
Problem description


My app uses SSL to communicate securely with a server and it's having trouble verifying the certificate chain. The chain looks like this:


Entrust.net Secure Server Certification Authority -> DigiCert Global CA -> *.ourdomain.com


We are using a certificate store pulled from Mozilla. It contains the Entrust.net certificate, but not the DigiCert Global CA one.


My understanding is that an intermediate authority doesn't have to be trusted as long as the root authority is, but the verification fails:

% openssl verify -CAfile mozilla-root-certs.crt ourdomain.com.crt
error 20 at 0 depth lookup:unable to get local issuer certificate


So do I need to explicitly trust the DigiCert Global CA in order for verification to pass? That seems wrong. But you tell me!


EDIT: I now understand that the certificate file needs to be available to OpenSSL up front. Something like this works:

% openssl verify -CAfile mozilla-root-certs.crt -untrusted digicert.crt ourdomain.com.crt
ourdomain.com.crt: OK


This allows me to provide a copy of the DigiCert CA without explicitly saying "I trust it", the whole chain still needs to be verified.


But surely browsers like Firefox won't always ship with a copy of every single certificate they'll ever need. There are always going to be new CAs, and the point is to use the security of the root certificate to make sure all intermediate CAs are valid. Right? So how does this work? Is it really as silly as it looks?

Recommended answer


The intermediate certs have to be installed on your web servers as well as the certs for your own domain. I was having this same problem last week... Firefox seems to be more picky than the rest of the browsers about this.
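Added example (not from the question or the answer above): the script below builds a throwaway three-tier chain with openssl in a temporary directory and reproduces the verify results discussed in the thread: the failure when only the root is trusted and the intermediate is nowhere to be found, the success when the intermediate is supplied with -untrusted, and the case the answer describes, where the server's bundle (leaf plus intermediate) is what the client uses as untrusted chain material while trust stays anchored at the root. It also shows why putting only the intermediate in the trust store fails by default (OpenSSL wants a self-signed anchor unless -partial_chain is given). The names "Demo Root CA", "Demo Intermediate CA" and "www.example.test", the two-day lifetimes and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: build Demo Root CA -> Demo Intermediate CA -> www.example.test
# and run the verify variants from the thread. Names and paths are constructed.
set -eu

WORK=$(mktemp -d)

# Extension profiles: a CA cert must carry basicConstraints CA:TRUE, the leaf must not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$WORK/leaf.ext"

# issue_cert NAME SUBJECT CA_CRT CA_KEY EXTFILE
# Creates NAME.key/NAME.csr and signs the CSR with CA_CRT/CA_KEY, or self-signs when CA_CRT is empty.
issue_cert() {
  name=$1; subj=$2; ca_crt=$3; ca_key=$4; ext=$5
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
    -out "$WORK/$name.csr" -subj "$subj" 2>/dev/null
  if [ -z "$ca_crt" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -out "$WORK/$name.crt" -days 2 -extfile "$ext" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$ca_crt" -CAkey "$ca_key" -CAcreateserial \
      -out "$WORK/$name.crt" -days 2 -extfile "$ext" 2>/dev/null
  fi
}

issue_cert root "/CN=Demo Root CA" "" "" "$WORK/ca.ext"
issue_cert int  "/CN=Demo Intermediate CA" "$WORK/root.crt" "$WORK/root.key" "$WORK/ca.ext"
issue_cert leaf "/CN=www.example.test" "$WORK/int.crt" "$WORK/int.key" "$WORK/leaf.ext"

# What the server should send on the wire: its own cert followed by the intermediate.
cat "$WORK/leaf.crt" "$WORK/int.crt" > "$WORK/bundle.pem"

# Each check prints OK or FAIL so the result can be compared as a string.
run_verify() { openssl verify "$@" >/dev/null 2>&1 && echo OK || echo FAIL; }

# The question's first attempt: root trusted, intermediate not available anywhere.
verify_leaf_only() { run_verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt"; }

# The question's EDIT: intermediate handed over as untrusted chain material.
verify_with_untrusted() { run_verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$WORK/leaf.crt"; }

# The answer: the server-sent bundle plays the role of the -untrusted file on the client side.
verify_server_bundle() { run_verify -CAfile "$WORK/root.crt" -untrusted "$WORK/bundle.pem" "$WORK/leaf.crt"; }

# Trusting only the intermediate: by default OpenSSL still wants a self-signed anchor above it.
verify_intermediate_as_anchor() { run_verify -CAfile "$WORK/int.crt" "$WORK/leaf.crt"; }

# The same store with -partial_chain: the intermediate itself may terminate the chain.
verify_intermediate_partial() { run_verify -partial_chain -CAfile "$WORK/int.crt" "$WORK/leaf.crt"; }

for check in verify_leaf_only verify_with_untrusted verify_server_bundle \
             verify_intermediate_as_anchor verify_intermediate_partial; do
  printf '%-32s %s\n' "$check" "$($check)"
done
```

The middle three checks are the whole answer to the question: a verifier never needs to trust the intermediate, but it does need a copy of it, and in TLS that copy comes from the server's own handshake, which is why a server configured with only its leaf certificate breaks in browsers that do not happen to cache the missing intermediate.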


07-01 19:50