Verifying a certificate with a redundant intermediate

Time: 2012-05-10 09:05:55

Tags: ssl openssl

My client wants very strict validation of their certificates.

I suggested they use "openssl verify", but it seems this is not as strict as "s_client".

For example: suppose I have a series of intermediates A, B, C (where A is the site, C points to the root, and B is an intermediate), but some unconnected intermediate has crept into the certificate. Let's call it X - the certificate now contains A, B, X, C.

s_client will fail, but verify will not. I also checked some online services - most of them do not fail. DigiCert, for example, does fail - saying the chain is broken.

I tried looking for an openssl verify flag, and I even tried running s_server and then validating with s_client, without success.

Is there any way to verify this?

1 answer:

Answer 0 (score: 0)

Use 'certtool' from the gnutls package instead of openssl.

Good chain:

$ cat A B C | certtool -e
Certificate[0]: <subject for A>
    Issued by: <subject for B>
    Verifying against certificate[1].
    Verification output: Verified.

Certificate[1]: <subject for B>
    Issued by: <subject for C>
    Verifying against certificate[2].
    Verification output: Verified.

Certificate[2]: <subject for C>
    Issued by: <subject for C>
    Verification output: Verified.

Chain verification output: Verified.

Bad chain:

$ cat A B X C | certtool -e
Certificate[0]: <subject for A>
    Issued by: <subject for B>
    Verifying against certificate[1].
    Verification output: Verified.

Certificate[1]: <subject for B>
    Issued by: <subject for C>
    Verifying against certificate[2].
Error: Issuer's name: <subject for X>
certtool: issuer name does not match the next certificate
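As an added example (not part of the original answer), the same adjacency check that certtool -e performs, scripted over the openssl CLI: each certificate's issuer name must equal the next certificate's subject name, and the last one must be self-signed. The certificates it builds (single-letter CNs A, B, C and the stray X) are constructed test material, and the check covers names only, so run "openssl verify" alongside it for the signatures.

```shell
# Strict chain-order check modelled on what "certtool -e" reports: split a
# PEM bundle and require that certificate[i]'s issuer equals certificate[i+1]'s
# subject and that the last one is self-signed ("openssl verify" does not).

# Print the subject or issuer name of one PEM certificate in RFC2253 form.
name_of() {  # name_of subject|issuer FILE
    openssl x509 -noout -"$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# strict_chain_check BUNDLE: return 0 if the chain is contiguous, 1 (printing
# where it breaks) if a foreign certificate sits between two links.
strict_chain_check() {
    dir=$(mktemp -d)
    # Split the bundle into cert.0, cert.1, ... in the order they appear.
    awk -v d="$dir" '/BEGIN CERT/{f=sprintf("%s/cert.%d",d,n); n++} {print > f}' "$1"
    n=$(ls "$dir"/cert.* | wc -l | tr -d ' ')
    i=0
    while [ $((i + 1)) -lt "$n" ]; do
        issuer=$(name_of issuer "$dir/cert.$i")
        next=$(name_of subject "$dir/cert.$((i + 1))")
        if [ "$issuer" != "$next" ]; then
            echo "certificate[$i] issued by '$issuer' but certificate[$((i + 1))] is '$next'"
            rm -rf "$dir"; return 1
        fi
        i=$((i + 1))
    done
    last="$dir/cert.$((n - 1))"
    [ "$(name_of issuer "$last")" = "$(name_of subject "$last")" ] ||
        { echo "last certificate is not self-signed"; rm -rf "$dir"; return 1; }
    rm -rf "$dir"
}

# Constructed test material (not real CA certificates): root C signs
# intermediate B, B signs leaf A; X is an unrelated self-signed certificate.
make_test_chain() {  # make_test_chain DIR -> writes DIR/good.pem and DIR/bad.pem
    d="$1"
    for name in C X; do
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/$name.key" \
            -out "$d/$name.pem" -subj "/CN=$name" -days 1 2>/dev/null
    done
    for pair in "B C" "A B"; do
        set -- $pair  # $1 = certificate to create, $2 = its issuer
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$1.key" \
            -out "$d/$1.csr" -subj "/CN=$1" 2>/dev/null
        openssl x509 -req -in "$d/$1.csr" -CA "$d/$2.pem" -CAkey "$d/$2.key" \
            -CAcreateserial -out "$d/$1.pem" -days 1 2>/dev/null
    done
    cat "$d/A.pem" "$d/B.pem" "$d/C.pem" > "$d/good.pem"           # A, B, C
    cat "$d/A.pem" "$d/B.pem" "$d/X.pem" "$d/C.pem" > "$d/bad.pem"  # A, B, X, C
}
```

Running make_test_chain into a temporary directory and then strict_chain_check on good.pem succeeds, while bad.pem reports the break at certificate[1], whose issuer CN=C does not match certificate[2]'s subject CN=X.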