When building a certificate bundle by hand, you typically do something like the following to append the intermediate certificate (and sometimes the root CA) to your own certificate:
# Concatenate intermediate certificate and root certificate
cat ${CERTNAME}.single.pem DigiCertSHA2ExtendedValidationServerCA.pem DigiCertHighAssuranceEVRootCA.pem > ${CERTNAME}.pem
I recently appended an intermediate certificate that belonged to a different CA, and of course Chrome warned me that it could not verify the certificate. I would like to know how I can find this out in advance, e.g. with openssl or keytool, to make sure I only concatenate certificates that actually belong in the chain.
When I make a "human-readable dump" of the Buypass intermediate certificate, I get the following:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1b:78:1c:6d:5e:34:ce:1f:77
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = NO, O = Buypass AS-983163327, CN = Buypass Class 2 Root CA
        Validity
            Not Before: Mar 25 12:17:10 2019 GMT
            Not After : Oct 26 09:16:17 2030 GMT
        Subject: C = NO, O = Buypass AS-983163327, CN = Buypass Class 2 CA 2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:9c:ab:67:c6:96:4b:0d:0f:91:d2:ec:ca:cc:33:
                    2b:f3:72:fc:0e:7f:b9:4e:84:a9:0f:7d:73:aa:26:
                    ...
(using openssl x509 -in my-cert.pem -noout -text)
The Subject field of this intermediate certificate is the same as the Issuer field of my own certificate, so I suppose I could extract that and grep for it, but although that would probably be good enough in 99% of cases, it does not feel right :) Is there some kind of signature that can be used to verify the "lineage" between the two?