Unable to understand SSL certificate chain verification
My app uses SSL to communicate securely with a server and it's having trouble verifying the certificate chain. The chain looks like this:
Entrust.net Secure Server Certification Authority -> DigiCert Global CA -> *.ourdomain.com
We are using a certificate store pulled from Mozilla. It contains the Entrust.net certificate, but not the DigiCert Global CA one.
My understanding is that an intermediate authority doesn't have to be trusted as long as the root authority is, but the verification fails:
% openssl verify -CAfile mozilla-root-certs.crt ourdomain.com.crt
error 20 at 0 depth lookup:unable to get local issuer certificate
So do I need to explicitly trust the DigiCert Global CA in order for verification to pass? That seems wrong. But you tell me!
EDIT: I now understand that the certificate file needs to be available to OpenSSL up front. Something like this works:
% openssl verify -CAfile mozilla-root-certs.crt -untrusted digicert.crt ourdomain.com.crt
ourdomain.com.crt: OK
This allows me to provide a copy of the DigiCert CA without explicitly saying "I trust it"; the whole chain still needs to be verified.
But surely browsers like Firefox won't always ship with a copy of every single certificate they'll ever need. There are always going to be new CAs, and the point is to use the security of the root certificate to make sure all intermediate CAs are valid. Right? So how does this work? Is it really as silly as it looks?
Comments (2)
The intermediate certs have to be installed on your web servers as well as the certs for your own domain. I was having this same problem last week... Firefox seems to be more picky than the rest of the browsers about this.
Here is the correct way to verify a certificate coming from a web server
When a client connects to a server, it gets the server certificate and intermediate certificate(s) from the server. The client then builds a chain of trust from the server certificate, through the intermediate certificate(s), to one of the CA ROOT certificates it trusts. ROOT certificates are always self-signed - so that is where the chain stops.
Here is a simple command to test a web server certificate using openssl
In the case of virtual hosting, where multiple certificates are served on the same IP:PORT, server name indication (SNI) can be enabled using -servername <FQDN>. Otherwise, the default certificate will be sent.