
Problem description

My app uses SSL to communicate securely with a server and it's having trouble verifying the certificate chain. The chain looks like this:

Entrust.net Secure Server Certification Authority -> DigiCert Global CA -> *.ourdomain.com

We are using a certificate store pulled from Mozilla. It contains the Entrust.net certificate, but not the DigiCert Global CA one.

My understanding is that an intermediate authority doesn't have to be trusted as long as the root authority is, but the verification fails:

% openssl verify -CAfile mozilla-root-certs.crt ourdomain.com.crt
error 20 at 0 depth lookup:unable to get local issuer certificate

So do I need to explicitly trust the DigiCert Global CA in order for verification to pass? That seems wrong. But you tell me!

EDIT: I now understand that the certificate file needs to be available to OpenSSL up front. Something like this works:

% openssl verify -CAfile mozilla-root-certs.crt -untrusted digicert.crt ourdomain.com.crt
ourdomain.com.crt: OK

This allows me to provide a copy of the DigiCert CA without explicitly saying "I trust it"; the whole chain still needs to be verified.

But surely browsers like Firefox won't always ship with a copy of every single certificate they'll ever need. There are always going to be new CAs, and the point is to use the security of the root certificate to make sure all intermediate CAs are valid. Right? So how does this work? Is it really as silly as it looks?

Recommended answer

The intermediate certs have to be installed on your web servers as well as the certs for your own domain. I was having this same problem last week... Firefox seems to be more picky than the rest of the browsers about this.
