Walk to where the water ends, sit and watch the "clouds" rise

Cloud Native ADN -> CNadn.Net

openssl client authentication: notes on verifying against a bundled CA file

openssl req -new -x509 -set_serial 20180704 -keyout ca1.key -out ca1.pem -days 365 -nodes

Run the command above twice to produce two CAs with exactly the same Subject Name (answer every prompt identically), say CA1 and CA2. Each run generates a fresh key, so the two CAs share a name but not a key.

openssl genrsa -out client1.key 2048

openssl req -new -key client1.key -out client1.csr

openssl x509 -req -in client1.csr -CA ca1.pem -CAkey ca1.key -set_serial 01 -out client1.pem

Then, with the three commands above, sign one certificate with each CA, say client1.pem (signed by CA1) and client2.pem (signed by CA2). Note that `x509 -req` without `-extfile` writes a certificate with no extensions, so these client certificates carry no Authority Key Identifier.

Now verify each client certificate against its own CA with the following command and confirm both report OK:

openssl verify -verbose -purpose sslclient -CAfile ca1.pem client1.pem

Bundle the two CA certificates into one file (a plain `cat ca1.pem ca2.pem` works just as well; the CR line inserted between the two PEM blocks here is harmless):

cat ca1.pem <(echo -e \\r) ca2.pem > ca1-2.pem

Verify both client certificates against the bundle: only the certificate issued by the CA that comes first in the bundle passes.

openssl verify -purpose sslclient -CAfile ca1-2.pem client1.pem
client1.pem: OK

openssl verify -purpose sslclient -CAfile ca1-2.pem client2.pem
client2.pem: C = CN, ST = BJ, L = BJ, O = F5, OU = SAM, CN = CLIENT2.TEST.COM, emailAddress = C2@C2.COM
error 7 at 0 depth lookup:certificate signature failure
140735804412872:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/crypto/rsa/rsa_pk1.c:105:
140735804412872:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/crypto/rsa/rsa_eay.c:707:
140735804412872:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/crypto/asn1/a_verify.c:160:


Cause: the two CAs have identical Subject names; the serial number plays no part. `openssl verify` locates a certificate's issuer in the -CAfile store by Subject name and then filters the candidates with X509_check_issued, which can only tell two same-named CAs apart by comparing the certificate's Authority Key Identifier with the candidate's Subject Key Identifier. The client certificates produced above have no AKID, so the first CA in the bundle with the matching name is taken as the issuer, and the signature check is then run against the wrong public key. That is the "error 7 at 0 depth lookup:certificate signature failure" and the RSA padding errors below it: the signature was decrypted with a key that never produced it. Whether a given OpenSSL or LibreSSL release goes on to try the other same-named candidate after a signature failure depends on the version; the LibreSSL used here does not.

Rebuild the two CAs with different Subject names (for example a different CN) and repeat the test: both client certificates now verify against the bundle.
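The whole experiment as a non-interactive script, added here as an example and not part of the original post. It reproduces the same-Subject bundle case, adds a lint that counts duplicate Subject names in a bundle, and goes one step beyond the post's fix: besides rebuilding the CAs with distinct Subjects, it also signs a client certificate with an Authority Key Identifier so that the store can match it to the right CA's Subject Key Identifier even when the names collide. It assumes an `openssl` CLI on PATH; every subject, file name and the minimal config file are constructed for the example. The post's `-set_serial 20180704` is kept to show that a shared serial is irrelevant.

```shell
#!/bin/sh
# Added example (not the post's own commands): reproduce the same-Subject CA
# bundle problem non-interactively, lint a bundle for duplicate Subjects, and
# show two fixes (distinct Subjects; AKID on the leaf / SKID on the CA).
# Assumes an openssl CLI on PATH; all names, subjects and paths are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found; nothing to do" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config so `req` runs without a system openssl.cnf (constructed).
# v3_ca gives the CA a Subject Key Identifier; leaf_akid gives a client
# certificate an Authority Key Identifier pointing at the signing CA's SKID.
cat >openssl.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_akid]
authorityKeyIdentifier = keyid
EOF

# make_ca NAME SUBJECT: fresh key + self-signed CA cert, like the post's first command
make_ca() {
    openssl req -new -x509 -config openssl.cnf -extensions v3_ca -newkey rsa:2048 \
        -nodes -keyout "$1.key" -out "$1.pem" -subj "$2" -days 365 \
        -set_serial 20180704 2>/dev/null
}

# make_client NAME CA SUBJECT [EXTSECTION]: CSR signed by CA. Without the 4th
# argument the result has no AKID, exactly as `x509 -req` produced on the page;
# with "leaf_akid" it carries an AKID naming the CA's SKID.
make_client() {
    openssl req -new -config openssl.cnf -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "$3" 2>/dev/null
    if [ $# -ge 4 ]; then
        openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -set_serial 1 \
            -days 365 -extfile openssl.cnf -extensions "$4" -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -set_serial 1 \
            -days 365 -out "$1.pem" 2>/dev/null
    fi
}

# verify_client CLIENT BUNDLE: exit status of `openssl verify` against the bundle
verify_client() {
    openssl verify -purpose sslclient -CAfile "$2" "$1.pem" >/dev/null 2>&1
}

# dup_subjects BUNDLE: number of Subject names that occur more than once in the
# bundle; anything other than 0 means issuer lookup by name is ambiguous
dup_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout \
        | sed -n 's/^subject=//p' | sort | uniq -d | wc -l | tr -d ' '
}

# report LABEL CLIENT BUNDLE: print OK/FAIL without aborting under set -e
report() {
    if verify_client "$2" "$3"; then echo "$1: OK"; else echo "$1: FAIL"; fi
}

SUBJ_CA='/C=CN/ST=BJ/L=BJ/O=F5/OU=SAM/CN=CA.TEST.COM'
make_ca ca1 "$SUBJ_CA"
make_ca ca2 "$SUBJ_CA"                       # same Subject, different key
make_ca ca3 '/C=CN/O=F5/CN=CA3.TEST.COM'     # the post's fix: distinct Subjects
make_ca ca4 '/C=CN/O=F5/CN=CA4.TEST.COM'
make_client client1 ca1 '/C=CN/O=F5/CN=CLIENT1.TEST.COM'
make_client client2 ca2 '/C=CN/O=F5/CN=CLIENT2.TEST.COM'
make_client client2akid ca2 '/C=CN/O=F5/CN=CLIENT2.TEST.COM' leaf_akid
make_client client3 ca3 '/C=CN/O=F5/CN=CLIENT3.TEST.COM'
make_client client4 ca4 '/C=CN/O=F5/CN=CLIENT4.TEST.COM'
cat ca1.pem ca2.pem >same.pem
cat ca3.pem ca4.pem >distinct.pem

echo "duplicate subjects in same.pem: $(dup_subjects same.pem)"
echo "duplicate subjects in distinct.pem: $(dup_subjects distinct.pem)"
report "client1 vs same.pem (first CA in bundle)" client1 same.pem
report "client2 vs same.pem (second CA, no AKID)" client2 same.pem
report "client2 with AKID vs same.pem" client2akid same.pem
report "client3 vs distinct.pem" client3 distinct.pem
report "client4 vs distinct.pem" client4 distinct.pem
```

The `dup_subjects` lint is the check worth keeping: run it over any CA bundle before handing it to `-CAfile` or a server's client-CA list, since a non-zero result means name-based issuer lookup cannot be trusted to pick the right key. The outcome of the "client2 vs same.pem" line depends on the OpenSSL or LibreSSL release, as the post's output shows for one of them; the other lines do not.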


Also: if a CA certificate expires and a new CA certificate is issued for the old key, the new CA certificate can still verify every certificate previously issued under the old one.

https://serverfault.com/questions/306345/certification-authority-root-certificate-expiry-and-renewal

That post can easily leave the impression that certificate trust has nothing to do with the Subject name. It works there only because the renewed CA keeps both the Subject name and the key: the name lookup finds a CA whose public key matches the signatures, and the AKID/SKID values are unchanged too. In the bundle case above the names match but the keys differ, which is exactly what the lookup cannot cope with.
