Ssl
OpenSSL 如何確定證書是否適用於根 CA?
我有一個由 Verisign 根 CA 頒發的 Verisign 中間證書。但是當我要求 OpenSSL 在不提供根 CA 證書的情況下驗證鏈時,OpenSSL 說該鍊是有效的。為什麼?中間證書中的 subject 和 issuer 欄位是不同的。
這是我正在使用的命令:
openssl verify -verbose VSIntermediate.pem這是證書:
Certificate: Data: Version: 3 (0x2) Serial Number: 2c:48:dd:93:0d:f5:59:8e:f9:3c:99:54:7a:60:ed:43 Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5 Validity Not Before: Nov 8 00:00:00 2006 GMT Not After : Nov 7 23:59:59 2016 GMT Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)06, CN=VeriSign Class 3 Extended Validation SSL SGC CA Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:bd:56:88:ba:88:34:64:64:cf:cd:ca:b0:ee:e7: 19:73:c5:72:d9:bb:45:bc:b5:a8:ff:83:be:1c:03: db:ed:89:b7:2e:10:1a:25:bc:55:ca:41:a1:9f:0b: cf:19:5e:70:b9:5e:39:4b:9e:31:1c:5f:87:ae:2a: aa:a8:2b:a2:1b:3b:10:23:5f:13:b1:dd:08:8c:4e: 14:da:83:81:e3:b5:8c:e3:68:ed:24:67:ce:56:b6: ac:9b:73:96:44:db:8a:8c:b3:d6:f0:71:93:8e:db: 71:54:4a:eb:73:59:6a:8f:70:51:2c:03:9f:97:d1: cc:11:7a:bc:62:0d:95:2a:c9:1c:75:57:e9:f5:c7: ea:ba:84:35:cb:c7:85:5a:7e:e4:4d:e1:11:97:7d: 0e:20:34:45:db:f1:a2:09:eb:eb:3d:9e:b8:96:43: 5e:34:4b:08:25:1e:43:1a:a2:d9:b7:8a:01:34:3d: c3:f8:e5:af:4f:8c:ff:cd:65:f0:23:4e:c5:97:b3: 5c:da:90:1c:82:85:0d:06:0d:c1:22:b6:7b:28:a4: 03:c3:4c:53:d1:58:bc:72:bc:08:39:fc:a0:76:a8: a8:e9:4b:6e:88:3d:e3:b3:31:25:8c:73:29:48:0e: 32:79:06:ed:3d:43:f4:f6:e4:e9:fc:7d:be:8e:08: d5:1f Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 4E:43:C8:1D:76:EF:37:53:7A:4F:F2:58:6F:94:F3:38:E2:D5:BD:DF X509v3 Basic Constraints: critical CA:TRUE, pathlen:0 X509v3 Certificate Policies: Policy: X509v3 Any Policy CPS: https://www.verisign.com/cps X509v3 CRL Distribution Points: Full Name: URI:http://EVSecure-crl.verisign.com/pca3-g5.crl X509v3 Key Usage: critical Certificate Sign, CRL Sign Netscape Cert Type: SSL CA, S/MIME CA 1.3.6.1.5.5.7.1.12: 0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif X509v3 Subject Alternative Name: DirName:/CN=Class3CA2048-1-48 X509v3 Authority Key Identifier: keyid:7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33 Authority Information Access: OCSP - URI:http://EVSecure-ocsp.verisign.com X509v3 Extended Key Usage: Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1, TLS Web Server Authentication, TLS Web Client Authentication Signature Algorithm: sha1WithRSAEncryption 27:74:a6:34:ea:1d:9d:e1:53:d6:1c:9d:0c:a7:5b:4c:a9:67: f2:f0:32:b7:01:0f:fb:42:18:38:de:e4:ee:49:c8:13:c9:0b: ec:04:c3:40:71:18:72:76:43:02:23:5d:ab:7b:c8:48:14:1a: c8:7b:1d:fc:f6:0a:9f:36:a1:d2:09:73:71:66:96:75:51:34: bf:99:30:51:67:9d:54:b7:26:45:ac:73:08:23:86:26:99:71: f4:8e:d7:ea:39:9b:06:09:23:bf:62:dd:a8:c4:b6:7d:a4:89: 