我有一位客户想要对其证书进行非常严格的验证。
我建议他们使用“openssl verify”,但似乎不如“s_client”严格。
例如: 可以说我有一个中间链 A、B、C(其中 A 是站点,C 指向根,B 是中间层),但是一些根本没有连接的中间层渗透到证书中。让我们称之为 X - 证书现在包含 A、B、X、C。
s_client 将失败,而 verify 则不会。 我还检查了一些在线服务 - 大多数都不会失败。例如digicert将失败 - 说明链条已断开。
我试着寻找一个 openssl 验证标志,我什至尝试运行 s_server 然后用 s_client 验证无济于事。
有没有办法对此也执行验证?
最佳答案
使用 gnutls 包中的“certtool”,而不是 openssl。
好链:
$ cat A B C | certtool -e
Certificate[0]: <subject for A>
Issued by: <subject for B>
Verifying against certificate[1].
Verification output: Verified.
Certificate[1]: <subject for B>
Issued by: <subject for C>
Verifying against certificate[2].
Verification output: Verified.
Certificate[2]: <subject for C>
Issued by: <subject for C>
Verification output: Verified.
Chain verification output: Verified.
坏链:
$ cat A B X C | certtool -e
Certificate[0]: <subject for A>
Issued by: <subject for B>
Verifying against certificate[1].
Verification output: Verified.
Certificate[1]: <subject for B>
Issued by: <subject for C>
Verifying against certificate[2].
Error: Issuer's name: <subject for X>
certtool: issuer name does not match the next certificate
关于ssl - 验证证书冗余中间体,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/10530774/