我试图了解如何检查 SSL 证书,并在证书链如下时考虑任何相关的已发布 CRL:
- 根 CA(没有 CRL 分发点)
- 中级 CA(公布由根 CA 签名的 CRL 分发点)
- 网站证书(公布由中级 CA 签名的 CRL DP)
- 中级 CA(公布由根 CA 签名的 CRL 分发点)
因此,需要检查两个 CRL 列表。
碰巧的是,BBC 的网站就是按照上面的配置来配置的,所以我们就以此为例吧。我使用的文件在本问题的末尾。
当我尝试在不检查 CRL 的情况下验证证书时,一切正常:
$ openssl verify -CAfile intermediate_fullchain.pem bbc.pem
bbc.pem: OK
当我尝试从证书中给出的 CRL URL 检查 CRL 时,出现错误:
$ openssl verify -crl_download -crl_check_all -CAfile intermediate_fullchain.pem bbc.pem
Error loading CRL from http://crl.globalsign.com/gsrsaovsslca2018.crl
C = GB, ST = London, L = London, O = British Broadcasting Corporation, CN = www.bbc.com
error 3 at 0 depth lookup: unable to get certificate CRL
error bbc.pem: verification failed
这对我来说很有意义,因为 crl 文件是 DER 格式,而 openssl 需要 PEM 格式,所以让我们下载 CRL 并将其转换为 PEM。可以使用以下方法找到 CRL URL:
$ openssl x509 -in bbc.pem -text -noout
$ openssl x509 -in intermediate_fullchain.pem -text -noout
然后我做了:
$ wget -O intermediate_crl.der http://crl.globalsign.com/gsrsaovsslca2018.crl
$ openssl crl -inform DER -in intermediate_crl.der -outform PEM -out intermediate_crl.pem
$ wget -O root_crl.der http://crl.globalsign.com/root-r3.crl
$ openssl crl -inform DER -in root_crl.der -outform PEM -out root_crl.pem
现在,我认为我已经拥有验证证书所需的一切:
$ openssl verify -crl_check_all -CRLfile intermediate_crl.pem -CRLfile root_crl.pem -CAfile intermediate_fullchain.pem bbc.pem
OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
error 3 at 2 depth lookup: unable to get certificate CRL
error bbc.pem: verification failed
但是,不行!验证仍然失败。我的问题:
- 上述命令中的问题到底是什么?这是否意味着 OpenSSL 期望根 CA 具有 CRL?
- 根据 CA 链中通告的两个 CRL 检查证书的正确方法是什么?
文件
bbc.pem:网络服务器证书:
-----BEGIN CERTIFICATE-----
MIIGQTCCBSmgAwIBAgIMcaxXcd68D+KtpOdTMA0GCSqGSIb3DQEBCwUAMFAxCzAJ
BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSYwJAYDVQQDEx1H
bG9iYWxTaWduIFJTQSBPViBTU0wgQ0EgMjAxODAeFw0yMDA3MjIwNjE2MTJaFw0y
MTA5MDUwOTM2MDRaMHAxCzAJBgNVBAYTAkdCMQ8wDQYDVQQIEwZMb25kb24xDzAN
BgNVBAcTBkxvbmRvbjEpMCcGA1UEChMgQnJpdGlzaCBCcm9hZGNhc3RpbmcgQ29y
cG9yYXRpb24xFDASBgNVBAMTC3d3dy5iYmMuY29tMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEArtLH/eDBkXjRKaXAqNlitSr2AX7dcSxnbfVoUf54aw+B
e216fMXbZIDA6GUL4fcX3vOvl3PKZ4N1dy0dKsFUrnDpbhx8pY6kGk3lSbCnkGxl
BF8upikv8zaoYoCIvDa23u+ySrp36X8AObjYUKTWoMol7LZWVG7CpnI7JT0cqhUM
gxv2kBGhVjMkE+m0CUBj0/iLkgLb+3aUIs3d9Q1OwIvRJ/UFepEcYtejzx5M5RSy
llF4O9C8Cmmhpv04uUH8uAT1itIsvgZeYa00Cdy7cP1Hi7K7tsgZKn6uilN7B49N
NmBDusKuVHrP8v0F2lcTkDOmJ+Zw2c0gJ67wALa9iwIDAQABo4IC+TCCAvUwDgYD
VR0PAQH/BAQDAgWgMIGOBggrBgEFBQcBAQSBgTB/MEQGCCsGAQUFBzAChjhodHRw
Oi8vc2VjdXJlLmdsb2JhbHNpZ24uY29tL2NhY2VydC9nc3JzYW92c3NsY2EyMDE4
LmNydDA3BggrBgEFBQcwAYYraHR0cDovL29jc3AuZ2xvYmFsc2lnbi5jb20vZ3Ny
c2FvdnNzbGNhMjAxODBWBgNVHSAETzBNMEEGCSsGAQQBoDIBFDA0MDIGCCsGAQUF
BwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzAIBgZn
gQwBAgIwCQYDVR0TBAIwADA/BgNVHR8EODA2MDSgMqAwhi5odHRwOi8vY3JsLmds
