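Certificate hierarchy shows only the intermediate CA and not the root CA

Time: 2016-07-14 21:00:00

Tags: ssl openssl certificate ssl-certificate jks

I created a root CA and an intermediate CA by following https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html. The intermediate CA is signed by the root CA.

When I inspect the intermediate CA (output below), you can see that the issuer and subject are different (I mean the root CA signed the intermediate certificate).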

openssl x509 -noout -text -in certs/intermediate.cert.pem  

Certificate:
Data:
    Version: 3 (0x2)
    Serial Number: 4096 (0x1000)
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=IN, ST=Karnataka, L=JP Nager, O=XXX, OU=xxx, CN=abc/emailAddress=abc@xyz.com
    Validity
        Not Before: Jul 14 09:05:19 2016 GMT
        Not After : Jul 12 09:05:19 2026 GMT
    Subject: C=IN, ST=Karnataka, O=XXX, OU=xxx, CN=Ipad Intermidiate Certificate
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
        RSA Public Key: (4096 bit)
            Modulus (4096 bit):
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Subject Key Identifier:
            D5:58:FE:D4:78:8A:93:77:28:65:04:D6:41:DB:A1:B0:FC:3E:37:F2
        X509v3 Authority Key Identifier:
            keyid:91:8E:47:44:08:F0:30:70:3A:9F:46:4C:C5:C9:D6:0C:17:D3:26:5D
        X509v3 Basic Constraints: critical
            CA:TRUE, pathlen:0
        X509v3 Key Usage: critical
            Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption

Output for the root CA certificate:

openssl x509 -noout -text -in ca/certs/ca.cert.pem

Certificate:
Data:
        Version:3 (0x2)
        Serial Number:d1:4f:18:94:21:32:f1:c2
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=IN, ST=Karnataka, L=JP Nager, O=XXX, OU=xxx, CN=abc/emailAddress=abc@xyz.com
        Validity
            Not Before: Jul 14 07:07:30 2016 GMT
            Not After : Jul  9 07:07:30 2036 GMT
        Subject: C=IN, ST=Karnataka, L=JP Nager, O=XXX, OU=xxx, CN=abc/emailAddress=abc@xyz.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                91:8E:47:44:08:F0:30:70:3A:9F:46:4C:C5:C9:D6:0C:17:D3:26:5D
            X509v3 Authority Key Identifier:
               keyid:91:8E:47:44:08:F0:30:70:3A:9F:46:4C:C5:C9:D6:0C:17:D3:26:5D
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption

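Now, when I access a web server whose certificate is signed by the intermediate CA, the browser throws an error saying the certificate is invalid, the reason being that the root CA information is not present in the certificate hierarchy.

Please let me know if I have missed anything.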
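
The comparison described in the question (issuer versus subject, plus Authority Key Identifier versus Subject Key Identifier), as an added example that is not part of the original post. It runs on the identifying fields copied from the two dumps above; the names `parse_cert_text` and `chain_problems` are hypothetical, and the signature itself is not verified.

```python
import re

# Constructed input: chain-building fields copied from the two dumps in the question.
NAME = "C=IN, ST=Karnataka, L=JP Nager, O=XXX, OU=xxx, CN=abc/emailAddress=abc@xyz.com"
ROOT_KEYID = "91:8E:47:44:08:F0:30:70:3A:9F:46:4C:C5:C9:D6:0C:17:D3:26:5D"
INTERMEDIATE = f"""
    Issuer: {NAME}
    Subject: C=IN, ST=Karnataka, O=XXX, OU=xxx, CN=Ipad Intermidiate Certificate
        X509v3 Subject Key Identifier:
            D5:58:FE:D4:78:8A:93:77:28:65:04:D6:41:DB:A1:B0:FC:3E:37:F2
        X509v3 Authority Key Identifier:
            keyid:{ROOT_KEYID}
        X509v3 Basic Constraints: critical
            CA:TRUE, pathlen:0
"""
ROOT = f"""
    Issuer: {NAME}
    Subject: {NAME}
        X509v3 Subject Key Identifier:
            {ROOT_KEYID}
        X509v3 Authority Key Identifier:
            keyid:{ROOT_KEYID}
        X509v3 Basic Constraints: critical
            CA:TRUE
"""

def parse_cert_text(text):
    """Extract issuer, subject, key identifiers and the CA flag from the text dump."""
    def grab(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else None
    return {
        "issuer": grab(r"^\s*Issuer:\s*(.+)$"),
        "subject": grab(r"^\s*Subject:\s*(.+)$"),
        "ski": grab(r"Subject Key Identifier:\s*([0-9A-Fa-f:]+)"),
        "aki": grab(r"Authority Key Identifier:\s*keyid:([0-9A-Fa-f:]+)"),
        "is_ca": grab(r"Basic Constraints:[^\n]*\s*CA:(TRUE|FALSE)") == "TRUE",
    }

def chain_problems(child, parent):
    """List reasons `parent` cannot be `child`'s issuer (names and key ids only)."""
    problems = []
    if child["issuer"] != parent["subject"]:
        problems.append("issuer name differs from parent subject")
    if child["aki"] and parent["ski"] and child["aki"].upper() != parent["ski"].upper():
        problems.append("authority key id differs from parent subject key id")
    if not parent["is_ca"]:
        problems.append("parent is not marked CA:TRUE")
    return problems
```

An empty list from `chain_problems(intermediate, root)` means the names and key identifiers link the intermediate to the root; it says nothing about which certificates the web server actually sends.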

0 answers:

No answers