创建新的 S/MIME 证书后,我仍然需要创建大多数邮件客户端都能接受的有效 PKCS #12 文件:
$ openssl verify smime.pfx
CN = [email protected], emailAddress = [email protected]
error 20 at 0 depth lookup: unable to get local issuer certificate
error smime.pfx: verification failed
如果我指定中间证书,则链看起来很好:
openssl verify -show_chain -untrusted Certum_SMIME_RSA_CA.pem smime.pfx
smime.pfx: OK
Chain:
depth=0: CN = [email protected], emailAddress = [email protected] (untrusted)
depth=1: C = PL, O = Asseco Data Systems S.A., CN = Certum SMIME RSA CA (untrusted)
depth=2: C = PL, O = Asseco Data Systems S.A., OU = Certum Certification Authority, CN = Certum Trusted Root CA
但是,创建 pfx 文件时已指定该文件:
$ openssl pkcs12 -export -inkey privatekey.key -in smime.pem \
-certfile Certum_SMIME_RSA_CA.pem -out smime.pfx
根据 openssl,存在中间证书:
$ openssl pkcs12 -in smime.pfx -nodes | grep -E "subject|issuer"
subject=CN = [email protected], emailAddress = [email protected]
issuer=C = PL, O = Asseco Data Systems S.A., CN = Certum SMIME RSA CA
subject=C = PL, O = Asseco Data Systems S.A., CN = Certum SMIME RSA CA
issuer=C = PL, O = Asseco Data Systems S.A., OU = Certum Certification Authority, CN = Certum Trusted Root CA
那么我到底错过了什么?为什么忽略了 pfx 文件中的中间证书?
答案1
从手册页中:
openssl verify [options skipped] [–] [certificate ...]
[option descriptions skipped]
certificate ...
One or more target certificates to verify, one per file. If no certificates are given, this
command will attempt to read a single certificate from standard input.
注意“每个文件一个”。构建该链所需的证书一如果指定了,则会在-untrusted和中查找 cert ;如果指定了,则会在中查找,如果未指定相关选项,则会使用其各自的默认值——但不会在输入文件中查找。-trusted-CAfile/path/store-no
使用 PKCS12-aka-PFX 文件作为输入verify仅在 3.0.0 以上版本(自 2021 年起)受支持,但尝试使用 PEM 格式的“链”文件的等效错误verify早已很常见;请参阅https://stackoverflow.com/questions/65204616/why-does-openssl-verify-fail-with-a-certificate-chain-file-while-it-succeeds-wit以及更多链接。