Unable to verify SSL certificate using openssl

5
What I'm trying to do: establish a clean connection to a remote site using openssl -connect.
The site appears to be self-signed.
What I'm getting:
CONNECTED(00000003)
depth=0 CN = DC01.home.pri
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = DC01.home.pri
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = DC01.home.pri
verify error:num=21:unable to verify the first certificate
verify return:1
...
...
Verify return code: 21 (unable to verify the first certificate)

What I've tried:
echo -n | openssl s_client -connect DC01.home.pri:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.pem
echo -n | openssl s_client -connect DC01.home.pri:636 -CAfile ldapserver.pem

sudo cp ldapserver.pem /etc/ssl/certs/ldapserver.pem
sudo c_rehash /etc/ssl/certs/
echo -n | openssl s_client -connect dc01.home.pri:636 -CApath /etc/ssl/certs/

I've also tried

openssl verify -CAfile /etc/ssl/certs/ldapserver.pem ldapserver.pem 
openssl verify -CApath /etc/ssl/certs/ ldapserver.pem

With the result

ldapserver.pem: CN = DC01.home.pri
error 20 at 0 depth lookup:unable to get local issuer certificate

I have changed the CN/hostname to protect myself. The hostname has also been added to my hosts file, in case that helps.
Censored PEM file
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            64:c7:48:64:00:00:00:00:00:d0
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=pri, DC=home, CN=home-HOMECA-CA
        Validity
            Not Before: Mar  7 22:41:45 2015 GMT
            Not After : Mar  6 22:41:45 2016 GMT
        Subject: CN=DC01.home.pri
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    <CENSORED>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.20.2: 
                . .D.o.m.a.i.n.C.o.n.t.r.o.l.l.e.r
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            S/MIME Capabilities: 
......0...`.H.e...*0...`.H.e...-0...`.H.e....0...`.H.e....0...+....0
..*.H..
            X509v3 Subject Alternative Name: 
                othername:<unsupported>, DNS:DC01.home.pri
            X509v3 Subject Key Identifier: 
                <CENSORED>
            X509v3 Authority Key Identifier: 
                keyid:<CENSORED>

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:ldap:///CN=home-HOMECA-CA,CN=HOMECA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=home,DC=pri?certificateRevocationList?base?objectClass=cRLDistributionPoint
                  URI:http://homeca.home.pri/CertEnroll/home-HOMECA-CA.crl

            Authority Information Access: 
                CA Issuers - URI:ldap:///CN=home-CA-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=home,DC=pri?cACertificate?base?objectClass=certificationAuthority

    Signature Algorithm: sha1WithRSAEncryption
         <CENSORED>

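Does the site appear to be self-signed, or is it actually self-signed? Can you post ldapserver.pem? - frasertweedale
Added the censored pem file. Unless you mean the Base64, which I can't paste because it is for a different hostname, to protect those involved. I have changed the hostname and issuer name to fit the theme. - Clown Man
1 Answer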

6
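The certificate you posted is not self-signed; the issuer (DC=pri, DC=home, CN=home-HOMECA-CA) differs from the subject (CN=DC01.home.pri).
When verifying the certificate, OpenSSL cannot find the local issuer certificate (or the issuer of the first certificate in the chain received from the web server during the TLS handshake) to use for verifying the signature.
You need to supply the issuer certificate to openssl verify (or put it in the trust store):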
openssl verify -CAfile /etc/ssl/certs/<issuer-cert>.pem ldapserver.pem

2
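I was hoping I could bypass issuer verification and verify using the server's own pem file. In the end I obtained the CA certificate, and that looks like the solution. - Clown Man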
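
The failure and the fix discussed in this answer, reproduced offline as an added example (not code from the original post or its answer). The CA name Demo-CA, the leaf name leaf.example.test and all file names are constructed, and the script assumes an openssl binary with its default configuration file.

```shell
#!/bin/sh
# Added example. Demo-CA, leaf.example.test and all file names are constructed.

# Exit 0 if the certificate's subject and issuer names are identical.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# verify_with ANCHOR CERT: exit 0 only if CERT chains up to ANCHOR.
verify_with() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_demo_pki DIR: create a throwaway CA (ca.pem) and a leaf it signs (leaf.pem).
make_demo_pki() (
    cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo-CA" \
        -keyout ca.key -out ca.pem 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
        -keyout leaf.key -out leaf.csr 2>/dev/null &&
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 1 -out leaf.pem 2>/dev/null
)

dir=$(mktemp -d) || exit 1
make_demo_pki "$dir" || { echo "openssl setup failed" >&2; exit 1; }
# The leaf's issuer differs from its subject, so it is not self-signed.
for cert in ca.pem leaf.pem; do
    if is_self_signed "$dir/$cert"; then s=yes; else s=no; fi
    echo "$cert self-signed: $s"
done
# Using the leaf as its own trust anchor fails; the issuer's certificate works.
for anchor in leaf.pem ca.pem; do
    if verify_with "$dir/$anchor" "$dir/leaf.pem"; then r=OK; else r=FAILED; fi
    echo "leaf.pem verified with -CAfile $anchor: $r"
done
rm -rf "$dir"
```
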

Page content provided by Stack Overflow.