每当我尝试使用OpenSSL使用以下命令连接到Google(或任何其他网站)时:
s_client -connect google.com:443 -showcerts
我收到以下错误:
.....
验证返回代码:20(无法获得本地颁发者证书)
我确实安装了正确的CA.我还尝试导出CA并将其与-CAfile一起使用, 但我仍然得到同样的错误。
我使用certmgr.msc将CA导出为PKCS#12。 然后我使用:
将它们转换为.pem文件OpenSSL> pkcs12 -in D:/Certs/RootCertsNewu.pfx -clcerts -nokeys -out D:/Certs/Roo
tCertsNew.pem
使用它我尝试连接:
OpenSSL> s_client -connect google.com:443 -CAfile D:\Certs\RootCertsNew.pem
但我得到了和以前一样的回应。 我还读到,这可能与中级CA有关,所以我用CA和中间CA创建了一个.pem文件。那也行不通。有人能帮助我吗?
此外,验证进展似乎从GeoTrust开始,而不是像Equifax那样。
OpenSSL> s_client -connect google.com:443 -showcerts -CAfile D:\Certs\google-ca.
pem
Loading 'screen' into random state - done
CONNECTED(0000017C)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
答案 0 :(得分:3)
转到Google Internet Authority并下载其CA文件。
接下来将其从DER转换为PEM:
$ openssl x509 -in GIAG2.crt -inform DER -out google-ca.pem -outform PEM
最后,执行以下操作:
$ openssl s_client -connect google.com:443 -showcerts -CAfile google-ca.pem
以下是类似的运行。
$ openssl s_client -connect google.com:443 -showcerts -CAfile google-ca.pem
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = *.google.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
-----BEGIN CERTIFICATE-----
MIIHMzCCBhugAwIBAgIIRu5X4fKYZFAwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTMxMjExMTI0OTE0WhcNMTQwNDEwMDAwMDAw
WjBmMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEVMBMGA1UEAwwMKi5n
b29nbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwb9KlQfh
VnIuRWh6jz2xZSi1InIxdWluaz1RU5SmuZ+Lz+m6lGvv/P31qqNmbKvXe9eDep3R
tOxeYpRiPXmY2U1jFrQzxL0WxxrNgAxEzRvSOS5BsOtyWn75ZGSr8pDVCNGJQxq2
GTjzhAqkesIet8oW3FVIx4gfbQ2BviOrbmH5+JWC64/JGlLcSuRDkkKhNx095Yzp
tnMo1WLb9IuurvN3NgAh7meXbvwV8mPxGRBZWcU5EMQ2IRq6DtQQPGjUPP6Weg4x
dssCIfA8ffm5RznjR2N9gq6SRPNU1Wtt5+ZK1A/IVHs0PXsVnCP2WyWIFdduH7WX
jatH9fOukYWugQIDAQABo4IEADCCA/wwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
AQUFBwMCMIIC1gYDVR0RBIICzTCCAsmCDCouZ29vZ2xlLmNvbYINKi5hbmRyb2lk
LmNvbYIWKi5hcHBlbmdpbmUuZ29vZ2xlLmNvbYISKi5jbG91ZC5nb29nbGUuY29t
ghYqLmdvb2dsZS1hbmFseXRpY3MuY29tggsqLmdvb2dsZS5jYYILKi5nb29nbGUu
Y2yCDiouZ29vZ2xlLmNvLmlugg4qLmdvb2dsZS5jby5qcIIOKi5nb29nbGUuY28u
dWuCDyouZ29vZ2xlLmNvbS5hcoIPKi5nb29nbGUuY29tLmF1gg8qLmdvb2dsZS5j
b20uYnKCDyouZ29vZ2xlLmNvbS5jb4IPKi5nb29nbGUuY29tLm14gg8qLmdvb2ds
ZS5jb20udHKCDyouZ29vZ2xlLmNvbS52boILKi5nb29nbGUuZGWCCyouZ29vZ2xl
LmVzggsqLmdvb2dsZS5mcoILKi5nb29nbGUuaHWCCyouZ29vZ2xlLml0ggsqLmdv
b2dsZS5ubIILKi5nb29nbGUucGyCCyouZ29vZ2xlLnB0gg8qLmdvb2dsZWFwaXMu
Y26CFCouZ29vZ2xlY29tbWVyY2UuY29tghEqLmdvb2dsZXZpZGVvLmNvbYINKi5n
c3RhdGljLmNvbYIMKi51cmNoaW4uY29tghAqLnVybC5nb29nbGUuY29tghYqLnlv
dXR1YmUtbm9jb29raWUuY29tgg0qLnlvdXR1YmUuY29tghYqLnlvdXR1YmVlZHVj
YXRpb24uY29tggsqLnl0aW1nLmNvbYILYW5kcm9pZC5jb22CBGcuY2+CBmdvby5n
bIIUZ29vZ2xlLWFuYWx5dGljcy5jb22CCmdvb2dsZS5jb22CEmdvb2dsZWNvbW1l
cmNlLmNvbYIKdXJjaGluLmNvbYIIeW91dHUuYmWCC3lvdXR1YmUuY29tghR5b3V0
dWJlZWR1Y2F0aW9uLmNvbTBoBggrBgEFBQcBAQRcMFowKwYIKwYBBQUHMAKGH2h0
dHA6Ly9wa2kuZ29vZ2xlLmNvbS9HSUFHMi5jcnQwKwYIKwYBBQUHMAGGH2h0dHA6
Ly9jbGllbnRzMS5nb29nbGUuY29tL29jc3AwHQYDVR0OBBYEFIMWsVdJifC2GE+L
sI8GP+LoQ6BgMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUSt0GFhu89mi1dvWB
