How do I verify an X.509 certificate?

I have the following expired X.509 certificate:

$ openssl x509 -in openvpn.net -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:fa:55:a7:80:b5:b5
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
        Validity
            Not Before: Dec 10 20:42:04 2013 GMT
            Not After : Mar  5 17:46:58 2014 GMT
        Subject: OU=Domain Control Validated, CN=*.openvpn.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:d8:1c:cd:03:64:34:52:e3:6a:fd:96:10:4d:76:
                    c6:33:f8:70:fb:6c:0d:93:ac:3c:49:1b:bf:c4:9a:
                    c3:b5:08:87:c8:1c:fc:81:64:91:41:45:81:e0:70:
                    63:69:e0:86:ec:e1:48:84:26:2f:3f:4b:7d:6d:6c:
                    88:bc:44:11:ff:72:b1:32:d9:30:24:e4:78:78:0c:
                    fb:73:5d:43:05:4e:5c:5a:05:f7:85:e0:69:c9:b8:
                    ca:7d:0a:33:b9:12:ee:ff:ed:20:7b:8d:04:89:05:
                    74:80:7a:5c:4a:39:07:70:14:56:31:59:ae:4f:6f:
                    3d:5d:c6:36:00:b6:aa:7e:45:6b:bc:cb:4a:8f:cc:
                    20:69:f6:39:ec:29:e9:6a:14:6e:42:ca:99:d1:d7:
                    08:23:31:5c:5b:b3:48:13:01:fe:bc:44:34:62:c7:
                    81:2e:4e:74:1e:73:42:b3:5f:ee:23:55:9f:62:d0:
                    46:5e:c2:00:14:7b:b5:e5:26:40:12:a6:32:50:22:
                    b3:a6:df:b6:a3:90:d4:39:ae:ea:3e:53:f5:58:89:
                    7a:b7:6a:d8:6f:d3:ae:1b:e0:7c:90:86:04:39:c3:
                    a3:c8:8a:52:5a:d5:83:e7:07:80:5b:b2:e2:7a:5a:
                    24:b2:d8:53:34:ad:2a:e2:d4:3a:57:5c:6e:3c:46:
                    58:b5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points: 
                URI:http://crl.godaddy.com/gdig2s1-6.crl

            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.114413.1.7.23.1
                  CPS: http://certificates.godaddy.com/repository/

            Authority Information Access: 
                OCSP - URI:http://ocsp.godaddy.com/
                CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt

            X509v3 Authority Key Identifier: 
                keyid:40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE

            X509v3 Subject Alternative Name: 
                DNS:*.openvpn.net, DNS:openvpn.net
            X509v3 Subject Key Identifier: 
                DA:4D:97:2B:F8:A2:C5:E9:9D:A2:E4:CB:56:01:0B:9B:74:24:01:01
    Signature Algorithm: sha256WithRSAEncryption
        9b:b7:07:59:02:0c:67:f3:c1:49:45:fe:30:9a:1a:39:19:cb:
        42:33:fc:62:02:29:fc:f5:ef:5d:61:36:4a:e2:c5:f6:52:04:
        57:81:28:18:77:60:c0:99:1a:4a:45:e5:f7:eb:03:36:d2:bf:
        9d:b6:93:38:98:06:b4:81:fb:5c:ff:e6:ef:7c:8d:ff:cd:5f:
        53:b1:10:23:03:38:12:12:a8:99:c8:35:a1:6a:60:ba:4a:f4:
        61:7f:96:cb:81:70:f3:c6:d8:2a:b5:69:b8:d9:56:0a:46:73:
        9b:d0:d7:c1:2f:9a:d8:94:ac:37:0b:57:80:f9:a1:ec:e1:bf:
        43:76:c6:ea:01:c6:97:c8:55:29:a8:b6:b9:19:bd:81:92:9a:
        a9:ec:be:b0:4c:3e:11:f5:8b:8c:8f:af:fa:f5:d4:4d:d7:77:
        c0:1f:aa:cd:f7:01:80:ad:62:d4:db:1d:e3:a0:23:77:2f:4b:
        ea:65:5c:9e:9c:46:bc:be:ce:f3:71:79:cd:19:c3:44:f5:49:
        de:4b:24:a5:8b:48:3e:60:4d:9d:dd:1d:50:35:66:6a:d6:96:
        77:7c:19:9b:66:e1:46:de:4e:c2:ce:c5:96:88:2c:d7:7d:cc:
        94:ac:1f:23:d4:a8:e9:6d:c0:f3:9f:a8:21:a7:fd:dc:25:95:
        6f:eb:e3:a0
$ 

As I understand it, the certificate was issued by Go Daddy Secure Certificate Authority to *.openvpn.net. I think that in order to verify that the certificate was really issued by GoDaddy, I should download one of the GoDaddy root certificates from here. But which one? And how do I use the openssl utility to verify that the certificate above was really issued by GoDaddy?

Answer 1

Use openssl verify

For example:

$ openssl verify -CAfile /path/to/issuer.cert /path/to/server.cert

In this case, the issuer should be GoDaddy's intermediate certificate, and the server certificate is the certificate you want to verify. Which intermediate is the right one? Your x.509 output tells you:

Authority Information Access: 
    OCSP - URI:http://ocsp.godaddy.com/
    CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt

So the issuer you want is http://certificates.godaddy.com/repository/gdig2.crt

In your OpenVPN configuration, you can set the path to gdig2.crt as the ca option, and that is enough for verification. For your own peace of mind it is a good idea to check the validity of gdig2.crt all the way up to the root once, but as far as OpenVPN is concerned you can tell it to ultimately trust the intermediate without losing any security.

Another form of the verify subcommand uses CApath instead of CAfile:

$ openssl verify -CApath /etc/ssl/certs /path/to/server.cert

The CApath must be a directory containing the certificates of all trusted issuers (intermediate CAs and root CAs alike), over which you have then run c_rehash /path/to/directory/. Your distribution may have done this for you if you have the ca-certificates package installed.

A note on verification failures

There is an incompatibility between openssl 0.9.x and 1.0.x. If you think a certificate should verify but it doesn't, you may be using a 0.9.x version of openssl. Find a 1.0.x one and try again.

Answer 2

Look at the "Authority Information Access" section of the certificate. It tells you which CA to download. You can then verify that certificate to see who issued it, and keep going up the chain.
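The script below is an added example, not code from either answer or from the original question. It builds a throwaway root, intermediate and leaf PKI with the openssl command line (every name, file path and URL in it is constructed for the demo), then runs the verify forms from Answer 1 and the AIA lookup from Answer 2 against that PKI. Two caveats matter when you repeat Answer 1 against a real GoDaddy certificate. First, openssl verify by default insists on reaching a self-signed root, so -CAfile with only the intermediate fails with "unable to get issuer certificate" unless you add -partial_chain (OpenSSL 1.0.2 and later). Second, when only -CAfile is given, verify still consults the default CApath (typically /etc/ssl/certs), so an apparently successful run with the intermediate alone may in fact be anchoring on a system root; the toy PKI avoids that ambiguity because its root is in no system store. The CApath directory is hashed by hand rather than with c_rehash, which also shows why a directory hashed under 0.9.x stops working under 1.0.x: OpenSSL 1.0.0 changed the subject-hash naming (the old value is still available as -subject_hash_old). Finally, the certificate in the question is expired, and -attime shows what verify says about that without waiting for the fresh leaf to age.

```shell
#!/bin/sh
# Added example (not code from the original post). Builds a constructed
# root -> intermediate -> leaf PKI, then exercises the "openssl verify"
# forms from Answer 1 and the AIA lookup from Answer 2. Every name, path
# and URL below is an assumption made for the demo.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# --- 1. Constructed PKI -----------------------------------------------------
make_pki() {
    # Minimal req config so the script does not depend on the system openssl.cnf.
    cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden-by-subj
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Extensions for the intermediate CA and for the leaf (the leaf mirrors
    # the question's certificate: CA:FALSE, serverAuth/clientAuth, SAN, AIA).
    cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    cat > leaf.ext <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:*.example.test, DNS:example.test
authorityInfoAccess = caIssuers;URI:http://ca.example.test/repository/intermediate.crt
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # Self-signed root (the trust anchor).
    openssl req -x509 -config req.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
        -days 3650 -sha256 -subj "/O=Example/CN=Example Root CA" \
        -keyout root.key -out root.pem >/dev/null 2>&1
    # Intermediate signed by the root: the analogue of gdig2.crt.
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example/CN=Example Intermediate CA" \
        -keyout intermediate.key -out intermediate.csr >/dev/null 2>&1
    openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 1825 -sha256 -extfile ca.ext -out intermediate.pem >/dev/null 2>&1
    # Leaf signed by the intermediate: the analogue of the *.openvpn.net cert.
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/OU=Domain Control Validated/CN=*.example.test" \
        -keyout leaf.key -out leaf.csr >/dev/null 2>&1
    openssl x509 -req -in leaf.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial \
        -days 90 -sha256 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1
}

# --- 2. Verification checks -------------------------------------------------
# Run "openssl verify" and report OK/FAIL instead of aborting under set -e;
# the failing cases are the point of the demonstration.
run_verify() {
    if openssl verify "$@" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Root as trust anchor, intermediate supplied as untrusted chain material
# (what a TLS server sends alongside its leaf).
verify_with_root() { run_verify -CAfile root.pem -untrusted intermediate.pem leaf.pem; }

# Answer 1's form, CAfile = intermediate only. verify wants to reach a
# self-signed root, so this fails with "unable to get issuer certificate"
# (our root is in no system store; with a real GoDaddy cert the default
# CApath may quietly supply the root). -partial_chain (1.0.2+) makes the
# intermediate an acceptable anchor.
verify_with_intermediate_only()    { run_verify -CAfile intermediate.pem leaf.pem; }
verify_with_intermediate_partial() { run_verify -partial_chain -CAfile intermediate.pem leaf.pem; }

# CApath: trusted certs stored as <subject-hash>.N, which is what c_rehash /
# "openssl rehash" produce. Done by hand here; OpenSSL 1.0.0 changed this
# hash (see -subject_hash_old), one concrete form of the 0.9.x/1.0.x break.
make_capath() {
    mkdir -p certs
    for c in root.pem intermediate.pem; do
        cp "$c" "certs/$(openssl x509 -noout -subject_hash -in "$c").0"
    done
}
verify_with_capath() { run_verify -CApath certs leaf.pem; }

# The question's certificate is expired. verify compares validity against
# "now" unless -attime (1.0.2+) gives another reference time; 400 days out
# is past our 90-day leaf, so this reports "certificate has expired".
verify_at_future_time() {
    run_verify -attime "$(( $(date +%s) + 400 * 86400 ))" \
        -CAfile root.pem -untrusted intermediate.pem leaf.pem
}

# Answer 2's approach: read the CA Issuers URI out of the leaf's AIA
# extension (the constructed URL from leaf.ext; a real cert points at the
# CA's repository, e.g. the gdig2.crt URL in the question).
aia_issuer_url() {
    openssl x509 -in leaf.pem -noout -text | sed -n 's/^[[:space:]]*CA Issuers - URI://p'
}

make_pki
make_capath
echo "root anchor + untrusted intermediate : $(verify_with_root)"
echo "intermediate only                    : $(verify_with_intermediate_only)"
echo "intermediate only, -partial_chain    : $(verify_with_intermediate_partial)"
echo "hashed CApath                        : $(verify_with_capath)"
echo "400 days in the future (-attime)     : $(verify_at_future_time)"
echo "CA Issuers from AIA                  : $(aia_issuer_url)"
```

Run it with any OpenSSL from 1.0.2 onwards; the intermediate-only line reports FAIL and the -partial_chain line OK, which is the difference between "the chain reaches a root I trust" and "I have chosen to trust this intermediate directly". For a real certificate, replace leaf.pem with the server certificate and intermediate.pem with the file fetched from the CA Issuers URI, and fetch the root named in the intermediate's own AIA or issuer field in the same way.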
