openssl ignores the intermediate certificate in a pkcs12 file

After creating a new S/MIME certificate, I still need to produce a valid PKCS #12 file that most mail clients will accept:

$ openssl verify smime.pfx
CN = [email protected], emailAddress = [email protected]
error 20 at 0 depth lookup: unable to get local issuer certificate
error smime.pfx: verification failed

If I specify the intermediate certificate, the chain looks fine:

$ openssl verify -show_chain -untrusted Certum_SMIME_RSA_CA.pem smime.pfx
smime.pfx: OK
Chain:
depth=0: CN = [email protected], emailAddress = [email protected] (untrusted)
depth=1: C = PL, O = Asseco Data Systems S.A., CN = Certum SMIME RSA CA (untrusted)
depth=2: C = PL, O = Asseco Data Systems S.A., OU = Certum Certification Authority, CN = Certum Trusted Root CA

However, that file was already specified when the pfx file was created:

$ openssl pkcs12 -export -inkey privatekey.key -in smime.pem \
    -certfile Certum_SMIME_RSA_CA.pem -out smime.pfx

According to openssl, the intermediate certificate is present:

$ openssl pkcs12 -in smime.pfx -nodes | grep -E "subject|issuer"
subject=CN = [email protected], emailAddress = [email protected]
issuer=C = PL, O = Asseco Data Systems S.A., CN = Certum SMIME RSA CA
subject=C = PL, O = Asseco Data Systems S.A., CN = Certum SMIME RSA CA
issuer=C = PL, O = Asseco Data Systems S.A., OU = Certum Certification Authority, CN = Certum Trusted Root CA

So what exactly am I missing? Why is the intermediate certificate in the pfx file ignored?

Answer 1

From the man page:

openssl verify [options skipped] [--] [certificate ...]

[option descriptions skipped]

certificate ...

    One or more target certificates to verify, one per file. If no certificates are given, this 
    command will attempt to read a single certificate from standard input.

Note the "one per file". The certs needed to build that chain are looked for in -untrusted and -trusted if specified, and in -CAfile/path/store if specified (or their respective defaults unless disabled with the corresponding -no option), but not in the input file.

Using a PKCS12-aka-PFX file as input to verify is only supported in 3.0.0 and up (since 2021), but the equivalent mistake of trying to use a PEM-format "chain" file with verify has been common for a long time; see https://stackoverflow.com/questions/65204616/why-does-openssl-verify-fail-with-a-certificate-chain-file-while-it-succeeds-wit and many more links.
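A reproducible demonstration of the answer's point, added here as an example and not part of the original post or the asker's setup: it builds a throwaway root, intermediate and leaf with openssl (all names, keys and the PFX password are constructed), packs leaf plus intermediate into a PFX with -certfile exactly as the question did, and shows that verify only succeeds once the intermediate pulled back out of the PFX is handed over with -untrusted.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI (1.1.1 or 3.x).
set -eu
WORK=$(mktemp -d)
cd "$WORK"
PASS=pass:constructed-test-password   # constructed; only protects the throwaway PFX

# Extension files so the chain does not depend on the system openssl.cnf defaults
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=emailProtection\n' > leaf.ext

# Throwaway root CA (self-signed)
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Test Root" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root.pem 2>/dev/null
# Intermediate CA, signed by the root
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj "/CN=Test Intermediate" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1 -extfile ca.ext -out inter.pem 2>/dev/null
# End-entity (S/MIME-style) certificate, signed by the intermediate
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=user@example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 1 -extfile leaf.ext -out leaf.pem 2>/dev/null

# Same packaging step as in the question: the intermediate goes in via -certfile
openssl pkcs12 -export -inkey leaf.key -in leaf.pem -certfile inter.pem -out smime.pfx -passout "$PASS"

# Pull the certificates back out of the PFX, leaf and CA certs into separate files
openssl pkcs12 -in smime.pfx -passin "$PASS" -clcerts -nokeys -out leaf-from-pfx.pem 2>/dev/null
openssl pkcs12 -in smime.pfx -passin "$PASS" -cacerts -nokeys -out cacerts-from-pfx.pem 2>/dev/null

# Exit status 0 only if verify succeeds. verify builds the chain from -untrusted and
# -CAfile (or their defaults), never from certificates sitting next to the input cert.
verify_without_untrusted() {
  openssl verify -CAfile root.pem leaf-from-pfx.pem >/dev/null 2>&1
}
verify_with_untrusted() {
  openssl verify -CAfile root.pem -untrusted cacerts-from-pfx.pem leaf-from-pfx.pem >/dev/null 2>&1
}

verify_without_untrusted && echo "unexpected: verified without the intermediate" \
  || echo "as in the question: error 20 (no local issuer) without -untrusted"
verify_with_untrusted && echo "OK once the intermediate from the PFX is passed via -untrusted"
```

The same -cacerts extraction works on a real PFX such as smime.pfx from the question, which is the practical way to get the intermediate that -certfile stored there back into a form verify will actually use.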
