openssl client authentication bundle CA 验证备忘

2018年07月5日 10543点热度 0人点赞 0条评论

openssl req -new -x509 -set_serial 20180704 -keyout ca1.key -out ca1.pem -days 365 -nodes

用上述命令产生两个 Subject Name一样的CA（提示中输入的信息完全一致），例如CA1, CA2

openssl genrsa -out client1.key 2048

openssl req -new -key client1.key -out client1.csr

openssl x509 -req -in client1.csr -CA ca1.pem -CAkey ca1.key -set_serial 01 -out client1.pem

再用上述3个命令，用每个CA分别签一个证书，例如 client1.pem, client2.pem

再用以下命令，分别验证两个client证书，确认ok

openssl verify -verbose -purpose sslclient -CAfile ca1.pem client1.pem

将两张ca证书bundle起来：

cat ca1.pem <(echo -e \\r) ca2.pem > ca1-2.pem

再用bundle ca去验证两个证书，发现只有bundle里排在第一个的CA所签发的证书可以验证通过：

openssl verify -purpose sslclient -CAfile ca1-2.pem client1.pem
client1.pem: OK

openssl verify -purpose sslclient -CAfile ca1-2.pem client2.pem
client2.pem: C = CN, ST = BJ, L = BJ, O = F5, OU = SAM, CN = CLIENT2.TEST.COM, emailAddress = C2@C2.COM
error 7 at 0 depth lookup:certificate signature failure
140735804412872:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/crypto/rsa/rsa_pk1.c:105:
140735804412872:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/crypto/rsa/rsa_eay.c:707:
140735804412872:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/crypto/asn1/a_verify.c:160:

