JKJS
我有这个证书链:
rcert.pem(自签名) – > scert.pem – > ccert.pem
所有这三个证书都是由我生成的.没有任何地方可以使用互联网连接.这是完美的离线工作.
现在,下面是一些命令及其输出:
hari@harikrishna:~/hari$openssl verify rcert.pem rcert.pem: C = IN,ST = OM,L = OM,O = HARI,OU = HARI,CN = OM,emailAddress = OM error 18 at 0 depth lookup:self signed certificate OK hari@harikrishna:~/hari$openssl verify -CAfile rcert.pem scert.pem scert.pem: OK hari@harikrishna:~/hari$openssl verify -CAfile rcert.pem rcert.pem rcert.pem: OK hari@harikrishna:~/hari$openssl verify -CAfile rcert.pem -untrusted scert.pem ccert.pem ccert.pem: C = IN,ST = HARI,L = HARI,CN = HARI,emailAddress = HARI error 24 at 1 depth lookup:invalid CA certificate OK
谢谢.
解决方法
JKJS
得到了我自己的问题的答案:
1)通过以下命令创建根CA证书:
openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem openssl x509 -req -in rootreq.pem -sha1 -signkey rootkey.pem -out rootcert.pem
2)通过以下命令将CA证书安装为可信证书:
sudo mkdir /usr/share/ca-certificates/extra sudo cp rootcert.pem /usr/share/ca-certificates/extra/rootcert.crt sudo dpkg-reconfigure ca-certificates sudo update-ca-certificates
3)通过以下命令创建由根CA签名的中间证书:
openssl req -newkey rsa:1024 -sha1 -keyout skey.pem -out sreq.pem sudo openssl x509 -req -in sreq.pem -sha1 -CA /etc/ssl/certs/rootcert.pem -CAkey rootkey.pem -CAcreateserial -out scert.pem
4)通过以下命令创建由中间CA签名的客户端证书:
openssl req -newkey rsa:1024 -sha1 -keyout ckey.pem -out creq.pem openssl x509 -req -in creq.pem -sha1 -CA scert.pem -CAkey skey.pem -CAcreateserial -out ccert.pem
现在,信任链正常运作:
1)验证根CA.
openssl verify rootcert.pem rootcert.pem: OK
2)中间CA的验证
openssl verify scert.pem scert.pem: OK
3)验证客户证书
openssl verify -CAfile scert.pem ccert.pem ccert.pem: OK
