我的客户希望对其证书进行非常严格的验证。
我建议他们使用“openssl verify”,但似乎这不像“s_client”那么严格。
例如: 假设我有一系列中间体A,B,C(其中A是站点,C指向根,B是中间体),但是一些未连接的中间体渗入证书。让我们称之为X - 证书现在包含A,B,X,C。
s_client将失败,而验证则不会。 我还检查了一些在线服务 - 大多数都没有失败。例如digicert将失败 - 说明链断了。
我试过寻找一个openssl verify标志,我甚至试图运行s_server然后用s_client验证无效。
还有办法对此进行验证吗?
答案 0 :(得分:0)
使用gnutls包中的'certtool',而不是openssl。
良好的链条:
$ cat A B C | certtool -e
Certificate[0]: <subject for A>
Issued by: <subject for B>
Verifying against certificate[1].
Verification output: Verified.
Certificate[1]: <subject for B>
Issued by: <subject for C>
Verifying against certificate[2].
Verification output: Verified.
Certificate[2]: <subject for C>
Issued by: <subject for C>
Verification output: Verified.
Chain verification output: Verified.
坏链:
$ cat A B X C | certtool -e
Certificate[0]: <subject for A>
Issued by: <subject for B>
Verifying against certificate[1].
Verification output: Verified.
Certificate[1]: <subject for B>
Issued by: <subject for C>
Verifying against certificate[2].
Error: Issuer's name: <subject for X>
certtool: issuer name does not match the next certificate