openssl: Not able to verify 3rd in the chain with self signed certificate

Asked by: unalignedmemoryaccess  Asked: 11/16/2023  Updated: 11/16/2023  Views: 17

Q:

I am trying to implement a certificate chain with OpenSSL, but I am having a problem when doing the verification. For reference: root -> intermediate -> user1, user2, ...

Batch script:

:: Generate root certificate and self sign it
openssl genrsa -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=root"

:: Intermediate certificate, signed with root CA
openssl genrsa -out intermediate.key 2048
openssl req -addext basicConstraints=CA:TRUE -new -sha256 -key intermediate.key -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=intermediate" -out intermediate.csr
openssl x509 -req -in intermediate.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out intermediate.crt -days 500 -sha256

:: User 1 certificate, signed by intermediate certificate
openssl genrsa -out user1.key 2048
openssl req -addext basicConstraints=CA:TRUE -new -sha256 -key user1.key -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=user1" -out user1.csr
openssl x509 -req -in user1.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial -out user1.crt -days 500 -sha256

:: User 2 certificate, signed by intermediate certificate
openssl genrsa -out user2.key 2048
openssl req -addext basicConstraints=CA:TRUE -new -sha256 -key user2.key -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=user2" -out user2.csr 
openssl x509 -req -in user2.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial -out user2.crt -days 500 -sha256

:: Verify user 1 certificate trust chain w/o untrusted mode
openssl verify -verbose -CAfile rootca.crt intermediate.crt user1.crt

:: Verify user 1 certificate trust chain
echo "verify check with untrusted mode"
openssl verify -verbose -CAfile rootca.crt -untrusted intermediate.crt user1.crt

Running the verify command: without the -untrusted argument

> openssl verify -verbose -CAfile rootca.crt intermediate.crt user1.crt
C = US, ST = CA, O = "MyOrg, Inc.", CN = intermediate
error 24 at 1 depth lookup: invalid CA certificate
error user1.crt: verification failed

With the -untrusted argument

> openssl verify -verbose -CAfile rootca.crt -untrusted intermediate.crt user1.crt
C = US, ST = CA, O = "MyOrg, Inc.", CN = intermediate
error 24 at 1 depth lookup: invalid CA certificate
error user1.crt: verification failed

What do I need to do to verify that rootca.crt is really the root certificate for user1.crt?

The script that generates the certificates is based on this one: https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309


Comments

0 dave_thompson_085 11/16/2023
Run openssl x509 -in intermediate.crt -text and observe that it has no BasicConstraints extension. Then search here for the dozens of existing Qs about "certificate created by openssl lacks extensions" (although that is now off-topic), and also serverfault and security.SX, for working methods of adding it. After fixing the intermediate, you usually don't want ca:TRUE in the "user" certs, but you may want some or all of SAN, AKI, EKU in them.
0 unalignedmemoryaccess 11/16/2023
Thanks for the hint @dave_thompson_085, will try it as soon as possible.

A: No answers yet
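The failure in the question and the fix the comment points at, as an added example that is not the poster's script: "openssl x509 -req" does not carry the CSR's basicConstraints into the signed certificate, so the intermediate is not a CA and verification stops with error 24. The script assumes openssl 1.1.1 or later is in PATH and builds a throwaway PKI in a temporary directory (all names and subjects are constructed for the example).

```shell
#!/bin/sh
# Added example, not the poster's script: reproduces "error 24 ... invalid CA
# certificate" and shows the fix. Assumes openssl (1.1.1 or later) is in PATH.
set -eu

WORK=$(mktemp -d)          # constructed throwaway PKI, nothing persists
cd "$WORK"
SUBJ="/C=US/ST=CA/O=MyOrg, Inc."

# Root: "req -x509" makes a self-signed CA:TRUE certificate on its own.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
    -days 365 -subj "$SUBJ/CN=root" 2>/dev/null

# Intermediate CSR carrying CA:TRUE, exactly as in the question.
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -addext basicConstraints=critical,CA:TRUE -subj "$SUBJ/CN=intermediate" 2>/dev/null

# Broken: "x509 -req" drops the CSR's extensions unless told to copy them
# (-copy_extensions copy needs OpenSSL 3.2+), so the result is not a CA.
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out inter_bad.crt -days 365 2>/dev/null

# Fixed: hand the CA extensions to the signer via -extfile.
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > ca.ext
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out inter_good.crt -days 365 -extfile ca.ext 2>/dev/null

# Leaf signed with the intermediate key (the same key sits behind both
# intermediates, so only the CA check differs) and without CA:TRUE.
openssl req -newkey rsa:2048 -nodes -keyout user1.key -out user1.csr \
    -subj "$SUBJ/CN=user1" 2>/dev/null
openssl x509 -req -in user1.csr -CA inter_good.crt -CAkey inter.key \
    -CAcreateserial -out user1.crt -days 365 2>/dev/null

# The check from the comment: does the certificate carry CA:TRUE?
has_ca_constraint() {   # $1 = cert file; prints yes or no
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

# Chain verification with the intermediate given as -untrusted; prints ok or fail.
verify_chain() {        # $1 = intermediate, $2 = leaf
    if openssl verify -CAfile root.crt -untrusted "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

echo "inter_bad  CA:TRUE=$(has_ca_constraint inter_bad.crt)  verify=$(verify_chain inter_bad.crt user1.crt)"
echo "inter_good CA:TRUE=$(has_ca_constraint inter_good.crt) verify=$(verify_chain inter_good.crt user1.crt)"
```

The first line prints CA:TRUE=no and verify=fail, the second CA:TRUE=yes and verify=ok; the same -extfile approach (with SAN, AKI, EKU instead of CA:TRUE) is how the user certificates get their extensions.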