openssl verify will do what you want, if you want a simple tool:
From running:
cd /usr/share/ca-certificates
find . -type f -exec openssl verify {} \;
Here is a selection of the output:
./telesec.de/deutsche-telekom-root-ca-2.crt: OK
./brasil.gov.br/brasil.gov.br.crt: OK
./cacert.org/cacert.org.crt: OK
./spi-inc.org/spi-ca-2003.crt: /C=US/ST=Indiana/L=Indianapolis/O=Software in the Public Interest/OU=hostmaster/CN=Certification Authority/[email protected]
error 10 at 0 depth lookup:certificate has expired
OK
./spi-inc.org/spi-cacert-2008.crt: OK
./signet.pl/signet_ocspklasa3_pem.crt: /C=PL/O=TP Internet Sp. z o.o./CN=CC Signet - CA Klasa 3/serialNumber=Numer wpisu: 4
error 2 at 1 depth lookup:unable to get issuer certificate
./signet.pl/signet_ca3_pem.crt: /C=PL/O=TP Internet Sp. z o.o./CN=CC Signet - CA Klasa 3/serialNumber=Numer wpisu: 4
error 20 at 0 depth lookup:unable to get local issuer certificate
If you would rather get the results in a larger program, perhaps the gnutls_x509_crt_verify(3), gnutls_x509_crt_get_key_usage(3), gnutls_x509_crt_check_revocation(3) interfaces are easier to use than OpenSSL. (I have never used gnutls, but I have used OpenSSL.)
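In the output above, the expired certificate is reported with error 10 and then a trailing OK, so a script that only looks for "OK" would miss it. The following is an added example, not part of the original answer: a filter that turns output in that format into one line per file and marks any file with an error line as FAIL. The function names are hypothetical, and the sample is constructed from the lines shown above with one subject shortened.

```shell
#!/bin/sh
# Constructed sample in the format shown above (one subject line shortened).
sample_output() {
cat <<'EOF'
./cacert.org/cacert.org.crt: OK
./spi-inc.org/spi-ca-2003.crt: /C=US/O=Software in the Public Interest/CN=Certification Authority
error 10 at 0 depth lookup:certificate has expired
OK
./spi-inc.org/spi-cacert-2008.crt: OK
./signet.pl/signet_ca3_pem.crt: /C=PL/O=TP Internet Sp. z o.o./CN=CC Signet - CA Klasa 3/serialNumber=Numer wpisu: 4
error 20 at 0 depth lookup:unable to get local issuer certificate
EOF
}

# Reads verify output on stdin, prints "path<TAB>status<TAB>error-codes".
# A file is PASS only if it has an OK and no error line at all.
summarize_verify() {
    awk '
    function emit(   status) {
        if (path == "") return
        status = (codes != "") ? "FAIL" : (ok ? "PASS" : "UNKNOWN")
        printf "%s\t%s\t%s\n", path, status, (codes == "" ? "-" : codes)
    }
    # Error lines belong to the most recent file; collect every code.
    /^error [0-9]+ at [0-9]+ depth lookup:/ {
        codes = (codes == "" ? $2 : codes "," $2)
        next
    }
    # A bare OK after an error line must not override the error.
    $0 == "OK" { ok = 1; next }
    {
        # The path ends at the first ": "; the subject may contain ": " too.
        i = index($0, ": ")
        if (i == 0) next
        emit()
        path = substr($0, 1, i - 1)
        ok = (substr($0, i + 2) == "OK")
        codes = ""
    }
    END { emit() }
    '
}

sample_output | summarize_verify
```

With a real run, pipe the find command's combined stdout and stderr into summarize_verify instead of the sample.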