csr:
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=IL, L=Default City, O=mysrvr, OU=666, CN=www.mysrvr.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:cc:.:b2:4d
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
49:e0:.:.:27:be
openssl x509 -in intermediate_AE.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
11:22:33:44:55:66:77:90
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=S1, L=Default City, O=SIP, OU=SIPCA, CN=rootca
Validity
Not Before: Apr 23 11:39:29 2018 GMT
Not After : Apr 20 11:39:29 2028 GMT
Subject: C=AU, O=Default Company Ltd, OU=666, CN=intermediate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d1:.:.:fb:cf
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:1
X509v3 Subject Key Identifier:
FE:C5:C3:99:D4:05:71:5B:C6:68:95:D0:29:4F:6C:46:CB:C0:4E:3D
X509v3 Authority Key Identifier:
keyid:96:D5:C4:D5:CD:B3:88:D4:90:89:AA:F2:FC:D8:86:8B:DE:70:6F:42
Signature Algorithm: sha1WithRSAEncryption
42:e7:..:..:..:d0:2d
openssl verify -CAfile intermediate.crt server.crt
server.crt: C = AU, O = Default Company Ltd, OU = 666, CN = intermediate
error 2 at 1 depth lookup:unable to get issuer certificate
我的中间crt:
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=IL, L=Default City, O=mysrvr, OU=666, CN=www.mysrvr.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:cc:.:b2:4d
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
49:e0:.:.:27:be
openssl x509 -in intermediate_AE.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
11:22:33:44:55:66:77:90
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=S1, L=Default City, O=SIP, OU=SIPCA, CN=rootca
Validity
Not Before: Apr 23 11:39:29 2018 GMT
Not After : Apr 20 11:39:29 2028 GMT
Subject: C=AU, O=Default Company Ltd, OU=666, CN=intermediate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d1:.:.:fb:cf
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:1
X509v3 Subject Key Identifier:
FE:C5:C3:99:D4:05:71:5B:C6:68:95:D0:29:4F:6C:46:CB:C0:4E:3D
X509v3 Authority Key Identifier:
keyid:96:D5:C4:D5:CD:B3:88:D4:90:89:AA:F2:FC:D8:86:8B:DE:70:6F:42
Signature Algorithm: sha1WithRSAEncryption
42:e7:..:..:..:d0:2d
openssl verify -CAfile intermediate.crt server.crt
server.crt: C = AU, O = Default Company Ltd, OU = 666, CN = intermediate
error 2 at 1 depth lookup:unable to get issuer certificate
当我尝试验证我得到的签名时:
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=IL, L=Default City, O=mysrvr, OU=666, CN=www.mysrvr.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:cc:.:b2:4d
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
49:e0:.:.:27:be
openssl x509 -in intermediate_AE.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
11:22:33:44:55:66:77:90
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=S1, L=Default City, O=SIP, OU=SIPCA, CN=rootca
Validity
Not Before: Apr 23 11:39:29 2018 GMT
Not After : Apr 20 11:39:29 2028 GMT
Subject: C=AU, O=Default Company Ltd, OU=666, CN=intermediate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d1:.:.:fb:cf
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:1
X509v3 Subject Key Identifier:
FE:C5:C3:99:D4:05:71:5B:C6:68:95:D0:29:4F:6C:46:CB:C0:4E:3D
X509v3 Authority Key Identifier:
keyid:96:D5:C4:D5:CD:B3:88:D4:90:89:AA:F2:FC:D8:86:8B:DE:70:6F:42
Signature Algorithm: sha1WithRSAEncryption
42:e7:..:..:..:d0:2d
openssl verify -CAfile intermediate.crt server.crt
server.crt: C = AU, O = Default Company Ltd, OU = 666, CN = intermediate
error 2 at 1 depth lookup:unable to get issuer certificate
我的问题:我的命令/中间层阻止正确的链有什么问题?OpenSSL尝试构建一个链,一直返回到自签名根证书。仅信任中间层本身是不够的,除非您还提供标志“-partial_chain”,即尝试以下操作:
openssl verify -partial_chain -CAfile intermediate.crt server.crt
或者,您应该一直提供证书到根证书
openssl verify -CAfile rootCA.cert -untrusted intermediate.crt server.crt
或者,如果要显式信任中间CA,可以将根CA和中间CA连接到单个文件中:
openssl verify -CAfile rootAndInter.crt server.crt
OpenSSL试图构建一条链,一直追溯到自签名根证书。仅信任中间证书本身是不够的,除非您还提供“partial_chain”标志,即尝试以下操作:
openssl verify -partial_chain -CAfile intermediate.crt server.crt
或者,您应该一直提供证书到根证书
openssl verify -CAfile rootCA.cert -untrusted intermediate.crt server.crt
或者,如果要显式信任中间CA,可以将根CA和中间CA连接到单个文件中:
openssl verify -CAfile rootAndInter.crt server.crt