OpenSSL certificate verification on Linux

JKJS

I have this certificate chain:
rcert.pem (self-signed) -> scert.pem -> ccert.pem

All three certificates were generated by me. No internet connection is used anywhere; this works entirely offline.
Now, here are some commands and their output:

hari@harikrishna:~/hari$ openssl verify rcert.pem
rcert.pem: C = IN,ST = OM,L = OM,O = HARI,OU = HARI,CN = OM,emailAddress = OM
error 18 at 0 depth lookup:self signed certificate
OK
hari@harikrishna:~/hari$ openssl verify -CAfile rcert.pem scert.pem
scert.pem: OK
hari@harikrishna:~/hari$ openssl verify -CAfile rcert.pem rcert.pem
rcert.pem: OK
hari@harikrishna:~/hari$ openssl verify -CAfile rcert.pem -untrusted scert.pem ccert.pem
ccert.pem: C = IN,ST = HARI,L = HARI,CN = HARI,emailAddress = HARI
error 24 at 1 depth lookup:invalid CA certificate
OK

Why is error 24 produced, and how do I get rid of it? Is it trusted or untrusted?

Thanks.

Solution

JKJS

Found the answer to my own question:

1) Create the root CA certificate with the following commands:

openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem

openssl x509 -req -in rootreq.pem -sha1 -signkey rootkey.pem -out rootcert.pem

2) Install the CA certificate as a trusted certificate with the following commands:

sudo mkdir /usr/share/ca-certificates/extra

sudo cp rootcert.pem /usr/share/ca-certificates/extra/rootcert.crt

sudo dpkg-reconfigure ca-certificates

sudo update-ca-certificates

3) Create the intermediate certificate, signed by the root CA, with the following commands:

openssl req -newkey rsa:1024 -sha1 -keyout skey.pem -out sreq.pem

sudo openssl x509 -req -in sreq.pem -sha1 -CA /etc/ssl/certs/rootcert.pem -CAkey rootkey.pem -CAcreateserial -out scert.pem

4) Create the client certificate, signed by the intermediate CA, with the following commands:

openssl req -newkey rsa:1024 -sha1 -keyout ckey.pem -out creq.pem

openssl x509 -req -in creq.pem -sha1 -CA scert.pem -CAkey skey.pem -CAcreateserial -out ccert.pem

Now the chain of trust works properly:

1) Verify the root CA

openssl verify rootcert.pem 
rootcert.pem: OK

2) Verify the intermediate CA

openssl verify scert.pem 
scert.pem: OK

3) Verify the client certificate

openssl verify -CAfile scert.pem ccert.pem
ccert.pem: OK
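The script below is an added example and is not part of the original question or answer. It rebuilds the same three-tier chain with the openssl command line (assumed: OpenSSL 1.1.1 or 3.x on PATH; every file name and subject, such as "Example Root CA" and leaf.example.test, is made up) and runs the exact verify command from the question, root trusted and intermediate passed as -untrusted, against two versions of the intermediate: one produced the way the post does it, with "openssl x509 -req" and no extension file, and one that carries basicConstraints CA:TRUE and keyUsage keyCertSign.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce "error 24 ... invalid CA
# certificate" and show the fix, an intermediate that asserts basicConstraints CA:TRUE.
# Assumes only the openssl CLI (1.1.1 or 3.x). Names and subjects are made up;
# everything is written to a throwaway directory that is removed on exit.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config: a do-nothing [req] section so "openssl req -config"
# works without the system openssl.cnf, plus one extension section per tier.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_intermediate]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:leaf.example.test
EOF
CFG="$WORK/openssl.cnf"

# Root: self-signed and explicitly marked CA:TRUE.
openssl req -x509 -config "$CFG" -extensions v3_ca -newkey rsa:2048 -nodes \
    -sha256 -days 365 -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# One intermediate key and CSR, signed two different ways from the same request.
openssl req -new -config "$CFG" -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
# (a) as in the post: "x509 -req" with no -extfile, so no basicConstraints at all
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -set_serial 0x1001 -days 365 -sha256 -out "$WORK/inter_v1.pem" 2>/dev/null
# (b) fixed: CA:TRUE plus keyCertSign, which is what the verifier requires at depth 1
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -set_serial 0x1002 -days 365 -sha256 -extfile "$CFG" -extensions v3_intermediate \
    -out "$WORK/inter_v3.pem" 2>/dev/null

# Leaf signed with the intermediate key; it chains to either intermediate
# certificate because both carry the same subject name and public key.
openssl req -new -config "$CFG" -newkey rsa:2048 -nodes \
    -subj "/CN=leaf.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter_v3.pem" -CAkey "$WORK/inter.key" \
    -set_serial 0x2001 -days 365 -sha256 -extfile "$CFG" -extensions v3_leaf \
    -out "$WORK/leaf.pem" 2>/dev/null

# True iff the certificate's basicConstraints extension says CA:TRUE.
is_ca_cert() {  # $1 = certificate file
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# The check from the question: root trusted, intermediate given as -untrusted,
# leaf under test. Prints OK, or FAIL with the verifier's first error line.
chain_status() {  # $1 = intermediate certificate to place between root and leaf
    if out=$(openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$WORK/leaf.pem" 2>&1); then
        echo OK
    else
        echo "FAIL: $(printf '%s\n' "$out" | grep -i 'error' | head -n 1)"
    fi
}

printf 'intermediate without extensions (as in the post): %s\n' "$(chain_status "$WORK/inter_v1.pem")"
printf 'intermediate with basicConstraints CA:TRUE:        %s\n' "$(chain_status "$WORK/inter_v3.pem")"
```

Error 24 is X509_V_ERR_INVALID_CA: the certificate at that depth is being used as an issuer but does not qualify as a CA. "openssl x509 -req" without -extfile emits no basicConstraints, and OpenSSL accepts a certificate lacking basicConstraints as a CA only when it is a self-signed v1 certificate or carries keyUsage keyCertSign. That is why the post's self-signed root verifies while the intermediate built the same way is rejected at depth 1; re-issuing the intermediate with CA:TRUE is the fix, and -untrusted is the right way to hand it to openssl verify.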
