I thought I understood it, but it doesn't work!
Background:
Comodo's cheap PositiveSSL server certificate comes with one root and two intermediate CA certificates (I have replaced my FQDN with myserver.com):
$ unzip ../myserver_com.commodo.certificate.zip
Archive: ../myserver_com.commodo.certificate.zip
extracting: AddTrustExternalCARoot.crt
extracting: COMODORSAAddTrustCA.crt
extracting: COMODORSADomainValidationSecureServerCA.crt
extracting: myserver_com.crt
Note that the alphabetical order happens to be the reverse of the certificate chain, from the root CA down to the server certificate. The root CA is not Comodo, but that is beside the point.
Consider the following output:
openssl x509 -noout -subject -issuer -in myserver_com.crt
subject= /OU=Domain Control Validated/OU=PositiveSSL/CN=myserver.com
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
openssl x509 -noout -subject -issuer -in COMODORSADomainValidationSecureServerCA.crt
subject= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
openssl x509 -noout -subject -issuer -in COMODORSAAddTrustCA.crt
subject= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
openssl x509 -noout -subject -issuer -in AddTrustExternalCARoot.crt
subject= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
The issuer of each certificate is the subject of the next one, up to the root CA certificate from AddTrust AB, which is self-signed. The chain is complete.
Verifying the individual certificates gives:
$ openssl verify *.crt
AddTrustExternalCARoot.crt: OK
COMODORSAAddTrustCA.crt: OK
COMODORSADomainValidationSecureServerCA.crt: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
error 20 at 0 depth lookup:unable to get local issuer certificate
myserver_com.crt: OU = Domain Control Validated, OU = PositiveSSL, CN = myserver.com
error 20 at 0 depth lookup:unable to get local issuer certificate
The first two certificates are already installed on the server, which links the two, but I chained them all together anyway.
certificate_list
This is a sequence (chain) of certificates. The sender's
certificate MUST come first in the list. Each following
certificate MUST directly certify the one preceding it. Because
certificate validation requires that root keys be distributed
independently, the self-signed certificate that specifies the root
certificate authority MAY be omitted from the chain, under the
assumption that the remote end must already possess it in order to
validate it in any case.
When I chain them in the correct order, the certificate is recognized as the server certificate of the TLS session, but it is not verified.
$ cat myserver_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > chained.crt
$ openssl verify chained.crt
chained.crt: OU = Domain Control Validated, OU = PositiveSSL, CN = das.email
error 20 at 0 depth lookup:unable to get local issuer certificate
When connecting to the server with
$ openssl s_client -crlf -connect myserver:465
the certificate is accepted and the chain is recognized, but the root certificate is not recognized as trusted, even though it is present among the trusted certificates in /etc/ssl/mozilla/.
What am I missing? Can I simply ignore the error from the command-line openssl tool?
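An added example, not part of the original question, that reproduces the situation with a throwaway root, intermediate and leaf (all names constructed) and shows the behaviour behind the error: openssl verify validates only the first certificate of each file you pass it and ignores the rest of a concatenated chain, so the intermediates have to be supplied with -untrusted and the root with -CAfile. It assumes openssl is on PATH with its default configuration file.

```shell
# Added example (not from the post): build root -> intermediate -> leaf with
# constructed names, then compare the post's "openssl verify chained.crt" with
# a verify call that is told where the intermediates and the trust anchor are.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
# Extensions: CA certificates must say CA:TRUE, the server certificate CA:FALSE
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:myserver.example\n' > leaf.ext

# csr NAME SUBJECT: fresh RSA key plus CSR (stderr is only progress noise)
csr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null; }
csr root  "/CN=Example Root CA"
csr inter "/CN=Example Intermediate CA"
csr leaf  "/CN=myserver.example"
# Self-signed root, intermediate signed by the root, leaf signed by the intermediate
openssl x509 -req -in root.csr  -signkey root.key -out root.crt -days 2 -extfile ca.ext 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt  -CAkey root.key  -CAcreateserial -out inter.crt -days 2 -extfile ca.ext   2>/dev/null
openssl x509 -req -in leaf.csr  -CA inter.crt -CAkey inter.key -CAcreateserial -out leaf.crt  -days 2 -extfile leaf.ext 2>/dev/null

# Same layout as the post's chained.crt: server certificate first, root last
cat leaf.crt inter.crt root.crt > chained.crt

# Exactly what the post ran. Only the first certificate (the leaf) is verified;
# the intermediates behind it are never read and the root is not in the default
# trust store, so this exits non-zero with error 20.
verify_naive() { openssl verify chained.crt; }
# The error line from that run, for comparison with the post's output
naive_error() { openssl verify chained.crt 2>&1 | grep -o 'unable to get local issuer certificate' | head -n1; }
# The working form: the bundle (chained.crt itself is fine) as -untrusted helper
# certificates, the root as the trust anchor, and the leaf as the certificate under test
verify_chain() { openssl verify -CAfile root.crt -untrusted chained.crt leaf.crt; }

naive_error    # prints: unable to get local issuer certificate
verify_chain   # prints: leaf.crt: OK
```

With -verify_hostname myserver.example added to verify_chain the same call also checks the subjectAltName, which is the check a TLS client performs on top of chain validation.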