如何針對多個證書路徑驗證證書吊銷列表
在最近的一個問題中,我概述了驗證萬用字元 SSL 證書以從遠端客戶端連接到 PostgreSQL 的步驟(使用與我的 Web 伺服器相同的萬用字元證書)。雖然我解決了這個問題,但我還沒有弄清楚的一件揮之不去的事情是如何確認我的證書具有正確的 CRL。
我的證書有兩個證書路徑(來自 SSLLabs 測試的螢幕截圖):
但是,CA 僅將這些路徑之一(路徑 #2)的 CRL 包含在其頒發的證書中。我相信我已經確定了第二條路徑的正確 CRL,但我不確定如何根據我的 SSL 證書檢查它以確認它是正確的。我可以直覺地確認 CN 匹配,但必須有一些 OpenSSL 命令來根據相應的證書驗證 CRL。我得出的結論是,我不能為此使用 CRL 指紋,因為它們會隨著 CRL 的每個版本而變化。
問題:
如何通過 OpenSSL(單獨或捆綁)針對其特定的可信路徑驗證每個單獨的 CRL?
這兩個 CRL 能否以與捆綁證書相同的方式捆綁(即,通過簡單地附加 PEM 文件)?
本質上,我正在尋找一種確定的方法來測試“是的,這個 CRL(捆綁包?)包含這個證書的正確 CRL”。使用證書和私鑰,我可以測試模數,但這對於根證書/CRL 是否足夠強大?
這是我正在使用的特定根證書和 CRL(與上圖相同)。
路徑 #1 根
路徑 #1 的根證書(USERTrust RSA 證書頒發機構):
# openssl x509 -fingerprint -noout -in USERTrustRSACertificationAuthority.crt SHA1 Fingerprint=2B:8F:1B:57:33:0D:BB:A2:D0:7A:6C:51:F7:0E:E9:0D:DA:B9:AD:8E
這是我認為上述根證書的正確 CRL:
從 CA 下載 CRL:
# wget http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
將 DER 轉換為 PEM:
# openssl crl -inform DER -in USERTrustRSACertificationAuthority.crl -outform PEM -out USERTrustRSACertificationAuthority.pem
獲取 CRL 的指紋:
# openssl crl -fingerprint -noout -in USERTrustRSACertificationAuthority.pem SHA1 Fingerprint=BA:32:A2:48:F9:72:C9:01:44:17:B0:EE:6D:7F:AB:29:50:6F:A2:D4
列印 CRL 的文本版本:
# openssl crl -in USERTrustRSACertificationAuthority.pem -text Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha384WithRSAEncryption Issuer: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority Last Update: Aug 18 13:58:25 2019 GMT Next Update: Aug 22 13:58:25 2019 GMT CRL extensions: X509v3 Authority Key Identifier: keyid:53:79:BF:5A:AA:2B:4A:CF:54:80:E1:D8:9B:C0:9D:F2:B2:03:66:CB X509v3 CRL Number: 3628 Revoked Certificates: Serial Number: D8C857CAE4BE66F913759FDDA3D5DB2B Revocation Date: Mar 16 12:21:54 2018 GMT Serial Number: A6DC2ED38830CC033D23ABCEB72564BF Revocation Date: Mar 16 12:21:54 2018 GMT Serial Number: 3291B976375B708A08E5322427BBC434 Revocation Date: Mar 16 12:21:54 2018 GMT Signature Algorithm: sha384WithRSAEncryption 65:73:d1:c2:b2:21:83:6b:10:9c:0d:83:e7:07:32:7a:8b:25: bf:1c:84:03:7b:f5:8f:c1:3b:4e:3f:b3:0c:c9:61:1d:be:4c: 92:5e:cd:fe:56:07:0b:ff:52:38:f1:1b:0e:ad:40:a7:d8:28: 59:76:c2:e7:24:77:29:71:e5:53:4c:2f:c3:65:ce:b3:49:9c: 