Different output by openssl

I keep asking myself how to interpret openssl's output about a certificate depending on the option used (-text or -purpose). Sometimes it is not clear to me, for example, whether a certificate is meant to be a CA.

Example:

openssl x509 -in /path/to/cert1.pem -purpose -noout
Certificate purposes:
SSL client : Yes
SSL client CA : Yes (WARNING code=3)
SSL server : Yes
SSL server CA : Yes (WARNING code=3)
...

But:

openssl x509 -in /path/to/cert1.pem -text -noout | grep CA

This shows no results. However:

openssl x509 -in /path/to/cert2.pem -purpose -noout
Certificate purposes:
SSL client : Yes
SSL client CA : Yes
SSL server : Yes
SSL server CA : Yes
...

And:

openssl x509 -in /path/to/cert2.pem -text -noout | grep CA
CA:TRUE

From the limited output you provided, your cert1.pem seems to be of type X509v1. Therefore its -text output does not contain the X509v3 extensions that show up in the grep results for cert2.pem.

Some support for this assumption starts with the output for cert1.pem, which includes

SSL client CA : Yes (WARNING code=3)

The OpenSSL documentation on what this warning means is limited, but by inspecting its source code, starting from the apps/x509.c application, it can be traced back to the following function:

static int check_ca(const X509 *x)
{
    /* keyUsage if present should allow cert signing */
    if (ku_reject(x, KU_KEY_CERT_SIGN))
        return 0;
    if (x->ex_flags & EXFLAG_BCONS) {
        if (x->ex_flags & EXFLAG_CA)
            return 1;
        /* If basicConstraints says not a CA then say so */
        else
            return 0;
    } else {
        /* we support V1 roots for...  uh, I don't really know why. */
        if ((x->ex_flags & V1_ROOT) == V1_ROOT)
            return 3;
        /*
         * If key usage present it must have certSign so tolerate it
         */
        else if (x->ex_flags & EXFLAG_KUSAGE)
            return 4;
        /* Older certificates could have Netscape-specific CA types */
        else if (x->ex_flags & EXFLAG_NSCERT && x->ex_nscert & NS_ANY_CA)
            return 5;
        /* can this still be regarded a CA certificate?  I doubt it */
        return 0;
    }
}

This is where the code value 3 comes from.

To verify whether this is the case, just look at the first lines of the text dump of the different certificates, which look like this:

Certificate:
    Data:
        Version: 1 (0x0)

Going back to the X509 tool documentation page, the following now makes sense:

If the certificate is a V1 certificate (and thus has no extensions) and it is self signed it is also assumed to be a CA but a warning is again given: this is to work around the problem of Verisign roots which are V1 self signed certificates.
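As an added illustration (not part of the answer above and not OpenSSL's own code), the following Python script applies the same decision logic as check_ca() to the output of openssl x509 -text, using constructed, abridged sample dumps, and renders the codes the way -purpose prints them. The self-signed test is simplified to an Issuer/Subject comparison; OpenSSL's EXFLAG_SS also consults the key identifier extensions.

```python
import re
# Constructed, abridged "openssl x509 -text" dumps; not real certificates.
V1_SELF_SIGNED_DUMP = """        Version: 1 (0x0)
        Issuer: CN = Example V1 Root
        Subject: CN = Example V1 Root
"""
V3_CA_DUMP = """        Version: 3 (0x2)
        Issuer: CN = Example Root CA
        Subject: CN = Example Root CA
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
"""
V3_LEAF_DUMP = """        Version: 3 (0x2)
        Issuer: CN = Example Root CA
        Subject: CN = www.example.test
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
"""

def _field(dump, name):
    """Value of a 'Name: value' line (Version, Issuer, Subject), or '' if absent."""
    m = re.search(rf"^\s*{name}: (.*)$", dump, re.MULTILINE)
    return m.group(1).strip() if m else ""

def _ext(dump, name):
    """Line following an 'X509v3 <name>:' header, or None if the extension is absent."""
    m = re.search(rf"X509v3 {re.escape(name)}:[^\n]*\n\s*([^\n]+)", dump)
    return m.group(1).strip() if m else None

def check_ca(dump):
    """Same codes as OpenSSL's check_ca(): 0 no, 1 CA, 3 V1 self-signed, 4 keyUsage only."""
    key_usage = _ext(dump, "Key Usage")
    if key_usage is not None and "Certificate Sign" not in key_usage:
        return 0                      # keyUsage present but forbids cert signing
    basic = _ext(dump, "Basic Constraints")
    if basic is not None:             # basicConstraints decides when present
        return 1 if basic.startswith("CA:TRUE") else 0
    v1 = _field(dump, "Version").startswith("1 ")
    self_signed = _field(dump, "Issuer") == _field(dump, "Subject")  # simplified EXFLAG_SS
    if v1 and self_signed:
        return 3                      # the "Yes (WARNING code=3)" case from the question
    return 4 if key_usage is not None else 0

def purpose_label(code):
    """Render a code the way 'openssl x509 -purpose' prints it."""
    return {0: "No", 1: "Yes"}.get(code, f"Yes (WARNING code={code})")
```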

From the x509 documentation:

SSL Client CA

The extended key usage extension must be absent or include the "web client authentication" OID. Netscape certificate type must be absent or it must have the SSL CA bit set: this is used as a work around if the basicConstraints extension is absent.

Your certificate seems to have no x509v3 extensions at all (neither basicConstraints nor extendedKeyUsage). As @Reinier-Torenbeek says, this means your certificate is of x509 version 1 type.