SSL certificate: the certificate path shown in the browser differs from the certificate chain file

Problem description:

I recently purchased a free SSL certificate from Comodo. It came with a certification authority bundle file that contains all of the intermediate certificates as well as the root certificate. When I run the command "openssl s_client -connect www.mydomain.com:443 -showcerts" it shows a certificate path that looks like this:

depth=4 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root verify return:1

depth=3 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN-USERFirst-Hardware verify return:1

depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO Certification Authority verify return:1

depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = EssentialSSL CA verify return:1

depth=0 OU = Domain Control Validated, OU = Free SSL, CN = www.mydomain.com verify return:1

However, when I go to www.mydomain.com in any browser and look at the certificate presented by the server, it shows the following certificate path (taken from IE9 certificate window):

  1. COMODO
  2. EssentialSSL CA
  3. www.mydomain.com

Notice that there are fewer certificates in the chain (depth of 2 versus 4 from the openssl command), and that the root certificate is the COMODO certificate as opposed to the AddTrust External CA Root certificate. Can someone explain why the browser shows a different path than the openssl command?

Note that in both cases the certificate chain presented by the server passes validation (verify result 0 from openssl, no warnings in the browser).

IE9 has the COMODO CA as a trusted authority in its trust chain, and therefore doesn't show the signers of the COMODO CA.

OpenSSL s_client -showcerts shows the whole certificate chain.
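As an added example (not part of the question or the answer above), the following Python models the difference the answer describes: it parses the quoted `depth=` lines into the served chain and then builds the validation path against a set of trust anchors, stopping at the first trusted subject the way a browser's path builder does. It matches by name only and checks no signatures; the trust-anchor sets are hypothetical stand-ins for real root stores.

```python
import re

# Constructed sample input: the verify lines `openssl s_client -showcerts`
# printed in the question, leaf at depth 0 and the served root at depth 4.
S_CLIENT_OUTPUT = """\
depth=4 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=3 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN-USERFirst-Hardware
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = EssentialSSL CA
verify return:1
depth=0 OU = Domain Control Validated, OU = Free SSL, CN = www.mydomain.com
verify return:1
"""

# Hypothetical trust stores keyed by subject CN, standing in for real root
# stores: Windows ships the COMODO CA itself as a self-signed root, while a
# store holding only the older AddTrust root needs the whole cross-signed chain.
TRUSTS_COMODO_ROOT = {"COMODO Certification Authority"}
TRUSTS_ADDTRUST_ONLY = {"AddTrust External CA Root"}

DEPTH_RE = re.compile(r"^depth=(\d+) .*CN = (.+?)\s*$", re.MULTILINE)

def served_chain(s_client_output):
    """Served chain as (subject_cn, issuer_cn) pairs, leaf first.
    The certificate at depth n is issued by the one at depth n+1; the
    deepest served certificate is treated as self-issued.
    """
    cns = {int(d): cn for d, cn in DEPTH_RE.findall(s_client_output)}
    top = max(cns)
    return [(cns[d], cns[min(d + 1, top)]) for d in range(top + 1)]

def build_path(chain, trust_anchors):
    """Walk from the leaf toward the root by issuer name.
    Path building stops at the first certificate whose subject is a trust
    anchor; anything the server sent above that point is ignored, which is
    why a certificate viewer can show fewer certificates than -showcerts.
    """
    issuer_of = dict(chain)
    path = [chain[0][0]]
    while path[-1] not in trust_anchors:
        issuer = issuer_of.get(path[-1])
        if issuer is None or issuer == path[-1]:
            raise ValueError("no trust anchor reached at %r" % path[-1])
        path.append(issuer)
    return path
```

With the COMODO root trusted the path is three certificates (leaf, EssentialSSL CA, COMODO CA), matching the IE9 view; with only the AddTrust root trusted it is all five that the server sends.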