Server certificate and certificate chain: how do I chain an SSL server certificate with the intermediate and root CA certificates?

I thought I understood this, but it doesn't work!

Background:

Comodo's cheap PositiveSSL server certificate comes with one root and two intermediate CA certificates (I have replaced my FQDN with myserver.com):

$ unzip ../myserver_com.commodo.certificate.zip
Archive: ../myserver_com.commodo.certificate.zip
extracting: AddTrustExternalCARoot.crt
extracting: COMODORSAAddTrustCA.crt
extracting: COMODORSADomainValidationSecureServerCA.crt
extracting: myserver_com.crt

Note that the alphabetical order happens to be the reverse of the certificate chain, from the root CA down to the server certificate. The root CA is not Comodo, but that is beside the point.

Consider the following output:

openssl x509 -noout -subject -issuer -in myserver_com.crt
subject= /OU=Domain Control Validated/OU=PositiveSSL/CN=myserver.com
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA

openssl x509 -noout -subject -issuer -in COMODORSADomainValidationSecureServerCA.crt
subject= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority

openssl x509 -noout -subject -issuer -in COMODORSAAddTrustCA.crt
subject= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

openssl x509 -noout -subject -issuer -in AddTrustExternalCARoot.crt
subject= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

The issuer of each certificate is the subject of the next one, right up to the root CA certificate from AddTrust AB, which is self-signed. The chain is complete.

Verifying the individual certificates:

$ openssl verify *.crt
AddTrustExternalCARoot.crt: OK
COMODORSAAddTrustCA.crt: OK
COMODORSADomainValidationSecureServerCA.crt: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
error 20 at 0 depth lookup:unable to get local issuer certificate
myserver_com.crt: OU = Domain Control Validated, OU = PositiveSSL, CN = myserver.com
error 20 at 0 depth lookup:unable to get local issuer certificate

The first two certificates are already installed on the server, which would mean chaining only two certificates, but I chained them all anyway. From the TLS specification:

    certificate_list
    This is a sequence (chain) of certificates. The sender's
    certificate MUST come first in the list. Each following
    certificate MUST directly certify the one preceding it. Because
    certificate validation requires that root keys be distributed
    independently, the self-signed certificate that specifies the root
    certificate authority MAY be omitted from the chain, under the
    assumption that the remote end must already possess it in order to
    validate it in any case.

When I chain them in what should be the correct order, the certificate is recognized as the server certificate of the TLS session, but it does not verify.

$ cat myserver_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > chained.crt
$ openssl verify chained.crt
chained.crt: OU = Domain Control Validated, OU = PositiveSSL, CN = das.email
error 20 at 0 depth lookup:unable to get local issuer certificate

When connecting to the server with

$ openssl s_client -crlf -connect myserver:465

the certificate is accepted and the chain is recognized, but the root certificate is not recognized as trusted, even though it is among the trusted certificates in /etc/ssl/mozilla/.

What am I missing? Can I simply ignore the error from the command-line openssl tool?
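An added example, not from the original question or from Comodo: a shell script that builds a throwaway root/intermediate/server chain with openssl (all subject names and file names are constructed test data), reproduces the `openssl verify chained.crt` failure from the question, and shows how the same chain verifies once the intermediates are passed with -untrusted and the root with -CAfile.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway
# root -> intermediate -> server chain with openssl and show what
# "openssl verify" really checks when handed the cat-concatenated
# chained.crt the post builds. All names are made-up test data.
set -e
# Helper: private key plus CSR for one subject (test data only).
new_csr() { openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
              -keyout "$2.key" -out "$2.csr" 2>/dev/null; }

make_test_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:myserver.com\n' > leaf.ext
  # Self-signed root (plays the part of AddTrustExternalCARoot.crt).
  new_csr 'Test Root CA' root
  openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
    -out root.crt 2>/dev/null
  # Intermediate signed by the root (plays the part of the COMODO intermediates).
  new_csr 'Test Intermediate CA' inter
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out inter.crt 2>/dev/null
  # Server certificate signed by the intermediate.
  new_csr myserver.com server
  openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 30 -extfile leaf.ext -out server.crt 2>/dev/null
  # Same layout as the post: server cert first, each issuer next, root last.
  cat server.crt inter.crt root.crt > chained.crt
}

# Exit status 0 if "openssl verify" accepts the chain, non-zero otherwise.
verify_ok() { openssl verify "$@" >/dev/null 2>&1; }

# The post's command. "openssl verify FILE" reads only the FIRST certificate
# in FILE and never treats the rest as issuers, so this fails with error 20
# although every certificate needed is in the same file.
verify_like_the_post() { verify_ok chained.crt; }

# Intermediates go in -untrusted, the root in -CAfile (or the system store).
# The concatenated file works as the -untrusted bundle: all of it is read there.
verify_with_untrusted() { verify_ok -CAfile root.crt -untrusted chained.crt server.crt; }

# With the intermediate unavailable the chain cannot be built, even though
# the root is trusted: this is the situation the post's verify runs into.
verify_without_intermediate() { verify_ok -CAfile root.crt server.crt; }

cd "$(mktemp -d)"
make_test_chain
verify_like_the_post && echo 'verify chained.crt: OK' || echo 'verify chained.crt: fails, as in the post'
verify_with_untrusted && echo 'verify -CAfile root.crt -untrusted chained.crt server.crt: OK'
```

The order inside chained.crt matters to TLS clients, not to `openssl verify FILE`, which checks only the first certificate in FILE; `openssl s_client` likewise trusts only the roots that -CAfile or -CApath (or the default store) point to, so a root kept in a non-default directory has to be passed explicitly.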
