如何手动验证 CA 签名的 SSL 证书

Question 1

我倾向于快速通过curl -Iv https://www.example.com。curl 将转储出相关的 SSL 位（并将使用它手头上的 CA 列表）。

如果您需要手动执行更多操作，则可以openssl verify使用正确的选项运行，特别是 -CApath 选项：

$ openssl verify --help
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...

我猜你的问题是服务器没有发布中间证书包。看看https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR657（或者更具体地说，来自 Verisign 的有关如何安装证书的电子邮件说明）。

Answer

我倾向于快速通过curl -Iv https://www.example.com。curl 将转储出相关的 SSL 位（并将使用它手头上的 CA 列表）。

如果您需要手动执行更多操作，则可以openssl verify使用正确的选项运行，特别是 -CApath 选项：

$ openssl verify --help
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...

我猜你的问题是服务器没有发布中间证书包。看看https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR657（或者更具体地说，来自 Verisign 的有关如何安装证书的电子邮件说明）。

Question 2

这是因为您在命令行上没有使用或-CApath。这些参数告诉 openssl 在目录或特定文件中查找受信任的 CA 文件的位置。-CAfile

用它：

openssl s_client -CAfile /etc/ssl/ca-bundle.pem -connect www.bofa.com:443
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL CA
verify return:1
depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private Organization, serialNumber = 2927442, C = US, postalCode = 60603, ST = Illinois, L = Chicago, street = 135 S La Salle St, O = Bank of America Corporation, OU = Network Infrastructure, CN = www.bankofamerica.com
verify return:1

没有它：

openssl s_client -connect www.bofa.com:443CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0

产生重大影响。

Answer

这是因为您在命令行上没有使用或-CApath。这些参数告诉 openssl 在目录或特定文件中查找受信任的 CA 文件的位置。-CAfile

用它：

openssl s_client -CAfile /etc/ssl/ca-bundle.pem -connect www.bofa.com:443
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL CA
verify return:1
depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private Organization, serialNumber = 2927442, C = US, postalCode = 60603, ST = Illinois, L = Chicago, street = 135 S La Salle St, O = Bank of America Corporation, OU = Network Infrastructure, CN = www.bankofamerica.com
verify return:1

没有它：

openssl s_client -connect www.bofa.com:443CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0

产生重大影响。

如何手动验证 CA 签名的 SSL 证书

答案1

答案2

相关内容