I am trying to create a self-signed root certificate, an intermediate certificate and an end-user certificate, but for some reason I can only verify the intermediate certificate, so the whole chain fails.
These are the commands I use to create the certificates:
mkdir root interm end
# Root CA:
openssl ecparam -out root/privatekey.pem -name prime256v1 -genkey
openssl req -new -x509 -days 365 -key root/privatekey.pem -out root/certificate.pem -sha256
# Intermediate
openssl ecparam -out interm/privatekey.pem -name prime256v1 -genkey
openssl req -new -key interm/privatekey.pem -out interm/request.csr -sha256
openssl x509 -req -days 365 -in interm/request.csr -CA root/certificate.pem -CAkey root/privatekey.pem -out interm/certificate.pem -sha256 -CAcreateserial
# End user
openssl ecparam -out end/privatekey.pem -name prime256v1 -genkey
openssl req -new -key end/privatekey.pem -out end/request.csr -sha256
openssl x509 -req -days 365 -in end/request.csr -CA interm/certificate.pem -CAkey interm/privatekey.pem -out end/certificate.pem -sha256 -CAcreateserial
Now, verifying the intermediate certificate against the root certificate works fine:
openssl verify -CAfile root/certificate.pem interm/certificate.pem
interm/certificate.pem: OK
But when I try to verify the end certificate, it fails:
openssl verify -CAfile root/certificate.pem -untrusted interm/certificate.pem end/certificate.pem
error 24 at 1 depth lookup: invalid CA certificate
error end/certificate.pem: verification failed
Am I creating the certificates wrong? I tried adding -verbose, but the output stays the same. I'm not sure why it says the CA certificate is invalid; it verifies by itself:
openssl verify -CAfile root/certificate.pem root/certificate.pem
root/certificate.pem: OK
Answer 0 (score: 0)
What you are missing is that the intermediate certificate must be marked CA:TRUE:
openssl x509 -noout -text -in interm/certificate.pem
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
To do that, create a file ca_intermediate.ext with the following content:
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
Then run:
# sign the intermediate CSR with the root CA, applying the CA extensions
openssl x509 -req -extfile ca_intermediate.ext -extensions v3_intermediate_ca -days 365 -in interm/request.csr -CA root/certificate.pem -CAkey root/privatekey.pem -out interm/certificate.pem -sha256 -CAcreateserial