How to verify certificate chain with openssl

I am trying to verify a certificate file with OpenSSL. Can you explain to me why the s_client connection succeeds, but verifying a file with the same certificate chain fails? How can I verify the file?

Note that I compiled OpenSSL 1.0.1k myself, so it shouldn't be using any distro-specific config. And I provided the same CAfile to both commands.

$ openssl s_client -CAfile /etc/pki/tls/certs/ca-bundle.crt -connect www.google.com:443
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = www.google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
    ...
    Verify return code: 0 (ok)
---

If I run it with the -showcerts argument, it outputs all three certificates sent by the server. I concatenated them into the file google.pem, but the chain can't be verified. See:

$ openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.crt google.pem
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
google.pem: C = US, ST = California, L = Mountain View, O = Google Inc, CN = www.google.com
error 20 at 0 depth lookup:unable to get local issuer certificate

Applying a patch suggested on https://stackoverflow.com/a/27606964/1823988 doesn't help.

I found it. openssl verify doesn't expect the certificate file to contain its chain. The chain needs to be passed with the -untrusted argument. It works with the same file; trust is still determined by finding a trusted root in -CAfile.

openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.crt -untrusted google.pem google.pem
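The script below is an added example, not part of the original question or answer. It builds a throwaway root -> intermediate -> leaf chain offline and then runs the three cases that matter here: the question's command (only the first certificate of google.pem is read, so the leaf's issuer is never found), the answer's -untrusted fix, and one case that goes beyond the post, appending the root itself to the -untrusted file while pointing -CAfile at an unrelated root, to show that an untrusted root grants no trust. It assumes the openssl CLI is on PATH; the file names (root.pem, int.pem, leaf.pem, chain.pem, other.pem) and the subject names are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the failure from the
# question and the -untrusted fix from the answer with a locally generated chain.
# Assumes the openssl command-line tool is installed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config so `req` works even where no default openssl.cnf exists
# (the question's build warned about a missing /usr/local/ssl/openssl.cnf).
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
subjectAltName = DNS:www.example.test
EOF

# Our self-signed root, plus an unrelated self-signed root used later as a
# deliberately wrong trust anchor.
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Test Root" -extensions v3_ca \
    -keyout root.key -out root.pem 2>/dev/null
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Unrelated Root" -extensions v3_ca \
    -keyout other.key -out other.pem 2>/dev/null

# Intermediate CA signed by the root.
openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
    -subj "/CN=Example Test Intermediate" -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.cnf -extensions v3_ca -out int.pem 2>/dev/null

# Leaf (server) certificate signed by the intermediate.
openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 1 -extfile ca.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null

# What the question built from -showcerts: leaf first, then the intermediate.
cat leaf.pem int.pem > chain.pem
# The same file with the root appended, for the "untrusted root" case.
cat chain.pem root.pem > chain-with-root.pem

# Case 1, the question's command: `openssl verify` reads only the FIRST
# certificate in chain.pem, so the intermediate is never seen and the leaf's
# issuer cannot be found (error 20, "unable to get local issuer certificate").
verify_naive() { openssl verify -CAfile root.pem chain.pem; }

# Case 2, the answer's fix: every certificate in the -untrusted file is
# available for chain building, while the trust anchor still comes from -CAfile.
verify_with_untrusted() { openssl verify -CAfile root.pem -untrusted chain.pem chain.pem; }

# Case 3: the real root is only in -untrusted and -CAfile holds an unrelated
# root. The chain builds up to our root, but it is not trusted, so verification
# fails (error 19, "self signed certificate in certificate chain").
verify_untrusted_root() { openssl verify -CAfile other.pem -untrusted chain-with-root.pem leaf.pem; }

# Both output streams are captured: older OpenSSL prints verify errors on
# stdout, newer releases on stderr.
for case in verify_naive verify_with_untrusted verify_untrusted_root; do
    if out="$("$case" 2>&1)"; then
        echo "$case: OK"
    else
        echo "$case: FAILED -> $out"
    fi
done
```

Only case 2 succeeds. Case 1 fails exactly like the question's run, and case 3 shows why the answer stresses that trust still comes from -CAfile: a root supplied through -untrusted is used to build the chain but never to anchor it.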