45:d3:4a:0a:a5:75:00:1f:65:85:9c:16:e2:d7:38:6f:ea:bf: d3:58:ef:7e:cb:10:7a:c8:9b:bb:e4:69:e6:35:b4:31:88:19: 29:dc:2b:87:95:4f:9e:17:0a:f5:16:b7:70:1f:2a:7c:d0:ed: fd:00:a7:11:0c:68:e0:4f:f7:a0:d8:13:34:43:7f:09:e8:21: 2a:9f:34:cc:ab:10:49:ba:ff:21:b9:97:57:25:c9:28:21:66: 1e:e0:23:45:35:20:c6:8f:a8:93:b5:40:7f:e5:c3:73:ce:2a: d1:52:0c:9f:36:53:f7:e6:9b:03:18:94:56:9e:7b:34:20:ba: 98:b9:fa:85:d9:95:7a:46:8e:d1:f1:b5:56:be:4c:30:be:4e: 2d:28:37:a3:60:5b:91:b8:c5:38:30:94:3a:7f:fa:0b:bb:f0: af:fd:e8:67:78:55:42:11:32:71:57:0e:b3:66:17:83:52:76: d7:00:4a:24:87:a0:82:8e:7f:0e:21:64:a8:48:65:82:74:11: 15:fa:99:6d:c7:5b:cf:5f:09:0b:2b:5a:a4:71:51:af:99:04: 1e:49:14:01:fe:70:0d:a0:ec:2a:4e:c4:f5:3a:d6:bc:80:7d: 6c:9c:53:c4:25:32:c8:8a:6f:b7:5a:61:7f:4c:a1:b2:95:c9: 57:67:8f:45:81:d2:3d:b9:9e:86:91:61:03:2a:51:16:50:3b: d4:21:83:89:98:0f:93:4d:00:82:78:67:62:70:8d:c0:e9:3b: 77:4b:b7:4d:52:1f:f7:cd:04:5e:e4:02:c2:89:7b:64:79:69: da:f4:57:3d:36:0d:9e:b4:fc:fc:71:cb:6d:dc:0d:1e:cc:f9: d9:5a:5e:36:e3:5c:56:8a:a2:70:75:c2:b4:70:8b:9f:b0:86: 04:42:a5:35:5b:47:a4:df:e0:94:3a:5a:32:e6:9c:1f:02:10: d4:14:88:de:d2:46:fc:bb:b6:1c:71:90:88:6f:07:cb:5c:be: 5c:e1:52:42:d6:af:e6:3a:7c:c0:10:6c:94:5b:2f:1c:cd:5a: a0:c1:de:8d:79:4c:54:9d:a6:60:21:b1:39:0d:bc:98:c9:54: ac:54:55:9b:05:44:c4:af:94:f4:2d:b3:cb:8f:31:d4:bf:0d: ea:60:66:92:7b:fa:8c:a6 -----BEGIN X509 CRL----- MIIDcjCCAVoCAQEwDQYJKoZIhvcNAQEMBQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYD VQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMV VGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgUlNBIENl cnRpZmljYXRpb24gQXV0aG9yaXR5Fw0xOTA4MTgxMzU4MjVaFw0xOTA4MjIxMzU4 MjVaMGswIgIRANjIV8rkvmb5E3Wf3aPV2ysXDTE4MDMxNjEyMjE1NFowIgIRAKbc LtOIMMwDPSOrzrclZL8XDTE4MDMxNjEyMjE1NFowIQIQMpG5djdbcIoI5TIkJ7vE NBcNMTgwMzE2MTIyMTU0WqAwMC4wHwYDVR0jBBgwFoAUU3m/WqorSs9UgOHYm8Cd 8rIDZsswCwYDVR0UBAQCAg4sMA0GCSqGSIb3DQEBDAUAA4ICAQBlc9HCsiGDaxCc DYPnBzJ6iyW/HIQDe/WPwTtOP7MMyWEdvkySXs3+VgcL/1I48RsOrUCn2ChZdsLn JHcpceVTTC/DZc6zSZxF00oKpXUAH2WFnBbi1zhv6r/TWO9+yxB6yJu75GnmNbQx iBkp3CuHlU+eFwr1FrdwHyp80O39AKcRDGjgT/eg2BM0Q38J6CEqnzTMqxBJuv8h uZdXJckoIWYe4CNFNSDGj6iTtUB/5cNzzirRUgyfNlP35psDGJRWnns0ILqYufqF 