我有以下过期的 X.509 证书:
$ openssl x509 -in openvpn.net -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:fa:55:a7:80:b5:b5
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
Validity
Not Before: Dec 10 20:42:04 2013 GMT
Not After : Mar 5 17:46:58 2014 GMT
Subject: OU=Domain Control Validated, CN=*.openvpn.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:d8:1c:cd:03:64:34:52:e3:6a:fd:96:10:4d:76:
c6:33:f8:70:fb:6c:0d:93:ac:3c:49:1b:bf:c4:9a:
c3:b5:08:87:c8:1c:fc:81:64:91:41:45:81:e0:70:
63:69:e0:86:ec:e1:48:84:26:2f:3f:4b:7d:6d:6c:
88:bc:44:11:ff:72:b1:32:d9:30:24:e4:78:78:0c:
fb:73:5d:43:05:4e:5c:5a:05:f7:85:e0:69:c9:b8:
ca:7d:0a:33:b9:12:ee:ff:ed:20:7b:8d:04:89:05:
74:80:7a:5c:4a:39:07:70:14:56:31:59:ae:4f:6f:
3d:5d:c6:36:00:b6:aa:7e:45:6b:bc:cb:4a:8f:cc:
20:69:f6:39:ec:29:e9:6a:14:6e:42:ca:99:d1:d7:
08:23:31:5c:5b:b3:48:13:01:fe:bc:44:34:62:c7:
81:2e:4e:74:1e:73:42:b3:5f:ee:23:55:9f:62:d0:
46:5e:c2:00:14:7b:b5:e5:26:40:12:a6:32:50:22:
b3:a6:df:b6:a3:90:d4:39:ae:ea:3e:53:f5:58:89:
7a:b7:6a:d8:6f:d3:ae:1b:e0:7c:90:86:04:39:c3:
a3:c8:8a:52:5a:d5:83:e7:07:80:5b:b2:e2:7a:5a:
24:b2:d8:53:34:ad:2a:e2:d4:3a:57:5c:6e:3c:46:
58:b5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 CRL Distribution Points:
URI:http://crl.godaddy.com/gdig2s1-6.crl
X509v3 Certificate Policies:
Policy: 2.16.840.1.114413.1.7.23.1
CPS: http://certificates.godaddy.com/repository/
Authority Information Access:
OCSP - URI:http://ocsp.godaddy.com/
CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt
X509v3 Authority Key Identifier:
keyid:40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE
X509v3 Subject Alternative Name:
DNS:*.openvpn.net, DNS:openvpn.net
X509v3 Subject Key Identifier:
DA:4D:97:2B:F8:A2:C5:E9:9D:A2:E4:CB:56:01:0B:9B:74:24:01:01
Signature Algorithm: sha256WithRSAEncryption
9b:b7:07:59:02:0c:67:f3:c1:49:45:fe:30:9a:1a:39:19:cb:
42:33:fc:62:02:29:fc:f5:ef:5d:61:36:4a:e2:c5:f6:52:04:
57:81:28:18:77:60:c0:99:1a:4a:45:e5:f7:eb:03:36:d2:bf:
9d:b6:93:38:98:06:b4:81:fb:5c:ff:e6:ef:7c:8d:ff:cd:5f:
53:b1:10:23:03:38:12:12:a8:99:c8:35:a1:6a:60:ba:4a:f4:
61:7f:96:cb:81:70:f3:c6:d8:2a:b5:69:b8:d9:56:0a:46:73:
9b:d0:d7:c1:2f:9a:d8:94:ac:37:0b:57:80:f9:a1:ec:e1:bf:
43:76:c6:ea:01:c6:97:c8:55:29:a8:b6:b9:19:bd:81:92:9a:
a9:ec:be:b0:4c:3e:11:f5:8b:8c:8f:af:fa:f5:d4:4d:d7:77:
c0:1f:aa:cd:f7:01:80:ad:62:d4:db:1d:e3:a0:23:77:2f:4b:
ea:65:5c:9e:9c:46:bc:be:ce:f3:71:79:cd:19:c3:44:f5:49:
de:4b:24:a5:8b:48:3e:60:4d:9d:dd:1d:50:35:66:6a:d6:96:
77:7c:19:9b:66:e1:46:de:4e:c2:ce:c5:96:88:2c:d7:7d:cc:
94:ac:1f:23:d4:a8:e9:6d:c0:f3:9f:a8:21:a7:fd:dc:25:95:
6f:eb:e3:a0
$
据我了解,该证书的颁发日期为Go Daddy Secure Certificate Authority至*.openvpn.net。我认为为了验证该证书确实是由 GoDaddy 颁发的,我应该从以下位置下载 GoDaddy 根证书之一:这里。然而,是哪一个呢?如何使用openssl实用程序验证上述证书确实是由 GoDaddy 颁发的?
答案1
使用openssl verify。
例如:
$ openssl verify -CAfile /path/to/issuer.cert /path/to/server.cert
在这种情况下,颁发者应该是 GoDaddy 的中介证书,服务器证书是您要验证的证书。哪个中介是合适的?您的 x.509 输出告诉您:
Authority Information Access:
OCSP - URI:http://ocsp.godaddy.com/
CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt
所以你想要的发行人是http://certificates.godaddy.com/repository/gdig2.crt。
在您的 OpenVPN 配置中,您可以将路径设置gdig2.crt为ca选项,这足以进行验证。为了让您安心,最好检查gdig2.crt一次一直到根的有效性,但就 OpenVPN 而言,您可以告诉它最终信任中介,而不会损失安全性。
子命令的另一种形式verify是使用CApath而不是CAfile:
$ openssl verify -CApath /etc/ssl/certs /path/to/server.cert
路径CApath必须是包含所有受信任颁发者(包括中间 CA 和根 CA)的多个证书的目录,然后运行c_rehash /path/to/directory/.如果您安装了该软件包,您的发行版可能会为您完成此操作ca-certificates。
关于验证失败的通知
openssl0.9.x 和 1.0.x 之间存在不兼容性。如果您认为应该验证但没有验证某个证书,那么您可能正在使用 0.9.x 版本的openssl.查找 1.0.x 的内容并重试。
答案2
查看证书上的“权威信息访问”部分。它会告诉您要下载哪个 CA。然后,您可以验证该证书以查看是谁颁发的,并继续沿着链向上进行。