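How to check the CA root and intermediate chain?

Time: 2014-01-20 14:38:42

Tags: ssl ca

For example - let's take a jks that contains the Comodo CA root certificate, several intermediate certificates and our own signed server certificate: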

 # keytool -list -keystore akira.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 5 entries

comodoutnsgcca, Jan 16, 2014, trustedCertEntry,
Certificate fingerprint (MD5): C7:1E:D8:79:91:4C:01:AC:ED:ED:00:30:4C:47:F0:E4
akira, Jan 16, 2014, PrivateKeyEntry,
Certificate fingerprint (MD5): A6:90:2D:8A:0E:4B:A3:0A:B5:50:9A:E3:F9:B8:E5:AC
essentialsslca_2, Jan 16, 2014, trustedCertEntry,
Certificate fingerprint (MD5): B5:1A:6D:2D:44:CC:72:D6:C6:2A:1B:97:5A:18:3D:91
utnaddtrust, Jan 16, 2014, trustedCertEntry,
Certificate fingerprint (MD5): 55:07:0F:1F:9A:E5:EA:21:61:F3:72:2B:8B:41:7F:27
addtrustexternalcaroot, Jan 16, 2014, trustedCertEntry,
Certificate fingerprint (MD5): 1D:35:54:04:85:78:B0:3F:42:42:4D:BF:20:73:0A:3F

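How can I see exactly, for a certificate entry, whether it needs other certificates in the chain?

If I run -list with the -v option, I see a lot of information, such as "Extensions", "#1: ObjectId" and so on.

So - which line describes the dependency?

1 answer:

Answer 0: (score: 0)

So, here is an answer: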

# openssl s_client -connect localhost:8443
CONNECTED(00000003)
depth=4 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Hosted by LeaderTelecom Ltd./OU=Free     SSL/CN=akira.setevoy.kiev.ua
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
 3 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 4 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

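This is the full chain - from the locally signed certificate (CN=akira.setevoy.kiev.ua) to the root CA - (CN=AddTrust External CA Root).

Here s is the "subject" - the certificate's "name", and i is the issuer - who issued this certificate.

So, the root's name is AddTrust External CA Root, and it is issued by AddTrust External CA Root.

Another way - use online tools such as SSL Checker.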
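
The s:/i: reading described in the answer can be automated. The following is an added example, not part of the original answer: it parses the "Certificate chain" listing printed by openssl s_client and reports any entry whose issuer is not the subject of the next entry, or a chain that does not end in a self-issued root. The function names parse_chain and check_chain are hypothetical, and the check compares names only; it does not verify signatures.

```python
import re

# Chain listing copied from the s_client output in the answer above.
SAMPLE = """\
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Hosted by LeaderTelecom Ltd./OU=Free     SSL/CN=akira.setevoy.kiev.ua
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
 3 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 4 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
"""

# One entry is a "<depth> s:<subject>" line followed directly by an "i:<issuer>" line.
ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s+i:(.*)$", re.M)

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] in the order the server sent them."""
    return [(int(d), s.strip(), i.strip()) for d, s, i in ENTRY.findall(text)]

def check_chain(chain):
    """Return a list of problems; an empty list means each issuer is the next
    subject and the last certificate is self-issued (a root)."""
    if not chain:
        return ["no certificates found in the listing"]
    problems = []
    for (d, _, issuer), (nd, next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            problems.append(f"depth {d}: issuer {issuer!r} is not the subject at depth {nd}")
    depth, subject, issuer = chain[-1]
    if subject != issuer:
        # Not an error by itself: the verifier must then hold this issuer in its trust store.
        problems.append(f"chain stops at depth {depth}: issuer {issuer!r} was not sent")
    return problems

if __name__ == "__main__":
    for line in check_chain(parse_chain(SAMPLE)) or ["chain is complete up to a self-issued root"]:
        print(line)
```
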