最新消息:

使用openssl命令校验证书链

IT技术 ipcpu 36浏览 0评论

1、获取网站证书信息

#获取淘宝证书信息
openssl s_client -showcerts -connect www.taobao.com:443

例如:

[root@Ali wss]# openssl s_client -showcerts -connect www.taobao.com:443
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
verify return:1
depth=0 C = CN, ST = ZheJiang, L = HangZhou, O = "Alibaba (China) Technology Co., Ltd.", CN = *.tmall.com
verify return:1
---
Certificate chain
0 s:/C=CN/ST=ZheJiang/L=HangZhou/O=Alibaba (China) Technology Co., Ltd./CN=*.tmall.com
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
-----BEGIN CERTIFICATE-----
#@这是第1张证书,*.tmall.com的证书
#@签发者是GlobalSign Organization Validation CA - SHA256 - G2
-----END CERTIFICATE-----
1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
-----BEGIN CERTIFICATE-----
#@这是第2张证书,是GlobalSign Organization Validation CA - SHA256 - G2
#@签发者是GlobalSign Root CA
-----END CERTIFICATE-----
---
Server certificate
subject=/C=CN/ST=ZheJiang/L=HangZhou/O=Alibaba (China) Technology Co., Ltd./CN=*.tmall.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4041 bytes and written 373 bytes

2、验证证书链

我们以天猫证书的三级结构为例:

+GlobalSign Root CA,这是一张自签证书,内置在浏览器上
++GlobalSign Organization Validation CA - SHA256 - G2,中间证书
+++*.tmall.com,天猫的泛域名证书

分别保存为GlobalSign.CA.cer,Middle.cer 和 TMall.cer
可以用如下方法验证证书链:

[root@Ali wss]# openssl verify GlobalSign.CA.cer 
GlobalSign.CA.cer: OK
#@直接校验CA,发现没问题
[root@Ali wss]# openssl verify -CAfile GlobalSign.CA.cer Middle.cer 
Middle.cer: OK
#@使用CA校验中间证书,也没问题
[root@Ali wss]# openssl verify -CAfile Middle.cer TMall.cer 
TMall.cer: C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
error 2 at 1 depth lookup:unable to get issuer certificate
#@使用中间证书校验TMALL证书,失败
[root@Ali wss]# openssl verify -CAfile GlobalSign.CA.cer TMall.cer 
TMall.cer: C = CN, ST = ZheJiang, L = HangZhou, O = "Alibaba (China) Technology Co., Ltd.", CN = *.tmall.com
error 20 at 0 depth lookup:unable to get local issuer certificate
#@使用CA校验TMALL证书,失败
[root@Ali wss]# cat GlobalSign.CA.cer Middle.cer > bundle.cer
[root@Ali wss]# openssl verify -CAfile bundle.cer TMall.cer 
TMall.cer: OK
#@将CA和中间证书合并,校验TMALL证书,成功

转载请注明:IPCPU-网络之路 » 使用openssl命令校验证书链

发表我的评论
取消评论
表情

Hi,您需要填写昵称和邮箱!

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址