JKJS
我有这个证书链: rcert.pem(自签名) - > scert.pem - > ccert.pem
所有三个证书都是由我生成的。没有任何地方可以使用互联网连接。这是完美的离线工作。 现在,下面是一些命令及其输出:
hari@harikrishna:~/hari$ openssl verify rcert.pem
rcert.pem: C = IN, ST = OM, L = OM, O = HARI, OU = HARI, CN = OM, emailAddress = OM
error 18 at 0 depth lookup:self signed certificate
OK
hari@harikrishna:~/hari$ openssl verify -CAfile rcert.pem scert.pem
scert.pem: OK
hari@harikrishna:~/hari$ openssl verify -CAfile rcert.pem rcert.pem
rcert.pem: OK
hari@harikrishna:~/hari$ openssl verify -CAfile rcert.pem -untrusted scert.pem ccert.pem
ccert.pem: C = IN, ST = HARI, L = HARI, O = HARI, OU = HARI, CN = HARI, emailAddress = HARI
error 24 at 1 depth lookup:invalid CA certificate
OK
为什么会创建错误24.如何删除它?是可信的还是不受信任的?
谢谢。
答案 0 :(得分:18)
JKJS
回答了我自己的问题:
1)通过以下命令创建根CA证书:
openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem
openssl x509 -req -in rootreq.pem -sha1 -signkey rootkey.pem -out rootcert.pem
2)通过以下命令将CA证书安装为可信证书:
sudo mkdir /usr/share/ca-certificates/extra
sudo cp rootcert.pem /usr/share/ca-certificates/extra/rootcert.crt
sudo dpkg-reconfigure ca-certificates
sudo update-ca-certificates
3)通过以下命令创建由根CA签名的中间证书:
openssl req -newkey rsa:1024 -sha1 -keyout skey.pem -out sreq.pem
sudo openssl x509 -req -in sreq.pem -sha1 -CA /etc/ssl/certs/rootcert.pem -CAkey rootkey.pem -CAcreateserial -out scert.pem
4)通过以下命令创建由中间CA签名的客户端证书:
openssl req -newkey rsa:1024 -sha1 -keyout ckey.pem -out creq.pem
openssl x509 -req -in creq.pem -sha1 -CA scert.pem -CAkey skey.pem -CAcreateserial -out ccert.pem
现在,信任链正常运转:
1)验证根CA
openssl verify rootcert.pem
rootcert.pem: OK
2)验证中间CA
openssl verify scert.pem
scert.pem: OK
3)验证客户证书
openssl verify -CAfile scert.pem ccert.pem
ccert.pem: OK