2ZV6Ro7R8bVWvkwwvk4tKDejYFuRuMU4MJQ6f/oLu/Cv/ehneFVCETJxVw6zZheD UnbXAEokh6CCjn8OIWSoSGWCdBEV+pltx1vPXwkLK1qkcVGvmQQeSRQB/nANoOwq TsT1Ota8gH1snFPEJTLIim+3WmF/TKGylclXZ49FgdI9uZ6GkWEDKlEWUDvUIYOJ mA+TTQCCeGdicI3A6Tt3S7dNUh/3zQRe5ALCiXtkeWna9Fc9Ng2etPz8cctt3A0e zPnZWl4241xWiqJwdcK0cIufsIYEQqU1W0ek3+CUOloy5pwfAhDUFIje0kb8u7Yc cZCIbwfLXL5c4VJC1q/mOnzAEGyUWy8czVqgwd6NeUxUnaZgIbE5DbyYyVSsVFWb BUTEr5T0LbPLjzHUvw3qYGaSe/qMpg== -----END X509 CRL-----
路徑 #2 根
路徑 #2 的根證書(AddTrust External CA Root):
# openssl x509 -fingerprint -noout -in AddTrustExternalCARoot.crt SHA1 Fingerprint=02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68
從 CA 下載 CRL:
# wget http://crl.comodoca.com/AddTrustExternalCARoot.crl
將 DER 轉換為 PEM:
# openssl crl -inform DER -in AddTrustExternalCARoot.crl -outform PEM -out AddTrustExternalCARoot.pem
獲取 CRL 的指紋:
# openssl crl -fingerprint -noout -in AddTrustExternalCARoot.pem SHA1 Fingerprint=3B:03:0D:23:1C:F5:1F:53:0A:CC:AA:7A:25:BF:EE:D5:3F:80:8A:BB
列印 CRL 的文本版本:
# openssl crl -in AddTrustExternalCARoot.pem -text Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root Last Update: Aug 18 13:58:25 2019 GMT Next Update: Aug 22 13:58:25 2019 GMT CRL extensions: X509v3 Authority Key Identifier: keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A X509v3 CRL Number: 5362 Revoked Certificates: Serial Number: 537B76564F297F14DC6943E922AD2C79 Revocation Date: Dec 14 15:58:30 2015 GMT Serial Number: 46EAF096054CC5E3FA65EA6E9F42C664 Revocation Date: Dec 14 15:58:30 2015 GMT Serial Number: 3ACDAB9C759886BCAF74E5DF81A9F4E8 Revocation Date: Dec 14 15:58:30 2015 GMT Serial Number: 79174AA9141736FE15A7CA9F2CFF4588 Revocation Date: Apr 30 20:03:54 2018 GMT Serial Number: 74C18753F7EEB4EA238D8416B5AC7646 Revocation Date: Oct 9 09:11:57 2018 GMT Signature Algorithm: sha1WithRSAEncryption a8:f8:d9:b4:e2:75:46:19:27:0f:88:68:69:fa:06:f9:6a:51: bd:17:6e:8f:35:7c:2d:27:28:84:b1:59:99:c5:59:12:60:bc: 50:f6:32:47:5b:f7:72:b9:42:40:2a:00:e5:63:e0:af:45:04: 99:72:6c:ee:30:e7:dd:53:f6:1c:7b:9e:01:b5:06:ea:86:5f: 8a:66:65:12:37:75:55:8a:3b:91:dd:87:43:be:c4:ce:6c:29: 80:33:38:f4:df:e6:ed:d3:c9:ea:5c:e6:ee:57:22:7e:ca:fe: 