我一直在问自己,如何解释 openssl 关于证书的输出,具体取决于选项(-text 或 - purpose)。有时我不清楚,例如,证书是否应该是 CA。
例子:
openssl x509 -in /path/to/cert1.pem -purpose -noout
Certificate purposes:
SSL client : Yes
SSL client CA : Yes (WARNING code=3)
SSL server : Yes
SSL server CA : Yes (WARNING code=3)
...
但:
openssl x509 -in /path/to/cert1.pem -text -noout | grep CA
这显示没有结果。然而:
openssl x509 -in /path/to/cert2.pem -purpose -noout
Certificate purposes:
SSL client : Yes
SSL client CA : Yes
SSL server : Yes
SSL server CA : Yes
...
和:
openssl x509 -in /path/to/cert2.pem -text -noout | grep CA
CA:TRUE
最佳答案
从您提供的有限输出来看,您的 cert1.pem
是 X509v1
类型.因此,它的-text
输出不包含 X509v3
显示在您的 grep
中的扩展名cert2.pem
的结果.
对这个假设的一些支持始于 cert1.pem
的输出。 , 包括
SSL client CA : Yes (WARNING code=3)
围绕此警告含义的 OpenSSL 文档是有限的,但通过检查其源代码,从
apps/x509.c
开始申请,追溯至the following function :static int check_ca(const X509 *x)
{
/* keyUsage if present should allow cert signing */
if (ku_reject(x, KU_KEY_CERT_SIGN))
return 0;
if (x->ex_flags & EXFLAG_BCONS) {
if (x->ex_flags & EXFLAG_CA)
return 1;
/* If basicConstraints says not a CA then say so */
else
return 0;
} else {
/* we support V1 roots for... uh, I don't really know why. */
if ((x->ex_flags & V1_ROOT) == V1_ROOT)
return 3;
/*
* If key usage present it must have certSign so tolerate it
*/
else if (x->ex_flags & EXFLAG_KUSAGE)
return 4;
/* Older certificates could have Netscape-specific CA types */
else if (x->ex_flags & EXFLAG_NSCERT && x->ex_nscert & NS_ANY_CA)
return 5;
/* can this still be regarded a CA certificate? I doubt it */
return 0;
}
}
您在哪里看到代码值
3
出现。要验证是否是这种情况,只需查看不同证书的文本转储中的第一行,如下所示:
Certificate:
Data:
Version: 1 (0x0)
返回 the X509 tool documentation page ,以下现在是有意义的:
If the certificate is a V1 certificate (and thus has no extensions) and it is self signed it is also assumed to be a CA but a warning is again given: this is to work around the problem of Verisign roots which are V1 self signed certificates.
关于ssl - openssl的不同输出,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/60453779/