How do I verify a DER certificate with openssl?


PEM works fine:

openssl verify -CAfile CA/ca.crt leaf.cert.pem

But I cannot verify the DER file generated with

openssl x509 -in leaf.cert.pem -outform DER -out leaf.cert.der

Running

openssl verify -CAfile CA/ca.crt leaf.cert.der

produces

unable to load certificate
4613703104:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

openssl verify does not accept -inform der the way the other openssl commands do.

Does this mean DER cannot be verified directly, and I need to convert it to PEM first and then verify?

People usually use a pipe to send the output of one command into another.

So, to verify a DER-format certificate, you can do the following:

openssl x509 -inform der -in .\leaf.cert.cer -outform pem | openssl verify -CAfile CA/ca.crt

This assumes that "leaf.cert.cer" is in DER format and "CA/ca.crt" is in PEM format.

To break it down:

openssl x509 -inform der -in .\leaf.cert.cer -outform pem
converts the DER certificate to PEM format and writes the result to stdout.

openssl verify -CAfile CA/ca.crt
verifies the PEM certificate read from stdin.

You combine the two commands with the pipe "|" operator, which feeds the stdout of the first command into the stdin of the second.


Create a bash script to check the certificate's revocation status, converting to PEM format if needed:

#!/bin/bash

#
# Check certificate revocation status via OCSP.
# Convert certificate to PEM format if needed.

CERT=$1

DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"

CERT_PEM_TMP=$(mktemp -p "$DIR" -t "cert_pem.XXXXXXXXXX")
ISSUER_CRT_TMP=$(mktemp -p "$DIR" -t "issuer_crt.XXXXXXXXXX")
ISSUER_PEM_TMP=$(mktemp -p "$DIR" -t "issuer_pem.XXXXXXXXXX")


# cert_to_pem INPUT OUTPUT: write INPUT to OUTPUT as PEM. A file without a
# "BEGIN CERTIFICATE" header is treated as DER.
cert_to_pem () {
    _CertFn=$1
    _PemCertFn=$2
    _Res=$(grep -c -- '--BEGIN CERTIFICATE--' "$_CertFn")
    echo "is_pem RES: $_Res"
    if [ "$_Res" -eq 0 ]; then
        echo "DER format"
        openssl x509 -inform DER -in "$_CertFn" -out "$_PemCertFn"
    else
        echo "PEM format"
        openssl x509 -inform PEM -in "$_CertFn" -out "$_PemCertFn"
    fi
}

cert_to_pem "$CERT" "$CERT_PEM_TMP"

# Fetch the issuer certificate from the leaf's AIA "CA Issuers" URI.
CRT_URI=$( openssl x509 -in "$CERT_PEM_TMP" -text -noout | grep 'CA Issuers' | sed -e "s/^.*CA Issuers - URI://" )
echo "CRT_URI: $CRT_URI"
curl --silent "$CRT_URI" > "$ISSUER_CRT_TMP"
#./export_to_pem.tcl $ISSUER_CRT_TMP $ISSUER_PEM_TMP
cert_to_pem "$ISSUER_CRT_TMP" "$ISSUER_PEM_TMP"

# OCSP responder URI from the leaf, and its host for the HTTP Host header.
OCSP_URI=$(openssl x509 -in "$CERT_PEM_TMP" -ocsp_uri -noout)
OCSP_HOST=$(echo "$OCSP_URI" | sed -e 's|^[^/]*//||' -e 's|/.*$||')

echo "check certificate: $CERT"
echo "ISSUER_PEM_TMP: $ISSUER_PEM_TMP"
echo "CERT_PEM_TMP: $CERT_PEM_TMP"
echo "OCSP_URI: $OCSP_URI"
echo "OCSP_HOST: $OCSP_HOST"
echo "Server response:"
openssl ocsp -no_nonce -issuer "$ISSUER_PEM_TMP" -cert "$CERT_PEM_TMP" -url "$OCSP_URI" -header Host="$OCSP_HOST"

echo "Server response end:"
rm "$CERT_PEM_TMP" "$ISSUER_CRT_TMP" "$ISSUER_PEM_TMP"
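As an added example that is not part of either answer above, here is a POSIX sh wrapper that combines the two approaches: it detects PEM by the header (as the script's cert_to_pem does) and DER by the leading ASN.1 SEQUENCE byte 0x30 rather than assuming "not PEM means DER", then runs the conversion pipe from the first answer so a single verify_cert call works for either format. The function names, the 0x30 check and the "unknown" branch are my additions.

```shell
#!/bin/sh
# cert_format FILE: print "pem", "der" or "unknown" based on file content.
cert_format() {
    f=$1
    # PEM: text armor with a BEGIN CERTIFICATE header.
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
        echo pem
        return 0
    fi
    # DER: an X.509 Certificate is an ASN.1 SEQUENCE, so the first byte is 0x30.
    first=$(dd if="$f" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo der
    else
        echo unknown
    fi
}

# verify_cert CAFILE CERT: verify CERT against the PEM CA bundle CAFILE,
# converting DER to PEM through the pipe because openssl verify has no -inform.
verify_cert() {
    ca=$1
    cert=$2
    case $(cert_format "$cert") in
        pem) openssl verify -CAfile "$ca" "$cert" ;;
        der) openssl x509 -inform der -in "$cert" -outform pem \
                 | openssl verify -CAfile "$ca" ;;
        *)   echo "unrecognised certificate format: $cert" >&2; return 2 ;;
    esac
}
```

Usage: verify_cert CA/ca.crt leaf.cert.der; the exit status is that of openssl verify, or 2 if the file is neither PEM nor DER.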