58:bd:e9:1d:f6:1a:02:9c:a1:86:77:ed:c1:7b:ea:a1:c8:cf: 0f:5f:5b:ad:92:38:fc:86:45:5f:fc:99:cb:19:25:62:b0:61: 6b:a7:8b:70:71:38:5a:39:e6:7f:de:d1:84:db:1c:cc:f3:e2: 88:c6:4f:89:7a:5b:04:3d:cf:71:51:60:41:6d:38:9a:3f:08: 4b:35:00:63:87:97:70:1f:15:ff:e1:72:20:7b:59:1f:de:41: e4:81:6f:26:12:5e:c6:6f:cb:77:00:99:97:da:c2:68:fe:d5: 07:3f:a5:e0:fa:33:6b:c9:f3:b8:7f:02:05:b4:23:9f:4b:5d: 5c:2f:dd:81:7c:bf:5c:3f:87:f1:dd:03:03:f3:bc:3e:68:86: ae:a9:64:7d -----BEGIN X509 CRL----- MIICnTCCAYUCAQEwDQYJKoZIhvcNAQEFBQAwbzELMAkGA1UEBhMCU0UxFDASBgNV BAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5hbCBUVFAg TmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9vdBcNMTkw ODE4MTM1ODI1WhcNMTkwODIyMTM1ODI1WjCBrzAhAhBTe3ZWTyl/FNxpQ+kirSx5 Fw0xNTEyMTQxNTU4MzBaMCECEEbq8JYFTMXj+mXqbp9CxmQXDTE1MTIxNDE1NTgz MFowIQIQOs2rnHWYhryvdOXfgan06BcNMTUxMjE0MTU1ODMwWjAhAhB5F0qpFBc2 /hWnyp8s/0WIFw0xODA0MzAyMDAzNTRaMCECEHTBh1P37rTqI42EFrWsdkYXDTE4 MTAwOTA5MTE1N1qgMDAuMB8GA1UdIwQYMBaAFK29mHo0tCb3+sQmVO8DveAky1Qa MAsGA1UdFAQEAgIU8jANBgkqhkiG9w0BAQUFAAOCAQEAqPjZtOJ1RhknD4hoafoG +WpRvRdujzV8LScohLFZmcVZEmC8UPYyR1v3crlCQCoA5WPgr0UEmXJs7jDn3VP2 HHueAbUG6oZfimZlEjd1VYo7kd2HQ77EzmwpgDM49N/m7dPJ6lzm7lcifsr+WL3p HfYaApyhhnftwXvqocjPD19brZI4/IZFX/yZyxklYrBha6eLcHE4Wjnmf97RhNsc zPPiiMZPiXpbBD3PcVFgQW04mj8ISzUAY4eXcB8V/+FyIHtZH95B5IFvJhJexm/L dwCZl9rCaP7VBz+l4Poza8nzuH8CBbQjn0tdXC/dgXy/XD+H8d0DA/O8PmiGrqlk fQ== -----END X509 CRL-----
來自 CA 的 CRL(路徑 #2 根,較舊的 CRL)
這是簽署萬用字元證書的中間 CA 提供的 CRL:
# openssl crl -fingerprint -noout -in root.crl SHA1 Fingerprint=E1:24:F4:35:3B:D0:B7:5B:AA:D9:AD:C7:33:F2:29:32:20:08:47:14
在這裡,我注意到上面的 CRL 指紋是不同的,但是X509v3 授權密鑰標識符是完全匹配的(這是上面 CRL 的舊版本)。
# openssl crl -in root.crl -text Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root Last Update: May 28 00:12:38 2019 GMT Next Update: Jun 1 00:12:38 2019 GMT CRL extensions: X509v3 Authority Key Identifier: keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A X509v3 CRL Number: 5275 Revoked Certificates: Serial Number: 537B76564F297F14DC6943E922AD2C79 Revocation Date: Dec 14 15:58:30 2015 GMT Serial Number: 46EAF096054CC5E3FA65EA6E9F42C664 Revocation Date: Dec 14 15:58:30 