原因：两个CA的Subject名称完全一样，导致问题（serial number没有关系）

重新做Subject name不一样的两个CA，类似如下，再测试，无问题。

BEI-ML-JLIN-:Downloads jlin$ openssl x509 -in ca5.pem -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 20180705 (0x133eee1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BJ, L=BJ, O=F5, OU=SAM5, CN=TEST5.COM/emailAddress=5@5.COM
        Validity
            Not Before: Jul  5 01:28:05 2018 GMT
            Not After : Jul  5 01:28:05 2019 GMT
        Subject: C=CN, ST=BJ, L=BJ, O=F5, OU=SAM5, CN=TEST5.COM/emailAddress=5@5.COM
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:aa:c8:3b:6d:e1:87:20:83:a8:94:99:55:9b:b7:
                    90:a2:0d:c3:8a:e7:11:da:06:a2:a1:d6:ca:1b:60:
                    37:04:16:a0:44:a3:fe:26:91:ae:d4:8f:d4:4b:d2:
                    38:d1:7e:9a:b4:80:c3:22:63:b9:1e:91:67:a6:85:
                    c5:29:a1:37:c5:18:7c:ad:ca:b5:42:f7:0b:cd:59:
                    0e:c3:b2:23:33:bb:a6:b3:0f:85:0b:ac:b0:97:51:
                    87:3d:e7:e8:51:64:80:1e:1c:e9:2a:75:90:ec:0e:
                    33:17:16:bf:a8:8d:68:98:b9:c5:5d:1b:f6:62:51:
                    58:0b:1f:28:bd:7c:54:8f:bf:6d:76:e7:45:5d:39:
                    fd:50:9e:0b:1a:09:88:1b:a6:a6:ab:98:b1:d4:ee:
                    fa:1e:28:ad:45:f5:32:15:95:a6:3e:b1:6e:be:b3:
                    43:d7:fa:33:25:f3:af:31:6d:cf:7b:5f:bc:30:f4:
                    8f:49:e6:f4:d2:64:f7:b8:9a:6f:79:72:b1:a8:df:
                    a1:d5:c5:e0:6d:61:cd:d1:7d:69:41:be:9e:64:50:
                    14:8f:ae:7e:7a:8e:6f:4a:2d:1e:f9:dd:d5:a3:27:
                    f3:2d:14:10:c9:ca:81:0c:dd:10:d0:5a:6f:3c:a7:
                    f2:21:49:ca:5e:52:42:df:dd:67:7a:38:43:94:fd:
                    29:21
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         22:55:0d:2a:39:d2:bd:6d:6d:83:d8:93:6b:69:66:a7:20:99:
         df:98:39:20:80:d0:0f:c2:69:27:3a:b1:dd:8b:c0:20:7d:6d:
         fe:d1:da:92:e9:96:90:4b:1f:89:2f:92:5f:3b:a5:d6:85:c0:
         97:de:19:e9:36:dc:77:9c:6e:1f:1b:67:44:04:3f:09:f4:25:
         c2:e2:52:b3:d9:99:6d:a2:e6:0f:4f:8f:d6:e9:eb:93:e3:26:
         dd:4a:b1:52:1b:0b:fd:b6:3e:bd:6a:1b:9a:4f:2b:cf:8c:54:
         f1:ba:e3:ae:8f:c5:45:58:8d:e4:1b:d1:9e:f9:65:1f:73:35:
         df:fe:74:1d:ef:b0:65:ac:8f:bc:64:36:15:f6:2e:be:77:08:
         5a:64:81:e2:4d:22:5e:3b:27:4c:19:60:76:ed:94:3f:57:83:
         b1:0b:58:e6:16:7d:28:56:ca:7b:22:73:1f:29:ee:95:81:6e:
         ab:39:95:21:7e:e5:36:5f:90:ca:53:65:45:cc:fd:a1:0b:8a:
         2c:20:fd:40:40:06:23:c5:e3:bf:23:9b:d5:2a:9c:2b:9f:f8:
         0c:cb:e7:a0:bc:2e:da:ad:a0:c9:d2:f2:c1:6c:bb:31:55:a3:
         ae:39:ca:c0:6d:07:f3:28:71:65:97:3a:c3:68:f6:96:4e:0b:
         66:fb:ad:a3
BEI-ML-JLIN-:Downloads jlin$ openssl x509 -in ca6.pem -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 20180705 (0x133eee1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BJ, L=BJ, O=F5, OU=SAM6, CN=TEST6.COM/emailAddress=6@6.COM
        Validity
            Not Before: Jul  5 01:30:41 2018 GMT
            Not After : Jul  5 01:30:41 2019 GMT
        Subject: C=CN, ST=BJ, L=BJ, O=F5, OU=SAM6, CN=TEST6.COM/emailAddress=6@6.COM
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d1:64:a4:c6:73:87:f5:ed:56:62:64:ef:93:4e:
                    52:40:f0:7c:8d:ec:a0:a4:55:db:92:9d:96:6f:e1:
                    55:39:b5:c1:46:74:33:90:af:2a:d9:76:ca:0c:99:
                    5e:3e:56:f8:1d:1a:c4:77:00:b2:8d:72:ff:e8:bf:
                    6f:22:d8:a1:a3:5f:ff:33:17:86:98:f4:a9:3c:48:
                    20:97:4f:e4:d1:bf:cd:36:17:d2:a0:56:26:0d:93:
                    84:19:47:07:5b:14:1c:a1:d3:04:1c:ad:38:4b:5c:
                    6c:c1:60:5b:0c:04:e6:43:0d:a3:9e:f3:8f:91:87:
                    f8:9f:3c:1c:6e:b1:cd:06:10:8b:d5:07:00:0f:e8:
                    82:dd:cc:0a:e0:89:a3:c4:e8:0a:cd:6e:03:e7:22:
                    a6:28:75:7e:c1:bb:17:f8:fe:ef:1a:ec:c8:84:1c:
                    a0:d3:4a:45:e0:1b:dc:6e:50:c2:47:83:6a:67:d9:
                    6d:e4:78:5b:5e:59:db:61:30:5a:ba:3e:a1:aa:bf:
                    b8:65:66:ab:95:1a:83:86:77:3e:a0:05:a3:8e:34:
                    ec:35:02:70:db:85:72:12:5c:48:0e:24:e7:a9:6b:
                    12:aa:b9:d7:b1:c2:26:40:7d:fc:74:af:63:a7:4b:
                    92:79:a1:c4:44:d3:63:bf:91:f8:fa:a8:d3:89:30:
                    77:c3
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         13:83:a9:b9:66:d5:59:11:f7:df:5f:59:4f:11:41:dc:7e:bc:
         b8:cc:4f:22:24:59:c3:9f:98:20:1b:9c:6a:5d:ec:94:17:8a:
         0e:a9:05:db:f0:15:35:32:9f:60:b1:2c:c7:66:ac:cf:1d:4e:
         a6:50:07:74:f5:93:4e:cc:a5:e7:62:f4:6b:a9:70:50:b7:18:
         54:7f:7b:89:d4:9a:c8:97:9e:d8:ca:d0:f7:c7:d9:90:32:5e:
         14:f4:9d:c8:ef:d2:60:55:9b:88:c7:4b:8d:b5:da:80:b3:5a:
         a9:a6:c9:c2:33:0b:6d:e8:40:fc:c0:0d:9d:4a:3d:40:19:27:
         90:cb:08:96:6a:d2:49:49:c0:ba:cd:c3:1c:f3:24:8a:d2:62:
         90:de:25:4b:9d:7f:d6:2b:91:47:bb:6d:b7:4c:b4:07:2c:09:
         9c:b8:de:84:dc:07:5e:4e:68:63:99:28:56:ca:65:b1:46:f7:
         cf:09:eb:36:4a:ad:be:dd:63:e5:7d:1f:5a:64:37:c8:99:b3:
         29:03:a7:59:38:99:ed:d4:4c:2a:2e:d0:41:3d:f0:c9:e9:f5:
         36:ea:39:03:2d:e4:87:e7:16:f1:d8:e4:a4:c4:56:64:0a:e5:
         2e:4f:6f:d2:df:c7:3a:37:ca:49:5f:ea:fb:c1:13:ed:b5:e9:
         ea:05:9c:69