trtiGrpagS8wFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgUBMDAGA1UdHwQpMCcwJaAj
oCGGH2h0dHA6Ly9wa2kuZ29vZ2xlLmNvbS9HSUFHMi5jcmwwDQYJKoZIhvcNAQEF
BQADggEBADiJO0/BuDkyS5Ki2HOeHi2Hm+t7ULpW03UdTbQlqAwjhqudY++nBMjA
v0EIbEIJKrPHeedd3BAkWaSWVGDEUgJalvJ18h1EDGZVo+5MH2WabAMPlREmK+j7
5qd8E909hSM9lmdUWZ3c1lv2blIutKq9nenSChmq2m5yM11nODXHj4Gez9MDemf1
wqBOkztQorO5jslKJXup1ZsMpjko/ZGQxb2eABg6/aF1GTFLSI1llqCB12IogHHs
GMFH6rZKoSctd4+98x4qoUjQR56Rws0cK5Y9HQciL4wYC28XS57i+HTgqfa5qmVz
lv6su2jEZsHnFYYDfZ1wZEjzgd5fK5I=
-----END CERTIFICATE-----
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIIEBDCCAuygAwIBAgIDAjppMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTUwNDA0MTUxNTU1WjBJMQswCQYDVQQG
EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy
bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP
VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv
h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE
ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ
EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC
DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB+zCB+DAfBgNVHSMEGDAWgBTAephojYn7
qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD
VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMwMTAvoC2g
K4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwPQYI
KwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vZ3RnbG9iYWwtb2NzcC5n
ZW90cnVzdC5jb20wFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgUBMA0GCSqGSIb3DQEB
BQUAA4IBAQA21waAESetKhSbOHezI6B1WLuxfoNCunLaHtiONgaX4PCVOzf9G0JY
/iLIa704XtE7JW4S615ndkZAkNoUyHgN7ZVm2o6Gb4ChulYylYbc3GrKBIxbf/a/
zG+FA1jDaFETzf3I93k9mTXwVqO94FntT0QJo544evZG0R0SnU++0ED8Vf4GXjza
HFa9llF7b1cq26KqltyMdMKVvvBulRP/F/A8rLIQjcxz++iPAsbw+zOzlTvjwsto
WHPbqCRiOwY1nQ2pM714A5AuTHhdUDqB1O6gyHA43LL5Z/qHQF1hwFGPa4NrzQU6
yuGnBXj8ytqU0CwIPX4WecigUCAkVDNx
-----END CERTIFICATE-----
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 4429 bytes and written 446 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 4BAFE5B7837B250D672F58EA7F457F76FD93043387CCC4875934150304F85DF5
Session-ID-ctx:
Master-Key: 57CCB72C3AB87C8ED25561CC523EAB5C8A4450E3E905A61FA822C9BFF8D468C478E52E18A06CCD97F06FA89893368337
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
0000 - 8f c1 a1 ba 2f e0 02 bf-53 a9 79 87 d2 ae d4 be ..../...S.y.....
0010 - b7 5c f8 bc a1 69 b2 2f-d7 cb 3e b3 36 9c f5 b6 .\...i./..>.6...
0020 - 31 4d 63 93 17 ed 43 3b-bc 9a 83 44 49 1f 78 85 1Mc...C;...DI.x.
0030 - f1 33 11 da c2 ce bd 7c-80 67 c7 4e e1 c1 6b ff .3.....|.g.N..k.
0040 - 95 5f 24 ae bd 76 58 3e-12 de 14 33 33 38 f2 38 ._$..vX>...338.8
0050 - 71 37 77 99 8d 42 49 09-21 ac d9 5e 30 82 86 f1 q7w..BI.!..^0...
0060 - bc f8 a0 36 56 e5 72 f3-44 04 d3 81 d3 9f 65 ff ...6V.r.D.....e.
0070 - da a0 1f d8 6c a3 6e 03-9b 42 48 32 cc 4d e2 e1 ....l.n..BH2.M..
0080 - 08 21 1e 47 23 76 ee 14-22 b1 21 5a 84 52 d7 e1 .!.G#v..".!Z.R..
0090 - 6d 1c 6d fd m.m.
Start Time: 1389972014
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
DONE
答案 1 :(得分:2)
这对我有用:
openssl s_client -connect *<host>:<port>* -CApath */path/to/certs/*
当我尝试指定证书和密钥是什么时,我得到了相同的错误代码,所以我尝试了上面的命令而且它有效。只需将您的pem文件添加到目录并将-CApath指向它。
希望这有帮助。