2015 GMT Serial Number: 3ACDAB9C759886BCAF74E5DF81A9F4E8 Revocation Date: Dec 14 15:58:30 2015 GMT Serial Number: 79174AA9141736FE15A7CA9F2CFF4588 Revocation Date: Apr 30 20:03:54 2018 GMT Serial Number: 74C18753F7EEB4EA238D8416B5AC7646 Revocation Date: Oct 9 09:11:57 2018 GMT Signature Algorithm: sha1WithRSAEncryption 38:3a:7d:3e:ee:be:48:e7:93:c3:91:0a:c3:47:46:11:87:83: 60:85:19:2f:77:17:bd:e9:0f:02:de:04:60:33:38:5a:38:99: 16:6b:81:51:83:f4:dc:97:83:2f:f9:97:18:5e:6a:24:5e:77: a0:39:dc:e1:09:24:c8:9c:05:e3:68:a2:ca:aa:1f:e7:85:fb: 84:a0:07:96:4d:f0:53:68:6f:85:bd:d6:07:6d:57:34:9a:01: 6e:51:b5:53:69:da:db:e1:c6:0d:c6:d9:d6:85:96:2e:b0:bf: 71:25:49:97:66:8b:61:4a:7d:fd:ce:f3:07:d2:b5:bf:71:c0: 01:6b:79:b2:20:5f:58:41:34:03:1b:88:a5:d7:f7:9b:ab:ff: 49:fa:07:0b:0a:90:d8:f8:93:28:70:7a:f9:48:ed:40:b3:ae: 31:f5:af:51:ed:00:ff:2e:0e:b9:3e:ee:6c:20:21:a0:d8:98: 46:bd:9d:00:bb:aa:3d:30:8c:b2:72:00:af:cd:79:05:2f:40: 5a:ae:2a:27:26:77:c3:40:79:88:4c:7b:2e:2e:df:2e:d5:4f: c5:b2:14:e1:aa:9a:29:4f:b5:e5:01:04:df:b7:89:59:17:1c: 06:7b:a1:a8:9a:84:0c:cf:8c:2f:e9:3a:ec:78:f5:c9:e2:da: 5f:16:1a:38 -----BEGIN X509 CRL----- MIICnTCCAYUCAQEwDQYJKoZIhvcNAQEFBQAwbzELMAkGA1UEBhMCU0UxFDASBgNV BAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5hbCBUVFAg TmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9vdBcNMTkw NTI4MDAxMjM4WhcNMTkwNjAxMDAxMjM4WjCBrzAhAhBTe3ZWTyl/FNxpQ+kirSx5 Fw0xNTEyMTQxNTU4MzBaMCECEEbq8JYFTMXj+mXqbp9CxmQXDTE1MTIxNDE1NTgz MFowIQIQOs2rnHWYhryvdOXfgan06BcNMTUxMjE0MTU1ODMwWjAhAhB5F0qpFBc2 /hWnyp8s/0WIFw0xODA0MzAyMDAzNTRaMCECEHTBh1P37rTqI42EFrWsdkYXDTE4 MTAwOTA5MTE1N1qgMDAuMB8GA1UdIwQYMBaAFK29mHo0tCb3+sQmVO8DveAky1Qa MAsGA1UdFAQEAgIUmzANBgkqhkiG9w0BAQUFAAOCAQEAODp9Pu6+SOeTw5EKw0dG EYeDYIUZL3cXvekPAt4EYDM4WjiZFmuBUYP03JeDL/mXGF5qJF53oDnc4QkkyJwF 42iiyqof54X7hKAHlk3wU2hvhb3WB21XNJoBblG1U2na2+HGDcbZ1oWWLrC/cSVJ l2aLYUp9/c7zB9K1v3HAAWt5siBfWEE0AxuIpdf3m6v/SfoHCwqQ2PiTKHB6+Ujt QLOuMfWvUe0A/y4OuT7ubCAhoNiYRr2dALuqPTCMsnIAr815BS9AWq4qJyZ3w0B5 iEx7Li7fLtVPxbIU4aqaKU+15QEE37eJWRccBnuhqJqEDM+ML+k67Hj1yeLaXxYa OA== -----END X509 CRL-----
在查看了verify命令的 OpenSSL 文件後,我發現 CRL PEM 確實可以連接起來,和/或在單獨的文件中指定:
-CRL文件文件
