Verifying a certificate chain with OpenSSL
## 1. Fetching the site's certificate information

```
# fetch the Taobao certificate information
openssl s_client -showcerts -connect www.taobao.com:443
```

For example:
```
[[email protected] wss]# openssl s_client -showcerts -connect www.taobao.com:443
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
verify return:1
depth=0 C = CN, ST = ZheJiang, L = HangZhou, O = "Alibaba (China) Technology Co., Ltd.", CN = *.tmall.com
verify return:1
---
Certificate chain
 0 s:/C=CN/ST=ZheJiang/L=HangZhou/O=Alibaba (China) Technology Co., Ltd./CN=*.tmall.com
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
-----BEGIN CERTIFICATE-----
#@ this is certificate 1, the *.tmall.com certificate
#@ issued by GlobalSign Organization Validation CA - SHA256 - G2
-----END CERTIFICATE-----
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
-----BEGIN CERTIFICATE-----
#@ this is certificate 2, GlobalSign Organization Validation CA - SHA256 - G2
#@ issued by GlobalSign Root CA
-----END CERTIFICATE-----
---
Server certificate
subject=/C=CN/ST=ZheJiang/L=HangZhou/O=Alibaba (China) Technology Co., Ltd./CN=*.tmall.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4041 bytes and written 373 bytes
```
## 2. Verifying the certificate chain

We take the three-level structure of the Tmall certificate as an example:

- GlobalSign Root CA: a self-signed certificate, shipped built into browsers
  - GlobalSign Organization Validation CA - SHA256 - G2: the intermediate certificate
    - *.tmall.com: Tmall's wildcard certificate

Save them as GlobalSign.CA.cer, Middle.cer and TMall.cer respectively.

The chain can then be verified as follows:
```
[[email protected] wss]# openssl verify GlobalSign.CA.cer
GlobalSign.CA.cer: OK
#@ verifying the CA directly: fine
[[email protected] wss]# openssl verify -CAfile GlobalSign.CA.cer Middle.cer
Middle.cer: OK
#@ verifying the intermediate against the CA: also fine
[[email protected] wss]# openssl verify -CAfile Middle.cer TMall.cer
TMall.cer: C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
error 2 at 1 depth lookup:unable to get issuer certificate
#@ verifying the TMall certificate against the intermediate alone: fails
[[email protected] wss]# openssl verify -CAfile GlobalSign.CA.cer TMall.cer
TMall.cer: C = CN, ST = ZheJiang, L = HangZhou, O = "Alibaba (China) Technology Co., Ltd.", CN = *.tmall.com
error 20 at 0 depth lookup:unable to get local issuer certificate
#@ verifying the TMall certificate against the CA alone: fails
[[email protected] wss]# cat GlobalSign.CA.cer Middle.cer > bundle.cer
[[email protected] wss]# openssl verify -CAfile bundle.cer TMall.cer
TMall.cer: OK
#@ combining the CA and the intermediate, then verifying the TMall certificate: succeeds
```
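The two failures above follow from how `openssl verify` treats `-CAfile`: every certificate in that file is a trust anchor, but a chain is only accepted once it reaches a self-signed certificate from the store. With the intermediate alone, the leaf's issuer is found but the intermediate's own issuer is not (error 2 at depth 1); with the root alone, the leaf's issuer is missing entirely (error 20 at depth 0). The script below is an added example, not part of the original post: it builds a throwaway root/intermediate/leaf chain with constructed names (Demo Root CA, Demo Intermediate CA, demo.example.test), replays the same verify calls against it, and adds the `-untrusted` form, which hands the intermediate to the verifier as chain-building material rather than as a trust anchor.

```shell
#!/bin/sh
# Added example: builds a throwaway three-tier chain (root -> intermediate -> leaf)
# and replays the verify cases from the article against it. All certificate
# names are constructed for the demo; nothing is fetched from the network.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the run does not depend on the system openssl.cnf.
# The dn section is only a placeholder; -subj overrides it on every call.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
# The intermediate must itself be marked as a CA, or verify rejects it as an issuer.
printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$WORK/int_ext.cnf"
# The leaf is an end-entity certificate.
printf 'basicConstraints = critical, CA:FALSE\n' > "$WORK/leaf_ext.cnf"

# Fresh P-256 key for every certificate; unencrypted so no passphrase prompt appears.
KEYSPEC="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# Self-signed root, issued with the CA extensions from req.cnf.
openssl req -new -x509 -config "$WORK/req.cnf" $KEYSPEC -days 30 \
    -subj "/CN=Demo Root CA" -keyout "$WORK/root.key" -out "$WORK/root.cer" 2>/dev/null
# Intermediate: CSR, then signed by the root.
openssl req -new -config "$WORK/req.cnf" $KEYSPEC \
    -subj "/CN=Demo Intermediate CA" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.cer" -CAkey "$WORK/root.key" \
    -set_serial 2 -days 30 -extfile "$WORK/int_ext.cnf" -out "$WORK/int.cer" 2>/dev/null
# Leaf: CSR, then signed by the intermediate.
openssl req -new -config "$WORK/req.cnf" $KEYSPEC \
    -subj "/CN=demo.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.cer" -CAkey "$WORK/int.key" \
    -set_serial 3 -days 30 -extfile "$WORK/leaf_ext.cnf" -out "$WORK/leaf.cer" 2>/dev/null

# Same trick as the article: root and intermediate concatenated into one trust file.
cat "$WORK/root.cer" "$WORK/int.cer" > "$WORK/bundle.cer"

# Runs "openssl verify" with the given arguments and prints OK, or FAIL followed by
# the first "error N at D depth" line. Always returns 0 so it is safe under set -e.
verify_result() {
    if out=$(openssl verify "$@" 2>&1); then
        echo "OK"
    else
        echo "FAIL: $(printf '%s\n' "$out" | grep 'error [0-9]' | head -n 1)"
    fi
}

cd "$WORK"
printf '%-48s %s\n' "root against itself:"                     "$(verify_result -CAfile root.cer root.cer)"
printf '%-48s %s\n' "intermediate against root:"               "$(verify_result -CAfile root.cer int.cer)"
printf '%-48s %s\n' "leaf against intermediate only:"          "$(verify_result -CAfile int.cer leaf.cer)"
printf '%-48s %s\n' "leaf against root only:"                  "$(verify_result -CAfile root.cer leaf.cer)"
printf '%-48s %s\n' "leaf against root+intermediate bundle:"   "$(verify_result -CAfile bundle.cer leaf.cer)"
printf '%-48s %s\n' "leaf, root trusted, intermediate -untrusted:" "$(verify_result -CAfile root.cer -untrusted int.cer leaf.cer)"
```

The bundle approach works, but it quietly promotes the intermediate to a trust anchor; `-CAfile root.cer -untrusted int.cer` keeps trust where it belongs and is the closer model of what a browser does with the intermediate sent by the server. The same distinction applies to `openssl s_client`, which takes `-CAfile` for anchors and relies on the server-supplied chain for intermediates.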