Is my leaf certificate truly invalid, or am I using `openssl verify` incorrectly?
I *think* I created my leaf certificate (device.cert.pem) correctly, but it does not verify correctly with my software. So, before debugging my software any further, I tried to verify the certificate on the command line with OpenSSL.
The chain is: root (CN=Halo HSM CA) signs the signer (CN=Halo Signing Server 0003), which signs the device (CN=Halo).
Here is how I invoke OpenSSL on the command line:
$ openssl verify -show_chain -trusted <path>/devel_root.cert.pem signing_server.curly-0003.cert.pem device.cert.pem
signing_server.curly-0003.cert.pem: OK
Chain:
depth=0: C = US, ST = Pennsylvania, L = York, O = Red Lion Controls, CN = Halo Signing Server 0003 (untrusted)
depth=1: C = US, ST = Pennsylvania, L = York, O = Red Lion Controls, CN = Halo HSM CA
C = US, ST = Pennsylvania, L = York, O = Red Lion Controls, CN = Halo
error 20 at 0 depth lookup: unable to get local issuer certificate
error device.cert.pem: verification failed
Root certificate:
$ openssl x509 -in <path>/devel_root.cert.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4e:81:59:83:f3:e5:3d:ff:70:ed:92:b4:48:9a:d3:64:5a:bf:1c:82
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, ST = Pennsylvania, L = York, O = Red Lion Controls, CN = Halo HSM CA
Validity
Not Before: Sep 6 22:09:48 2019 GMT
Not After : Oct 6 22:09:48 2019 GMT
Subject: C = US, ST = Pennsylvania, L = York, O = Red Lion Controls, CN = Halo HSM CA
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:a3:8a:fd:87:aa:36:67:5c:e0:f7:49:5c:cd:4e:
86:96:53:9a:5a:9f:23:a3:3b:67:e2:76:87:e6:b6:
ab:ea:fc:2f:46:24:d7:7a:ce:ee:76:da:42:b4:e6:
a4:8b:48:d4:c7:59:cc:01:62:08:37:3f:ec:30:55:
76:3d:19:7b:c2
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Subject Key Identifier:
E0:1D:B4:40:9A:BA:F3:3F:ED:AC:6B:33:F4:8D:60:CE:C3:05:89:EA
X509v3 Authority Key Identifier:
keyid:E0:1D:B4:40:9A:BA:F3:3F:ED:AC:6B:33:F4:8D:60:CE:C3:05:89:EA
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:1
X509v3 Key Usage:
Certificate Sign, CRL Sign
Signature Algorithm: ecdsa-with-SHA256
30:44:02:20:2b:48:6e:f2:ec:76:ad:88:85:52:74:fe:45:c8:
93:7e:bc:4c:b6:d8:37:ff:26:fa:05:91:2c:13:a6:7c:e3:cc:
02:20:61:7c:e1:23:8d:c6:93:b5:4e:c8:4b:46:8e:02:1f:67:
04:82:a6:b0:98:b5:4b:09:7d:05:0c:aa:22:b2:16:01
and the signing certificate
$ openssl x509 -in signing_server.curly-0003.cert.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4e:3a:0c:d6:4d:64:d7:15:19:ee:f2:05:1b:99:0f:74
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, ST = Pennsylvania, L = York, O = Red Lion Controls, CN = Halo HSM CA
Validity
Not Before: Sep 10 19:00:00 2019 GMT
Not After : Dec 31 23:59:59 9999 GMT
Subject: C = US, ST = Pennsylvania, L = York, O = Red Lion Controls, CN = Halo Signing Server 0003
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:14:df:32:ce:4f:a6:4d:9c:08:7d:35:d6:57:1a:
b6:95:07:7c:5e:72:d1:68:5a:ba:9e:28:47:62:fa:
ee:3a:04:19:03:86:7e:41:7b:8b:7d:33:8a:6f:3f:
88:27:6c:89:fc:9a:cd:c5:26:72:53:cc:92:b4:41:
5e:ad:c2:c0:e6
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
57:55:32:18:99:54:20:30:1C:73:6F:08:46:0C:C9:86:EC:F6:E8:DB
X509v3 Authority Key Identifier:
keyid:E0:1D:B4:40:9A:BA:F3:3F:ED:AC:6B:33:F4:8D:60:CE:C3:05:89:EA
Signature Algorithm: ecdsa-with-SHA256
30:45:02:20:73:f5:44:7b:be:b1:62:c5:89:28:f4:94:5a:85:
f3:c1:67:60:c9:4a:63:f2:f5:4b:5d:f1:1a:26:89:5d:e2:04:
02:21:00:b7:14:5f:30:e8:b9:24:4b:0f:73:9b:94:3c:a0:25:
de:35:59:5d:c1:fd:af:76:25:81:13:0d:02:d8:95:aa:ef
-----BEGIN CERTIFICATE-----
MIICPTCCAeOgAwIBAgIQTjoM1k1k1xUZ7vIFG5kPdDAKBggqhkjOPQQDAjBlMQsw
CQYDVQQGEwJVUzEVMBMGA1UECAwMUGVubnN5bHZhbmlhMQ0wCwYDVQQHDARZb3Jr
MRowGAYDVQQKDBFSZWQgTGlvbiBDb250cm9sczEUMBIGA1UEAwwLSGFsbyBIU00g
Q0EwIBcNMTkwOTEwMTkwMDAwWhgPOTk5OTEyMzEyMzU5NTlaMHIxCzAJBgNVBAYT
AlVTMRUwEwYDVQQIDAxQZW5uc3lsdmFuaWExDTALBgNVBAcMBFlvcmsxGjAYBgNV
BAoMEVJlZCBMaW9uIENvbnRyb2xzMSEwHwYDVQQDDBhIYWxvIFNpZ25pbmcgU2Vy
dmVyIDAwMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQU3zLOT6ZNnAh9NdZX
GraVB3xectFoWrqeKEdi+u46BBkDhn5Be4t9M4pvP4gnbIn8ms3FJnJTzJK0QV6t
wsDmo2YwZDASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjAdBgNV
HQ4EFgQUV1UyGJlUIDAcc28IRgzJhuz26NswHwYDVR0jBBgwFoAU4B20QJq68z/t
rGsz9I1gzsMFieowCgYIKoZIzj0EAwIDSAAwRQIgc/VEe76xYsWJKPSUWoXzwWdg
yUpj8vVLXfEaJold4gQCIQC3FF8w6LkkSw9zm5Q8oCXeNVldwf2vdiWBEw0C2JWq
7w==
-----END CERTIFICATE-----
and the device certificate
$ openssl x509 -in device.cert.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
46:f1:16:55:c4:bb:56:27:ab:36:75:00:7e:bb:60:b1
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, ST = Pennsylvania, L = York, O = Red Lion Controls, CN = Halo Signing Server 0003
Validity
Not Before: Sep 10 19:00:00 2019 GMT
Not After : Dec 31 23:59:59 3000 GMT
Subject: C = US, ST = Pennsylvania, L = York, O = Red Lion Controls, CN = Halo
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:2b:dd:82:0b:59:e3:d7:c1:04:ce:d4:9c:bb:74:
4c:94:5c:c7:9f:41:21:b8:24:96:39:9c:43:ea:dc:
6a:31:7b:58:54:ee:c2:a9:b7:0f:ea:34:ef:72:45:
cd:2e:2e:d7:1f:0a:74:eb:79:2d:e0:5d:16:ab:89:
5e:a3:52:99:7a
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:A7:A9:0B:27:B4:0D:28:84:26:F0:64:70:B5:27:DD:0B:05:4A:25:46
X509v3 Subject Key Identifier:
7E:0E:12:66:F0:CA:6C:D2:53:C3:0D:D3:40:6B:33:9A:91:C0:44:94
Signature Algorithm: ecdsa-with-SHA256
30:45:02:21:00:89:00:7e:64:03:1c:c3:8a:b1:17:30:ee:7b:
29:41:15:95:8e:1d:98:49:87:16:67:b8:4c:fc:d4:dc:d5:af:
c6:02:20:37:c8:09:39:ec:75:e2:4c:68:b5:b0:06:00:12:e8:
61:57:8b:57:ce:1e:7b:b4:81:cb:e2:c0:1f:de:b5:0c:cf
-----BEGIN CERTIFICATE-----
MIICEjCCAbigAwIBAgIQRvEWVcS7VierNnUAfrtgsTAKBggqhkjOPQQDAjByMQsw
CQYDVQQGEwJVUzEVMBMGA1UECAwMUGVubnN5bHZhbmlhMQ0wCwYDVQQHDARZb3Jr
MRowGAYDVQQKDBFSZWQgTGlvbiBDb250cm9sczEhMB8GA1UEAwwYSGFsbyBTaWdu
aW5nIFNlcnZlciAwMDAzMCAXDTE5MDkxMDE5MDAwMFoYDzMwMDAxMjMxMjM1OTU5
WjBeMQswCQYDVQQGEwJVUzEVMBMGA1UECAwMUGVubnN5bHZhbmlhMQ0wCwYDVQQH
DARZb3JrMRowGAYDVQQKDBFSZWQgTGlvbiBDb250cm9sczENMAsGA1UEAwwESGFs
bzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCvdggtZ49fBBM7UnLt0TJRcx59B
IbgkljmcQ+rcajF7WFTuwqm3D+o073JFzS4u1x8KdOt5LeBdFquJXqNSmXqjQjBA
MB8GA1UdIwQYMBaAFKepCye0DSiEJvBkcLUn3QsFSiVGMB0GA1UdDgQWBBR+DhJm
8Mps0lPDDdNAazOakcBElDAKBggqhkjOPQQDAgNIADBFAiEAiQB+ZAMcw4qxFzDu
eylBFZWOHZhJhxZnuEz81NzVr8YCIDfICTnsdeJMaLWwBgAS6GFXi1fOHnu0gcvi
wB/etQzP
-----END CERTIFICATE-----
I have also tried combining the root and intermediate certificates into one file and using the -CAfile argument, but the result is the same.
$ cp <path>/devel_root.cert.pem trusted_certs.txt
$ cat signing_server.curly-0003.cert.pem >> trusted_certs.txt
$ openssl verify -show_chain -CAfile trusted_certs.txt device.cert.pem
C = US, ST = Pennsylvania, L = York, O = Red Lion Controls, CN = Halo
error 20 at 0 depth lookup: unable to get local issuer certificate
error device.cert.pem: verification failed
At the very least, your device certificate carries the wrong Authority Key Identifier for the certificate you claim issued it.
Issuing CA:
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
57:55:32:18:99:54:20:30:1C:73:6F:08:46:0C:C9:86:EC:F6:E8:DB
57:55:32:...
Device certificate:
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:A7:A9:0B:27:B4:0D:28:84:26:F0:64:70:B5:27:DD:0B:05:4A:25:46
A7:A9:0B:...
Because the device certificate's Authority Key Identifier does not match the issuing CA's Subject Key Identifier, the issuing CA certificate is ruled out as a candidate issuer.
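To make the answer's point checkable without any OpenSSL tooling, here is an added example (my own code, not part of the question or the answer) that performs the same key-identifier comparison a chain builder applies. It uses only the Python standard library: a deliberately minimal DER walker (single-byte tags, definite lengths, which is all these certificates need) pulls the Subject Key Identifier and Authority Key Identifier out of the two PEM blocks posted above, the signing-server certificate and the device certificate, and reports whether the device's AKI names the signing server's key. The `check_issuer_link` function and the OID constants are mine; the PEM data is copied from the question.

```python
import base64
import re

# Constructed input: the signing-server and device certificates exactly as posted in the question.
SIGNING_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIICPTCCAeOgAwIBAgIQTjoM1k1k1xUZ7vIFG5kPdDAKBggqhkjOPQQDAjBlMQsw
CQYDVQQGEwJVUzEVMBMGA1UECAwMUGVubnN5bHZhbmlhMQ0wCwYDVQQHDARZb3Jr
MRowGAYDVQQKDBFSZWQgTGlvbiBDb250cm9sczEUMBIGA1UEAwwLSGFsbyBIU00g
Q0EwIBcNMTkwOTEwMTkwMDAwWhgPOTk5OTEyMzEyMzU5NTlaMHIxCzAJBgNVBAYT
AlVTMRUwEwYDVQQIDAxQZW5uc3lsdmFuaWExDTALBgNVBAcMBFlvcmsxGjAYBgNV
BAoMEVJlZCBMaW9uIENvbnRyb2xzMSEwHwYDVQQDDBhIYWxvIFNpZ25pbmcgU2Vy
dmVyIDAwMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQU3zLOT6ZNnAh9NdZX
GraVB3xectFoWrqeKEdi+u46BBkDhn5Be4t9M4pvP4gnbIn8ms3FJnJTzJK0QV6t
wsDmo2YwZDASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjAdBgNV
HQ4EFgQUV1UyGJlUIDAcc28IRgzJhuz26NswHwYDVR0jBBgwFoAU4B20QJq68z/t
rGsz9I1gzsMFieowCgYIKoZIzj0EAwIDSAAwRQIgc/VEe76xYsWJKPSUWoXzwWdg
yUpj8vVLXfEaJold4gQCIQC3FF8w6LkkSw9zm5Q8oCXeNVldwf2vdiWBEw0C2JWq
7w==
-----END CERTIFICATE-----"""
DEVICE_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIICEjCCAbigAwIBAgIQRvEWVcS7VierNnUAfrtgsTAKBggqhkjOPQQDAjByMQsw
CQYDVQQGEwJVUzEVMBMGA1UECAwMUGVubnN5bHZhbmlhMQ0wCwYDVQQHDARZb3Jr
MRowGAYDVQQKDBFSZWQgTGlvbiBDb250cm9sczEhMB8GA1UEAwwYSGFsbyBTaWdu
aW5nIFNlcnZlciAwMDAzMCAXDTE5MDkxMDE5MDAwMFoYDzMwMDAxMjMxMjM1OTU5
WjBeMQswCQYDVQQGEwJVUzEVMBMGA1UECAwMUGVubnN5bHZhbmlhMQ0wCwYDVQQH
DARZb3JrMRowGAYDVQQKDBFSZWQgTGlvbiBDb250cm9sczENMAsGA1UEAwwESGFs
bzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCvdggtZ49fBBM7UnLt0TJRcx59B
IbgkljmcQ+rcajF7WFTuwqm3D+o073JFzS4u1x8KdOt5LeBdFquJXqNSmXqjQjBA
MB8GA1UdIwQYMBaAFKepCye0DSiEJvBkcLUn3QsFSiVGMB0GA1UdDgQWBBR+DhJm
8Mps0lPDDdNAazOakcBElDAKBggqhkjOPQQDAgNIADBFAiEAiQB+ZAMcw4qxFzDu
eylBFZWOHZhJhxZnuEz81NzVr8YCIDfICTnsdeJMaLWwBgAS6GFXi1fOHnu0gcvi
wB/etQzP
-----END CERTIFICATE-----"""

OID_SKI = bytes.fromhex("551d0e")  # 2.5.29.14 subjectKeyIdentifier
OID_AKI = bytes.fromhex("551d23")  # 2.5.29.35 authorityKeyIdentifier

def pem_to_der(pem):
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))

def der_tlv(buf, pos=0):
    # One DER tag-length-value -> (tag, value, next_pos). Single-byte tags, definite lengths only.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    # Yield (tag, value) for each element packed inside a constructed value.
    pos = 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        yield tag, val

def extensions(der):
    # Map extnID (raw OID bytes) -> extnValue (the bytes inside the OCTET STRING).
    _, cert, _ = der_tlv(der)   # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(cert)   # tbsCertificate is its first element
    exts = {}
    for tag, val in der_children(tbs):
        if tag == 0xA3:         # [3] EXPLICIT Extensions
            _, ext_seq, _ = der_tlv(val)
            for _, ext in der_children(ext_seq):
                fields = list(der_children(ext))  # OID, optional BOOLEAN critical, OCTET STRING
                exts[fields[0][1]] = fields[-1][1]
    return exts

def key_ids(pem):
    # Return (ski, aki) as raw bytes; None where the extension is absent.
    exts = extensions(pem_to_der(pem))
    ski = aki = None
    if OID_SKI in exts:
        _, ski, _ = der_tlv(exts[OID_SKI])      # SubjectKeyIdentifier ::= OCTET STRING
    if OID_AKI in exts:
        _, aki_seq, _ = der_tlv(exts[OID_AKI])  # AuthorityKeyIdentifier ::= SEQUENCE
        for tag, val in der_children(aki_seq):
            if tag == 0x80:                     # [0] IMPLICIT keyIdentifier
                aki = val
    return ski, aki

def fmt(raw):
    return ":".join(f"{b:02X}" for b in raw) if raw is not None else None

def check_issuer_link(leaf_pem, candidate_issuer_pem):
    # The check a path builder applies: the leaf's AKI keyid must equal the candidate issuer's SKI.
    _, leaf_aki = key_ids(leaf_pem)
    issuer_ski, _ = key_ids(candidate_issuer_pem)
    return {"leaf_aki": fmt(leaf_aki), "issuer_ski": fmt(issuer_ski),
            "match": leaf_aki is not None and leaf_aki == issuer_ski}

if __name__ == "__main__":
    for k, v in check_issuer_link(DEVICE_CERT_PEM, SIGNING_CERT_PEM).items():
        print(f"{k}: {v}")
```

Run as a script it reports the device certificate's AKI (A7:A9:0B:...) against the signing server's SKI (57:55:32:...) and `match: False`, which is exactly what the `error 20 ... unable to get local issuer certificate` line is telling you: the only certificate whose subject matches the device's issuer name is rejected as its issuer because its key identifier is wrong. The same code shows the signing server's own AKI (E0:1D:B4:...) agreeing with the root's SKI in the root dump, so that link of the chain is intact. One further point on the first command in the question: `-trusted` takes a single file, so `signing_server.curly-0003.cert.pem` was treated as a second certificate to verify (hence its own `OK` line and chain) rather than as an intermediate; intermediates belong after `-untrusted`. That would not change the outcome here, since no candidate issuer carries the key identifier the device certificate names.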