Verify an x509 certificate with openssl to be sure it is valid and signed by a trusted CA

Problem description:

In a shell script I want to verify an x509 certificate with openssl to be sure that it is valid and signed by one of my root CAs. I tried this:

openssl verify -CAfile /path/to/CAfile mycert.pem

It works, but for a self-signed certificate I get the output:

error 18 at 0 depth lookup:self signed certificate
OK

The error is shown but it ends with OK and the status code is 0, so I don't get an error in my script.

I could parse the output, but that's not robust code for a secure production environment.

I need a command that yields an error on self-signed certificates.

Edit:

% openssl version 
OpenSSL 1.0.2k-fips  26 Jan 2017
% cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.9 (Maipo)

Works with openssl 1.1.1.

Using your code, a dummy CA and a dummy self-signed cert I cannot replicate your results. Please update your example or include the openssl version.

Last output line is error: mycert.pem: verification failed and the return code is 2 (echo $?), as opposed to the OK message with a 0 return code. I also get the error 18 self-signed message you received. I am using openssl 1.1.1i.

Error 18 is in fact a robust error code and is documented in the openssl verify man page as the code specifically for self-signed certificates.