
Openssl: error 20 at 0 depth lookup: unable to get local issuer certificate

I created 3 certificates using Python: rootca.crt, intermediateca.crt and server.crt. I used the rootca.crt to sign intermediateca.crt, which works as expected:

openssl verify -CAfile rootca.crt intermediateca.crt
intermediateca.crt: OK

Then I signed the server.crt with the intermediate CA, but verification fails:

openssl verify -CAfile rootca.crt -untrusted intermediateca.crt server.crt
server.crt: C = DE, ST = mein Bundesland, L = meine Stadt, O = meine Firma, CN = server.example.com, emailAddress = info@meine-firma.de
error 20 at 0 depth lookup:unable to get local issuer certificate

When I parse the certificates, the server.crt authority key identifier matches the intermediateca subject key identifier. Can anyone give me a hint as to what could be wrong? If I generate the same certificates with the openssl command line tool, it works. The parsed content is identical, apart from the fact that the authority key identifier also contains a serial and a CN for the openssl-generated certificate.

The intermediate CA cannot be used to verify the server certificate because its subject name does not match the issuer name specified in the server certificate.

Let's have openssl dump the subject and issuer names. The -xx_hash options show the hash that openssl uses to build up the certificate chain:

$ openssl x509 -subject -subject_hash -noout -in rootca.crt 
subject=C = DE, ST = mein Bundesland, L = meine Stadt, O = meine Firma, OU = meine Abteilung, CN = serviceserver.example.com, emailAddress = info@meine-firma.de
347e2056

$ openssl x509 -issuer -issuer_hash -noout -in intermediateca.crt 
issuer=C = DE, ST = mein Bundesland, L = meine Stadt, O = meine Firma, OU = meine Abteilung, CN = serviceserver.example.com, emailAddress = info@meine-firma.de
347e2056

Great, the intermediate's Issuer name matches the root's Subject name. That part of the chain works.

$ openssl x509 -subject -subject_hash -noout -in intermediateca.crt 
subject=C = DE, ST = mein Bundesland, L = meine Stadt, O = meine Firma, CN = serviceserver.example.com, emailAddress = info@meine-firma.de
c4dff14c

$ openssl x509 -issuer -issuer_hash -noout -in server.crt 
issuer=C = DE, ST = mein Bundesland, L = meine Stadt, O = meine Firma, OU = meine Abteilung, CN = serviceserver.example.com, emailAddress = info@meine-firma.de
347e2056

Oops: the hash is different, so openssl cannot connect the intermediate CA to the server certificate. The difference is that the intermediate's subject name contains an OU field whereas the server's issuer name does not. openssl was correct when it told you that it could not find an issuer.

I'm not sure how you got it in this state; my guess would be some misconfiguration of the subject or issuer name.
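The chain-building rule the answer describes (the child's issuer DN must equal the parent's subject DN, attribute for attribute) can be checked in Python as well, which is where the asker's certificates came from. The script below is an added example, not the asker's code or the answer's: it uses the `cryptography` library (assumed to be installed) to mint a root, an intermediate and two server certificates with DN values modelled on the page. The "broken" server certificate gets an issuer DN typed by hand with the OU left out, reproducing the symptom in the question (AKI matches SKI, signature is valid, name does not match); the "fixed" one copies its issuer DN straight from the intermediate certificate. `chain_link_problems` performs the three checks openssl effectively performs when it looks for a local issuer: DN match, AKI/SKI match, and signature. All names, keys and the helper functions are constructed for this example.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID


def make_name(cn, with_ou):
    """Build a DN modelled on the page's certificates; with_ou controls the OU attribute."""
    attrs = [
        x509.NameAttribute(NameOID.COUNTRY_NAME, "DE"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "meine Firma"),
    ]
    if with_ou:
        attrs.append(x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "meine Abteilung"))
    attrs.append(x509.NameAttribute(NameOID.COMMON_NAME, cn))
    return x509.Name(attrs)


def issue(subject, issuer_name, issuer_key, subject_key, is_ca):
    """Sign a certificate for subject_key with issuer_key, writing issuer_name as the issuer DN."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_name)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(subject_key.public_key()), critical=False)
        .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(issuer_key.public_key()), critical=False)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def chain_link_problems(cert, candidate_issuer):
    """Return why candidate_issuer cannot serve as the issuer of cert; an empty list means the link is fine."""
    problems = []
    # 1. Name chaining: this is the check that failed in the question (OU missing from the issuer DN).
    if cert.issuer != candidate_issuer.subject:
        problems.append("issuer DN does not match candidate's subject DN")
    # 2. Key identifiers: the asker reported these already matched, so they pass here too.
    try:
        aki = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_KEY_IDENTIFIER).value.key_identifier
        ski = candidate_issuer.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_KEY_IDENTIFIER).value.digest
        if aki != ski:
            problems.append("authority key identifier does not match candidate's subject key identifier")
    except x509.ExtensionNotFound:
        problems.append("AKI/SKI extension missing, key-identifier check skipped")
    # 3. Signature: the TBS bytes must verify under the candidate's public key (ECDSA in this example).
    try:
        candidate_issuer.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm)
        )
    except InvalidSignature:
        problems.append("signature was not made with candidate's key")
    return problems


def build_demo_chain():
    """Constructed chain: root -> intermediate -> server, once with a broken issuer DN and once fixed."""
    root_key, inter_key, server_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root_name = make_name("root.example.com", with_ou=True)
    inter_name = make_name("intermediate.example.com", with_ou=True)
    root = issue(root_name, root_name, root_key, root_key, is_ca=True)
    inter = issue(inter_name, root.subject, root_key, inter_key, is_ca=True)
    server_name = make_name("server.example.com", with_ou=False)
    # Broken: the issuer DN is rebuilt by hand and the OU is forgotten, so it no longer equals inter.subject.
    broken = issue(server_name, make_name("intermediate.example.com", with_ou=False), inter_key, server_key, is_ca=False)
    # Fixed: take the issuer DN from the signing certificate itself; it cannot drift that way.
    fixed = issue(server_name, inter.subject, inter_key, server_key, is_ca=False)
    return root, inter, broken, fixed


if __name__ == "__main__":
    root, inter, broken, fixed = build_demo_chain()
    print("root -> intermediate:        ", chain_link_problems(inter, root) or "OK")
    print("intermediate -> broken server:", chain_link_problems(broken, inter) or "OK")
    print("intermediate -> fixed server: ", chain_link_problems(fixed, inter) or "OK")
```

The practical takeaway is the `fixed` branch: pass `issuer_name(inter.subject)` taken from the loaded issuer certificate rather than reconstructing the DN from configuration, and the issuer/subject pair cannot diverge. Note that `x509.Name` equality in `cryptography` is an exact attribute-by-attribute comparison; OpenSSL compares DNs in a canonical form (which is what `-subject_hash`/`-issuer_hash` are computed over), so it tolerates case and whitespace differences in string attributes, but a missing or extra attribute such as the OU here fails under both.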