100

BEI-ML-JLIN-:Downloads jlin$ openssl x509 -in ca5.pem -text -noout

Certificate:

Data:

Version: 1 (0x0)

Serial Number: 20180705 (0x133eee1)

Signature Algorithm: sha256WithRSAEncryption

Issuer: C=CN, ST=BJ, L=BJ, O=F5, OU=SAM5, CN=TEST5.COM/emailAddress=5@5.COM

Validity

Not Before: Jul 5 01:28:05 2018 GMT

Not After : Jul 5 01:28:05 2019 GMT

Subject: C=CN, ST=BJ, L=BJ, O=F5, OU=SAM5, CN=TEST5.COM/emailAddress=5@5.COM

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (2048 bit)

Modulus:

00:aa:c8:3b:6d:e1:87:20:83:a8:94:99:55:9b:b7:

90:a2:0d:c3:8a:e7:11:da:06:a2:a1:d6:ca:1b:60:

37:04:16:a0:44:a3:fe:26:91:ae:d4:8f:d4:4b:d2:

38:d1:7e:9a:b4:80:c3:22:63:b9:1e:91:67:a6:85:

c5:29:a1:37:c5:18:7c:ad:ca:b5:42:f7:0b:cd:59:

0e:c3:b2:23:33:bb:a6:b3:0f:85:0b:ac:b0:97:51:

87:3d:e7:e8:51:64:80:1e:1c:e9:2a:75:90:ec:0e:

33:17:16:bf:a8:8d:68:98:b9:c5:5d:1b:f6:62:51:

58:0b:1f:28:bd:7c:54:8f:bf:6d:76:e7:45:5d:39:

fd:50:9e:0b:1a:09:88:1b:a6:a6:ab:98:b1:d4:ee:

fa:1e:28:ad:45:f5:32:15:95:a6:3e:b1:6e:be:b3:

43:d7:fa:33:25:f3:af:31:6d:cf:7b:5f:bc:30:f4:

8f:49:e6:f4:d2:64:f7:b8:9a:6f:79:72:b1:a8:df:

a1:d5:c5:e0:6d:61:cd:d1:7d:69:41:be:9e:64:50:

14:8f:ae:7e:7a:8e:6f:4a:2d:1e:f9:dd:d5:a3:27:

f3:2d:14:10:c9:ca:81:0c:dd:10:d0:5a:6f:3c:a7:

f2:21:49:ca:5e:52:42:df:dd:67:7a:38:43:94:fd:

29:21

Exponent: 65537 (0x10001)

Signature Algorithm: sha256WithRSAEncryption

22:55:0d:2a:39:d2:bd:6d:6d:83:d8:93:6b:69:66:a7:20:99:

df:98:39:20:80:d0:0f:c2:69:27:3a:b1:dd:8b:c0:20:7d:6d:

fe:d1:da:92:e9:96:90:4b:1f:89:2f:92:5f:3b:a5:d6:85:c0:

97:de:19:e9:36:dc:77:9c:6e:1f:1b:67:44:04:3f:09:f4:25:

c2:e2:52:b3:d9:99:6d:a2:e6:0f:4f:8f:d6:e9:eb:93:e3:26:

dd:4a:b1:52:1b:0b:fd:b6:3e:bd:6a:1b:9a:4f:2b:cf:8c:54:

f1:ba:e3:ae:8f:c5:45:58:8d:e4:1b:d1:9e:f9:65:1f:73:35:

df:fe:74:1d:ef:b0:65:ac:8f:bc:64:36:15:f6:2e:be:77:08:

5a:64:81:e2:4d:22:5e:3b:27:4c:19:60:76:ed:94:3f:57:83:

b1:0b:58:e6:16:7d:28:56:ca:7b:22:73:1f:29:ee:95:81:6e:

ab:39:95:21:7e:e5:36:5f:90:ca:53:65:45:cc:fd:a1:0b:8a:

2c:20:fd:40:40:06:23:c5:e3:bf:23:9b:d5:2a:9c:2b:9f:f8:

0c:cb:e7:a0:bc:2e:da:ad:a0:c9:d2:f2:c1:6c:bb:31:55:a3:

ae:39:ca:c0:6d:07:f3:28:71:65:97:3a:c3:68:f6:96:4e:0b:

66:fb:ad:a3

BEI-ML-JLIN-:Downloads jlin$ openssl x509 -in ca6.pem -text -noout

Certificate:

Data:

Version: 1 (0x0)

Serial Number: 20180705 (0x133eee1)

Signature Algorithm: sha256WithRSAEncryption

Issuer: C=CN, ST=BJ, L=BJ, O=F5, OU=SAM6, CN=TEST6.COM/emailAddress=6@6.COM

Validity

Not Before: Jul 5 01:30:41 2018 GMT

Not After : Jul 5 01:30:41 2019 GMT

Subject: C=CN, ST=BJ, L=BJ, O=F5, OU=SAM6, CN=TEST6.COM/emailAddress=6@6.COM

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (2048 bit)

Modulus:

00:d1:64:a4:c6:73:87:f5:ed:56:62:64:ef:93:4e:

52:40:f0:7c:8d:ec:a0:a4:55:db:92:9d:96:6f:e1:

55:39:b5:c1:46:74:33:90:af:2a:d9:76:ca:0c:99:

5e:3e:56:f8:1d:1a:c4:77:00:b2:8d:72:ff:e8:bf:

6f:22:d8:a1:a3:5f:ff:33:17:86:98:f4:a9:3c:48:

20:97:4f:e4:d1:bf:cd:36:17:d2:a0:56:26:0d:93:

84:19:47:07:5b:14:1c:a1:d3:04:1c:ad:38:4b:5c:

6c:c1:60:5b:0c:04:e6:43:0d:a3:9e:f3:8f:91:87:

f8:9f:3c:1c:6e:b1:cd:06:10:8b:d5:07:00:0f:e8:

82:dd:cc:0a:e0:89:a3:c4:e8:0a:cd:6e:03:e7:22:

a6:28:75:7e:c1:bb:17:f8:fe:ef:1a:ec:c8:84:1c:

a0:d3:4a:45:e0:1b:dc:6e:50:c2:47:83:6a:67:d9:

6d:e4:78:5b:5e:59:db:61:30:5a:ba:3e:a1:aa:bf:

b8:65:66:ab:95:1a:83:86:77:3e:a0:05:a3:8e:34:

ec:35:02:70:db:85:72:12:5c:48:0e:24:e7:a9:6b:

12:aa:b9:d7:b1:c2:26:40:7d:fc:74:af:63:a7:4b:

92:79:a1:c4:44:d3:63:bf:91:f8:fa:a8:d3:89:30:

77:c3

Exponent: 65537 (0x10001)

Signature Algorithm: sha256WithRSAEncryption

13:83:a9:b9:66:d5:59:11:f7:df:5f:59:4f:11:41:dc:7e:bc:

b8:cc:4f:22:24:59:c3:9f:98:20:1b:9c:6a:5d:ec:94:17:8a:

0e:a9:05:db:f0:15:35:32:9f:60:b1:2c:c7:66:ac:cf:1d:4e:

a6:50:07:74:f5:93:4e:cc:a5:e7:62:f4:6b:a9:70:50:b7:18:

54:7f:7b:89:d4:9a:c8:97:9e:d8:ca:d0:f7:c7:d9:90:32:5e:

14:f4:9d:c8:ef:d2:60:55:9b:88:c7:4b:8d:b5:da:80:b3:5a:

a9:a6:c9:c2:33:0b:6d:e8:40:fc:c0:0d:9d:4a:3d:40:19:27:

90:cb:08:96:6a:d2:49:49:c0:ba:cd:c3:1c:f3:24:8a:d2:62:

90:de:25:4b:9d:7f:d6:2b:91:47:bb:6d:b7:4c:b4:07:2c:09:

9c:b8:de:84:dc:07:5e:4e:68:63:99:28:56:ca:65:b1:46:f7:

cf:09:eb:36:4a:ad:be:dd:63:e5:7d:1f:5a:64:37:c8:99:b3:

29:03:a7:59:38:99:ed:d4:4c:2a:2e:d0:41:3d:f0:c9:e9:f5:

36:ea:39:03:2d:e4:87:e7:16:f1:d8:e4:a4:c4:56:64:0a:e5:

2e:4f:6f:d2:df:c7:3a:37:ca:49:5f:ea:fb:c1:13:ed:b5:e9:

ea:05:9c:69

另：如果一个CA到期，用以前的旧key重新签发CA，CA是可以继续用于验证以前签发的各种证书的。

https://serverfault.com/questions/306345/certification-authority-root-certificate-expiry-and-renewal

该文章容易导致人误解证书信任与Subject name无关。

本作品采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

openssl client authentication bundle CA 验证备忘

相关文章

文章评论