b2JhbHNpZ24uY29tL2dzcnNhb3Zzc2xjYTIwMTguY3JsMEgGA1UdEQRBMD+CC3d3
dy5iYmMuY29tgg1maWcuYmJjLmNvLnVrggliYmMuY28udWuCDXd3dy5iYmMuY28u
dWuCB2JiYy5jb20wHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1Ud
IwQYMBaAFPjvf/LNeGeo3m+PJI2I8YcDArPrMB0GA1UdDgQWBBSvGSL6A6GbUeKH
HwdxKEWAudpPEDCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB1AG9Tdqwx8DEZ2JkA
pFEV/3cVHBHZAsEAKQaNsgiaN9kTAAABc3UqVeQAAAQDAEYwRAIgF7brqFHI/uEo
a+COjDTXQC2V3XozhL8D4mI/IntAF+wCIGf6iKNfKHXWnD0HLYOQCWqkJuoF1yp5
r90GJ8lbjev3AHYAfT7y+I//iFVoJMLAyp5SiXkrxQ54CX8uapdomX4i8NcAAAFz
dSpV8gAABAMARzBFAiEAwkwvvC397cnYRM8FzZ7XoG1L/c/266q+NO+lbiqYStoC
IE6s0LO8vXbbRF+J7DUOoBILKnsIQeTJM058Gf00Q1fAMA0GCSqGSIb3DQEBCwUA
A4IBAQBKUGAEnhZYx0Tb3k1OUXZ2v+/xdVq90bWTJIV6lk7586Cdd88HOR2MzVtX
eKu3fgfGiNXcu6p2DQXPu64pB3np0s5BrRGzMFdH8XyjHocNOa7IsBJCQWj7Vrro
TD3Y01Lafq2LkHl5VFTHGitMK2Ecsxw/CLiBp/pEBcWeE1mp7KRTraT7UptqdLJC
1CVoLhADvK8Ww8LiOE2ka8UZrMY6qGbjCrgBFnnAypa7gbv46iJFJ8uqPnR7+4dq
amxUCPW1nI7MOzZBjHZ9D3KIp+msmtgaJu7/KSEq2Eimp0PBzolbxiIBvmTJ0G9N
EeXysI6nG1L/j5+RWaQIS+r5xRsj
-----END CERTIFICATE-----
intermediate_fullchain.pem:中级 CA 证书,带有指向根 CA 的证书链:
-----BEGIN CERTIFICATE-----
MIIETjCCAzagAwIBAgINAe5fIh38YjvUMzqFVzANBgkqhkiG9w0BAQsFADBMMSAw
HgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEGA1UEChMKR2xvYmFs
U2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0xODExMjEwMDAwMDBaFw0yODEx
MjEwMDAwMDBaMFAxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52
LXNhMSYwJAYDVQQDEx1HbG9iYWxTaWduIFJTQSBPViBTU0wgQ0EgMjAxODCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKdaydUMGCEAI9WXD+uu3Vxoa2uP
UGATeoHLl+6OimGUSyZ59gSnKvuk2la77qCk8HuKf1UfR5NhDW5xUTolJAgvjOH3
idaSz6+zpz8w7bXfIa7+9UQX/dhj2S/TgVprX9NHsKzyqzskeU8fxy7quRU6fBhM
abO1IFkJXinDY+YuRluqlJBJDrnw9UqhCS98NE3QvADFBlV5Bs6i0BDxSEPouVq1
lVW9MdIbPYa+oewNEtssmSStR8JvA+Z6cLVwzM0nLKWMjsIYPJLJLnNvBhBWk0Cq
o8VS++XFBdZpaFwGue5RieGKDkFNm5KQConpFmvv73W+eka440eKHRwup08CAwEA
AaOCASkwggElMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEAMB0G
A1UdDgQWBBT473/yzXhnqN5vjySNiPGHAwKz6zAfBgNVHSMEGDAWgBSP8Et/qC5F
JK5NUPpjmove4t0bvDA+BggrBgEFBQcBAQQyMDAwLgYIKwYBBQUHMAGGImh0dHA6
Ly9vY3NwMi5nbG9iYWxzaWduLmNvbS9yb290cjMwNgYDVR0fBC8wLTAroCmgJ4Yl
aHR0cDovL2NybC5nbG9iYWxzaWduLmNvbS9yb290LXIzLmNybDBHBgNVHSAEQDA+
MDwGBFUdIAAwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5j
b20vcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAJmQyC1fQorUC2bbmANz
EdSIhlIoU4r7rd/9c446ZwTbw1MUcBQJfMPg+NccmBqixD7b6QDjynCy8SIwIVbb
0615XoFYC20UgDX1b10d65pHBf9ZjQCxQNqQmJYaumxtf4z1s4DfjGRzNpZ5eWl0
6r/4ngGPoJVpjemEuunl1Ig423g7mNA2eymw0lIYkN5SQwCuaifIFJ6GlazhgDEw
fpolu4usBCOmmQDo8dIm7A9+O4orkjgTHY+GzYZSR+Y0fFukAj6KYXwidlNalFMz
hriSqHKvoflShx8xpfywgVcvzfTO3PYkz6fiNJBonf6q8amaEsybwMbDqKWwIX7e
SPY=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIETjCCAzagAwIBAgINAe5fFp3/lzUrZGXWajANBgkqhkiG9w0BAQsFADBXMQsw
CQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEQMA4GA1UECxMH
Um9vdCBDQTEbMBkGA1UEAxMSR2xvYmFsU2lnbiBSb290IENBMB4XDTE4MDkxOTAw
MDAwMFoXDTI4MDEyODEyMDAwMFowTDEgMB4GA1UECxMXR2xvYmFsU2lnbiBSb290
IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkdsb2JhbFNp
Z24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDMJXaQeQZ4Ihb1wIO2
hMoonv0FdhHFrYhy/EYCQ8eyip0EXyTLLkvhYIJG4VKrDIFHcGzdZNHr9SyjD4I9
DCuul9e2FIYQebs7E4B3jAjhSdJqYi8fXvqWaN+JJ5U4nwbXPsnLJlkNc96wyOkm
DoMVxu9bi9IEYMpJpij2aTv2y8gokeWdimFXN6x0FNx04Druci8unPvQu7/1PQDh
BjPogiuuU6Y6FnOM3UEOIDrAtKeh6bJPkC4yYOlXy7kEkmho5TgmYHWyn3f/kRTv
riBJ/K1AFUjRAjFhGV64l++td7dkmnq/X8ET75ti+w1s4FRpFqkD2m7pg5NxdsZp
hYIXAgMBAAGjggEiMIIBHjAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB
/zAdBgNVHQ4EFgQUj/BLf6guRSSuTVD6Y5qL3uLdG7wwHwYDVR0jBBgwFoAUYHtm
GkUNl8qJUC99BM00qP/8/UswPQYIKwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFo
dHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9yb290cjEwMwYDVR0fBCwwKjAooCag
JIYiaHR0cDovL2NybC5nbG9iYWxzaWduLmNvbS9yb290LmNybDBHBgNVHSAEQDA+
MDwGBFUdIAAwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5j
b20vcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBACNw6c/ivvVZrpRCb8RD
M6rNPzq5ZBfyYgZLSPFAiAYXof6r0V88xjPy847dHx0+zBpgmYILrMf8fpqHKqV9
D6ZX7qw7aoXW3r1AY/itpsiIsBL89kHfDwmXHjjqU5++BfQ+6tOfUBJ2vgmLwgtI
fR4uUfaNU9OrH0Abio7tfftPeVZwXwzTjhuzp3ANNyuXlava4BJrHEDOxcd+7cJi
WOx37XMiwor1hkOIreoTbv3Y/kIvuX1erRjvlJDKPSerJpSZdcfL03v3ykzTr1Eh
kluEfSufFT90y1HonoMOFm8b50bOI7355KKL0jlrqnkckSziYSQtjipIcJDEHsXo
4HA=
-----END CERTIFICATE-----
答案1
这intermediate_fullchain.pem文件不包含自签名根。我不得不下载正确的来自 GlobalSign,尽管您的机器可能已经安装了它,在这种情况下,您只需从上面的链文件中删除错误的中间件。
您可以使用以下方式查看中间体:
openssl crl2pkcs7 -nocrl -certfile intermediate_chain.pem | openssl pkcs7 -print_certs -noout
这使:
subject=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
issuer=/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
subject=/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
issuer=/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
您需要用根 CA 证书替换链中的第二个证书,或者如果您的系统已安装根 CA,则删除它。正是这个证书导致openssl verify无法找到 CRL,因此给您错误。
您可以使用主题和授权密钥标识符扩展来确认链。证书的授权密钥标识符 (AKI) 应该是其签名者(CA)的主题密钥标识符 (SKI)。因此,顶级 BBC 证书的 AKI 是中间 CAF8:EF:7F:F2:CD:78:67:A8:DE:6F:8F:24:8D:88:F1:87:03:02:B3:EB的 SKI。C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018该 CA 证书的 AKI 是上面第一段中链接的根 CA8F:F0:4B:7F:A8:2E:45:24:AE:4D:50:FA:63:9A:8B:DE:E2:DD:1B:BC的 SKI 。OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign
但是,更令人困惑的是,您文件中的第二个中间证书也有一个 SKI 和主题,它与上面链接的根证书相同,但不是自签名的。该证书的 AKI 是另一个根 CA 证书的 AKI,您可能在信任锚存储中拥有该证书(我的旧测试系统没有它,因此它对我来说失败了)。如果不下载链接的根 CA 证书,您的路径将有 4 个证书(1 个终端实体、2 个中间证书和一个根证书),因此需要三个 CRL - 根证书和每个中间证书颁发的一个。
使用正确的链接根,我得到:
openssl verify -crl_check_all -CRLfile all_crl.pem -CAfile intermediate_fullchain.pem bbc.pem
bbc.pem: OK
如果您找到第三个 CRL,那么您应该得到相同的结果。