該文件應包含一個或多個 PEM 格式的 CRL。可以多次指定此選項以包含來自多個文件的 CRL。
此外,在查看了crl 命令的 OpenSSL 文件後,我發現有四個選項可用於檢查 CRL 的身份(包括明顯未記錄的
-fingerprint
選項):-雜湊
輸出頒發者名稱的雜湊值。這可用於按頒發者名稱在目錄中查找 CRL。
-hash_old
使用 OpenSSL 1.0.0 版之前使用的舊算法輸出 CRL 頒發者名稱的“雜湊”。
-發行人
輸出發行者名稱。
顯然,確認 CRL 來源的唯一方法是通過發行人名稱(四個選項中的三個)。
除了使用
-fingerprint
為每個 CRL 版本生成唯一散列的-hash
選項外,還可以使用生成發行者名稱散列的選項。還有一個-hash_old
使用 MD5 雜湊的-issuer
選項和一個列印頒發者名稱全文的選項。儘管這似乎不是確定 CRL 身份的有效方法,但它似乎是唯一可用的方法。我希望的是
-modulus
檢查 CRL 的簽名密鑰是否與根證書的簽名密鑰匹配的選項,但不存在這樣的選項:# openssl crl -modulus -noout -in AddTrustExternalCARoot.pem unknown option -modulus
此外,我發現根證書沒有 CRL,但路徑 #1 和路徑 #2 的中間證書都有 CRL。CRL 的下載 URL 可以從中間證書的文本版本中提取:
# openssl x509 -noout -text -in 2_intermediate_sectigo.crt | grep -A 4 'X509v3 CRL Distribution Points' X509v3 CRL Distribution Points: Full Name: URI:http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
第二個 CRL 來自第二個中間證書(僅在路徑 #2 中):
# openssl x509 -noout -text -in 3_intermediate_usertrust.crt | grep -A 4 'X509v3 CRL Distribution Points' X509v3 CRL Distribution Points: Full Name: URI:http://crl.usertrust.com/AddTrustExternalCARoot.crl
但是,路徑 #1 或路徑 #2 的根證書都沒有 CRL 分發點(這在此答案的末尾很重要):
# openssl x509 -noout -text -in USERTrustRSACertificationAuthority.crt | grep -A 4 'X509v3 CRL Distribution Points' # openssl x509 -noout -text -in AddTrustExternalCARoot.crt | grep -A 4 'X509v3 CRL Distribution Points'
這表明對於路徑 #2,我從錯誤的來源下載了 CRL(它應該來自 UserTrust,而不是 Comodo):
# wget http://crl.comodoca.com/AddTrustExternalCARoot.crl # mv AddTrustExternalCARoot.crl AddTrustExternalCARoot_comodo.crl # openssl crl -inform DER -in AddTrustExternalCARoot_comodo.crl -outform PEM -out AddTrustExternalCARoot_comodo.pem # openssl crl -hash -noout -in AddTrustExternalCARoot_comodo.pem 157753a5 # wget http://crl.usertrust.com/AddTrustExternalCARoot.crl # openssl crl -inform DER -in AddTrustExternalCARoot.crl -outform PEM -out AddTrustExternalCARoot.pem # openssl crl -hash -noout -in AddTrustExternalCARoot.pem 157753a5 # sum AddTrustExternalCARoot_comodo.crl 15298 1 # sum AddTrustExternalCARoot.crl 15939 1 # openssl crl -noout -text -in AddTrustExternalCARoot_comodo.pem | grep -A 1 'X509v3 CRL Number' X509v3 CRL Number: 5358 # openssl crl -noout -text -in AddTrustExternalCARoot.pem | grep -A 1 'X509v3 CRL Number' X509v3 CRL Number: 5363
如上所示,儘管來自 UserTrust 和 Comodo 的 CRL 具有相同的頒發者並且兩者都應該可以工作,但 Comodo 提供了一個舊版本。
