Unable to get OpenSSL to verify an SSL certificate
Tags: ssl, openssl, ldap, ssl-certificate, ubuntu-14.04
What I'm trying to do: use openssl to get a clean connection to a remote site.
The site appears to be self-signed.
What I'm getting:
CONNECTED(00000003)
depth=0 CN = DC01.home.pri
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = DC01.home.pri
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = DC01.home.pri
verify error:num=21:unable to verify the first certificate
verify return:1
...
...
Verify return code: 21 (unable to verify the first certificate)
What I've tried:
echo -n | openssl s_client -connect DC01.home.pri:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.pem
echo -n | openssl s_client -connect DC01.home.pri:636 -CAfile ldapserver.pem
sudo cp ldapserver.pem /etc/ssl/certs/ldapserver.pem
sudo c_rehash /etc/ssl/certs/
echo -n | openssl s_client -connect dc01.home.pri:636 -CApath /etc/ssl/certs/
I also tried:
openssl verify -CAfile /etc/ssl/certs/ldapserver.pem ldapserver.pem
openssl verify -CApath /etc/ssl/certs/ ldapserver.pem
Result:
ldapserver.pem: CN = DC01.home.pri
error 20 at 0 depth lookup:unable to get local issuer certificate
I have changed the CN/hostname to protect myself. The hostname is also in my hosts file, in case that helps.
Censored PEM file:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
64:c7:48:64:00:00:00:00:00:d0
Signature Algorithm: sha1WithRSAEncryption
Issuer: DC=pri, DC=home, CN=home-HOMECA-CA
Validity
Not Before: Mar 7 22:41:45 2015 GMT
Not After : Mar 6 22:41:45 2016 GMT
Subject: CN=DC01.home.pri
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
<CENSORED>
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.311.20.2:
. .D.o.m.a.i.n.C.o.n.t.r.o.l.l.e.r
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
S/MIME Capabilities:
......0...`.H.e...*0...`.H.e...-0...`.H.e....0...`.H.e....0...+....0
..*.H..
X509v3 Subject Alternative Name:
othername:<unsupported>, DNS:DC01.home.pri
X509v3 Subject Key Identifier:
<CENSORED>
X509v3 Authority Key Identifier:
keyid:<CENSORED>
X509v3 CRL Distribution Points:
Full Name:
URI:ldap:///CN=home-HOMECA-CA,CN=HOMECA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=home,DC=pri?certificateRevocationList?base?objectClass=cRLDistributionPoint
URI:http://homeca.home.pri/CertEnroll/home-HOMECA-CA.crl
Authority Information Access:
CA Issuers - URI:ldap:///CN=home-CA-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=home,DC=pri?cACertificate?base?objectClass=certificationAuthority
Signature Algorithm: sha1WithRSAEncryption
<CENSORED>
The certificate you posted is not self-signed: the issuer (DC=pri, DC=home, CN=home-HOMECA-CA) is different from the subject (CN=DC01.home.pri).
When verifying the certificate, OpenSSL cannot find a local certificate for the issuer (or for the issuer of the first certificate in the chain received from the server during the TLS handshake) with which to verify the signature.
You need to give openssl verify the issuer certificate (or put it in your trust store):
openssl verify -CAfile <issuer-cert>.pem ldapserver.pem
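The point made in the answer, shown end to end as an added example (this script is not from the question or the answer): it generates a throwaway CA named like the poster's issuer and a leaf named like DC01.home.pri, then runs openssl verify both ways. Trusting only the leaf reproduces "error 20 at 0 depth lookup: unable to get local issuer certificate", whether via -CAfile or via a hashed -CApath directory like the one the question built with c_rehash; trusting the issuer makes both succeed. All key material and DNs are constructed here, and the only assumption is that the openssl command-line tool is on PATH.

```shell
#!/bin/sh
# Added example, not the poster's or answerer's code. Reproduces the
# "error 20 ... unable to get local issuer certificate" result with a
# constructed PKI and shows that trusting the *issuer* fixes it.
# Assumes: the openssl CLI is on PATH. All names/keys below are made up here.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed test PKI: a self-signed CA ("home-HOMECA-CA") and a leaf
# ("DC01.home.pri") that it issues. Issuer != Subject on the leaf, so the
# leaf is not self-signed, like the certificate in the question.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/DC=pri/DC=home/CN=home-HOMECA-CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=DC01.home.pri" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -days 1 -sha256 \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/ldapserver.pem" 2>/dev/null
}

# First thing to check before trusting a certificate as its own anchor:
# compare issuer and subject DNs. Prints "self-signed" or "not-self-signed".
classify_cert() {
    issuer=$(openssl x509 -in "$1" -noout -issuer)
    subject=$(openssl x509 -in "$1" -noout -subject)
    if [ "${issuer#issuer=}" = "${subject#subject=}" ]; then
        echo self-signed
    else
        echo not-self-signed
    fi
}

# Verify leaf $1 against trust file $2; prints "ok" or "fail".
verify_with_cafile() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Same check through a hashed -CApath directory containing only trust file
# $2, i.e. the <subject-hash>.0 layout c_rehash creates under /etc/ssl/certs.
verify_with_capath() {
    dir=$(mktemp -d)
    cp "$2" "$dir/$(openssl x509 -in "$2" -noout -hash).0"
    if openssl verify -CApath "$dir" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

make_test_pki
classify_cert "$WORK/ldapserver.pem"                              # not-self-signed
verify_with_cafile "$WORK/ldapserver.pem" "$WORK/ldapserver.pem"  # fail: error 20, leaf is not an issuer
verify_with_capath "$WORK/ldapserver.pem" "$WORK/ldapserver.pem"  # fail: same result via the hash dir
verify_with_cafile "$WORK/ldapserver.pem" "$WORK/ca.pem"          # ok
verify_with_capath "$WORK/ldapserver.pem" "$WORK/ca.pem"          # ok
```

Two practical notes for the real server. Without -showcerts, openssl s_client prints only the server's own certificate, so the sed pipeline in the question could never have captured the issuer even if the server sent it; and the posted certificate's Authority Information Access extension lists an LDAP URI for the CA certificate, which is where the issuer (home-HOMECA-CA) can be exported from and then passed as the -CAfile, or hashed into the -CApath directory, in place of ldapserver.pem.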
Does the site appear to be self-signed, or is the site self-signed? Can you post ldapserver.pem?
Added a censored PEM file. I can't paste it unless you mean the Base64, because it is a different hostname, to protect those involved. I have changed the hostname and the issuer name to keep them consistent with the subject.
I was hoping to bypass issuer verification and use the PEM to verify the server.
I ended up getting the CA certificate, and it seems that was the solution.