I'm having a problem verifying a timestamp response with openssl:
When I use
openssl ts -verify -digest 'c9369ce7fe345436e4a14e63708f166adcdccf9d' -in '/tmp/1806078973W4qE6s' -CAfile 'certs.pem'
I get the error message
error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:pk7_smime.c:466:
The CAfile has the format
subject=/C=DE/ST=Berlin/L=Berlin/O=D-Trust GmbH/CN=*.d-trust.net
-----BEGIN CERTIFICATE-----
MIIFgDCCBGigAwIBAgIDFx7uMA0GCSqGSIb3DQEBCwUAMEwxCzAJBgNVBAYTAkRF
MRUwEwYDVQQKDAxELVRydXN0IEdtYkgxJjAkBgNVBAMMHUQtVFJVU1QgU1NMIENs
.... Blablabla ......
neRy7dzB6nTUBxoYcom/BHoveYcbO1fimPtNPNv4PWcvS4bCkeZQ62sbTu6NwO0i
z7D9bcd8/0DSVwoMDkLDn+WkEpk=
-----END CERTIFICATE-----
subject=/C=DE/O=D-Trust GmbH/CN=D-TRUST SSL Class 3 CA 1 2009
-----BEGIN CERTIFICATE-----
MIIFMjCCBBqgAwIBAgIDCZBjMA0GCSqGSIb3DQEBCwUAME0xCzAJBgNVBAYTAkRF
MRUwEwYDVQQKDAxELVRydXN0IEdtYkgxJzAlBgNVBAMMHkQtVFJVU1QgUm9vdCBD
.... Blablabla ......
Wz2KhjFDmAeFg2J89YcpeJJEEJXoweAkgJEEwwEIfJ2yLjYo78RD0Rvij/+zkfj9
+dSvTiZTuqicyo37qNoYHgchuqXnKodhWkW89oo2NKhfeNHHbqvXEJmx0PbI6YyQ
50GnYECZRHNKhgbPEtNy/QetU53aWlTlvu4NIwLW5XVsrxlQ2Zw=
-----END CERTIFICATE-----
I got the certificates using
openssl s_client -connect tsp.d-trust.net:443 -showcerts
My question is: is the CAfile incorrect, or do I have to configure something in OpenSSL?
Thanks!
Answer 0 (score: 0)
It seems you have to store the certificates separately and add them on the command line. This works for me with OpenSSL 1.1.0:
$ openssl ts -verify -CAfile certs/ca-chain.pem -untrusted certs/tsa.pem \
-digest 9c04cd6372077e9b11f70ca111c9807dc7137e4b -in timestamp.tsr
Using configuration from /opt/openssl/ssl/openssl.cnf
Verification: OK
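A reproduction of the behaviour discussed in this thread, as an added example that is not part of the original question or answer: it builds a constructed throwaway root CA and TSA certificate, issues a timestamp reply that does not embed the signer certificate, and compares three `openssl ts -verify` calls. All file names, subject names and the policy OID 1.2.3.4.1 are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: everything below is constructed test data, not the question's files.
verdict() {  # run one `openssl ts -verify` variant in the work dir, print OK or FAIL
  if openssl ts -verify -data doc.txt -in resp.tsr "$@" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

ts_demo() (
  d=$(mktemp -d) && cd "$d" || exit 1
  trap 'cd /; rm -rf "$d"' EXIT
  cat > tsa.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused prompt
[ca_ext]
basicConstraints = critical,CA:true
[tsa_ext]
extendedKeyUsage = critical,timeStamping
[tsa]
default_tsa = tsa1
[tsa1]
serial = ./serial
signer_cert = ./tsa.pem
signer_key = ./tsa.key
signer_digest = sha256
default_policy = 1.2.3.4.1
digests = sha256
EOF
  echo 01 > serial; echo "constructed document" > doc.txt
  {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
      -subj "/CN=Demo Root" -days 2 -config tsa.cnf -extensions ca_ext
    openssl req -new -newkey rsa:2048 -nodes -keyout tsa.key -out tsa.csr \
      -subj "/CN=Demo TSA" -config tsa.cnf
    openssl x509 -req -in tsa.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -out tsa.pem -days 2 -extfile tsa.cnf -extensions tsa_ext
    # No -cert on the query, so the reply does not embed the signer certificate.
    openssl ts -query -config tsa.cnf -data doc.txt -sha256 -out req.tsq
    openssl ts -reply -config tsa.cnf -queryfile req.tsq -out resp.tsr
  } >/dev/null 2>&1 || exit 1
  cat ca.pem tsa.pem > merged.pem   # TSA cert placed in the trust file, as in the question
  echo "ca_only=$(verdict -CAfile ca.pem)" \
       "merged=$(verdict -CAfile merged.pem)" \
       "untrusted=$(verdict -CAfile ca.pem -untrusted tsa.pem)"
)

ts_demo
```

Only the last call succeeds: `openssl ts -verify` looks for the signer certificate among the certificates embedded in the reply and those passed with `-untrusted`, not in the `-CAfile` trust store.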