此外,這似乎表明對於認證路徑#1,應該只需要一個 CRL,但對於認證路徑 #2,可能需要兩個 CRL。
路徑 #1 根
路徑 #1( USERTrust RSA 證書頒發機構)的根證書雜湊:
# openssl x509 -hash -noout -in USERTrustRSACertificationAuthority.crt fc5a8f99
路徑 #1 的根證書的 CRL 雜湊:
# openssl crl -hash -noout -in USERTrustRSACertificationAuthority.pem fc5a8f99 # openssl crl -issuer -noout -in USERTrustRSACertificationAuthority.pem issuer=/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
路徑 #2 根
路徑 #2 的根證書(AddTrust External CA Root):
# openssl x509 -hash -noout -in AddTrustExternalCARoot.crt 157753a5
路徑 #2 的根證書的 CRL 雜湊:
# openssl crl -hash -noout -in AddTrustExternalCARoot.pem 157753a5 # openssl crl -issuer -noout -in AddTrustExternalCARoot.pem issuer=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
路徑 #2 的根證書的舊版本 CRL 的雜湊:
# openssl crl -hash -noout -in root.crl 157753a5 # openssl crl -issuer -noout -in root.crl issuer=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
總之,為多個證書路徑建構 CRL 文件的適當方法是首先檢查X509v3 CRL 分發點的每個單獨證書(見上文),然後對於每個 CRL URL,檢索最新的 DER(二進製文件)並轉換為 PEM (ASCII 文件):
wget http://crl.usertrust.com/AddTrustExternalCARoot.crl openssl crl -inform DER -in AddTrustExternalCARoot.crl -outform PEM -out AddTrustExternalCARoot_CRL.pem wget http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl openssl crl -inform DER -in USERTrustRSACertificationAuthority.crl -outform PEM -out USERTrustRSACertificationAuthority_CRL.pem
然後將所有 PEM 文件連接到一個文件中:
cat USERTrustRSACertificationAuthority_CRL.pem AddTrustExternalCARoot_CRL.pem > root.crl
最後,根據 CA 和 CRL 文件驗證證書:
# openssl verify -CAfile root.crt -CRLfile root.crl server.crt server.crt: OK
但是,如果您在嘗試檢查 CRL 捆綁包時遇到錯誤,請注意存在一個開放的OpenSSL 錯誤(如果根 CA 證書沒有 CRL 分發點,則 CRL 檢查失敗):
# openssl verify -crl_check -CAfile root.crt -CRLfile root.crl server.crt server.crt: OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.[REDACTED].org error 3 at 0 depth lookup:unable to get certificate CRL
作為參考,我使用的是 OpenSSL 1.0.2k(最新的 Amazon Linux 版本),並且在 OpenSSL 1.1.1 上報告了該錯誤:
# openssl version OpenSSL 1.0.2k-fips 26 Jan 2017