07:3e:f3:6d:ae:40:59:50:79:97:37:3d:32:78:7d:b2:63:4b: f9:ea:08:69:0e:13:ed:e8:cf:bb:ac:05:86:ca:22:cf:88:62: 5d:3c:22:49:d8:63:d5:24:a6:bd:ef:5c:e3:cc:20:3b:22:ea: fc:44:c6:a8:e5:1f:e1:86:cd:0c:4d:8f:93:53:d9:7f:ee:a1: 08:a7:b3:30:96:49:70:6e:a3:6c:3d:d0:63:ef:25:66:63:cc: aa:b7:18:17:4e:ea:70:76:f6:ba:42:a6:80:37:09:4e:9f:66: 88:2e:6b:33:66:c8:c0:71:a4:41:eb:5a:e3:fc:14:2e:4b:88: fd:ae:6e:5b:65:e9:27:e4:bf:e4:b0:23:c1:b2:7d:5b:62:25: d7:3e:10:d4 -----BEGIN CERTIFICATE----- MIIGHjCCBQagAwIBAgIQLEjdkw31WY75PJlUemDtQzANBgkqhkiG9w0BAQUFADCB yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0 aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMTYxMTA3MjM1OTU5WjCBvjEL MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQg aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNjE4MDYGA1UEAxMvVmVy aVNpZ24gQ2xhc3MgMyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNTTCBTR0MgQ0EwggEi MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9Voi6iDRkZM/NyrDu5xlzxXLZ u0W8taj/g74cA9vtibcuEBolvFXKQaGfC88ZXnC5XjlLnjEcX4euKqqoK6IbOxAj XxOx3QiMThTag4HjtYzjaO0kZ85Wtqybc5ZE24qMs9bwcZOO23FUSutzWWqPcFEs A5+X0cwRerxiDZUqyRx1V+n1x+q6hDXLx4VafuRN4RGXfQ4gNEXb8aIJ6+s9nriW Q140SwglHkMaotm3igE0PcP45a9PjP/NZfAjTsWXs1zakByChQ0GDcEitnsopAPD TFPRWLxyvAg5/KB2qKjpS26IPeOzMSWMcylIDjJ5Bu09Q/T25On8fb6OCNUfAgMB AAGjggIIMIICBDAdBgNVHQ4EFgQUTkPIHXbvN1N6T/JYb5TzOOLVvd8wEgYDVR0T AQH/BAgwBgEB/wIBADA9BgNVHSAENjA0MDIGBFUdIAAwKjAoBggrBgEFBQcCARYc aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczA9BgNVHR8ENjA0MDKgMKAuhixo dHRwOi8vRVZTZWN1cmUtY3JsLnZlcmlzaWduLmNvbS9wY2EzLWc1LmNybDAOBgNV HQ8BAf8EBAMCAQYwEQYJYIZIAYb4QgEBBAQDAgEGMG0GCCsGAQUFBwEMBGEwX6Fd oFswWTBXMFUWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFI/l0xqGrI2Oa8PPgGrU SBgsexkuMCUWI2h0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28uZ2lmMCkG A1UdEQQiMCCkHjAcMRowGAYDVQQDExFDbGFzczNDQTIwNDgtMS00ODAfBgNVHSME GDAWgBR/02Wnwt3su/AwCfNDOfoCrzMxMzA9BggrBgEFBQcBAQQxMC8wLQYIKwYB BQUHMAGGIWh0dHA6Ly9FVlNlY3VyZS1vY3NwLnZlcmlzaWduLmNvbTA0BgNVHSUE LTArBglghkgBhvhCBAEGCmCGSAGG+EUBCAEGCCsGAQUFBwMBBggrBgEFBQcDAjAN BgkqhkiG9w0BAQUFAAOCAQEAJ3SmNOodneFT1hydDKdbTKln8vAytwEP+0IYON7k 7knIE8kL7ATDQHEYcnZDAiNdq3vISBQayHsd/PYKnzah0glzcWaWdVE0v5kwUWed VLcmRaxzCCOGJplx9I7X6jmbBgkjv2LdqMS2faSJBz7zba5AWVB5lzc9Mnh9smNL +eoIaQ4T7ejPu6wFhsoiz4hiXTwiSdhj1SSmve9c48wgOyLq/ETGqOUf4YbNDE2P k1PZf+6hCKezMJZJcG6jbD3QY+8lZmPMqrcYF07qcHb2ukKmgDcJTp9miC5rM2bI wHGkQeta4/wULkuI/a5uW2XpJ+S/5LAjwbJ9W2Il1z4Q1A== -----END CERTIFICATE-----
使用
openssl verifyopenssl 時將嘗試使用CAFile您指定的路徑,如果不存在,它將載入編譯時選擇的預設驗證路徑。在我的系統上是
/etc/pki/tls/cert.pem.
雖然 Openssl 本身不包含任何根 CA 證書,但大多數包含 openssl 的作業系統發行版都包含此類證書,因此您可能已經在系統上安裝了 Verisign 根證書。例如在 Debian Linux 中,它們位於 ca-certificates 包中。