moneyslow.com

Verifying certificates with openssl

Using openssl in place of telnet

Location of the operating system's root certificate bundle: /etc/pki/tls/certs/ca-bundle.crt

openssl commands:
openssl s_client -connect moneyslow.com:443 -servername moneyslow.com
openssl s_client -verify_hostname moneyslow.com -connect moneyslow.com:443 -servername moneyslow.com
openssl s_client -verify 2 -connect moneyslow.com:443
openssl crl2pkcs7 -nocrl -certfile moneyslow.com.crt | openssl pkcs7 -print_certs -noout

Viewing the certificate chain:
openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -print_certs -noout
subject=/CN=vipads.com.cn
issuer=/C=US/O=Let's Encrypt/CN=R3

subject=/C=US/O=Let's Encrypt/CN=R3
issuer=/C=US/O=Internet Security Research Group/CN=ISRG Root X1

subject=/C=US/O=Internet Security Research Group/CN=ISRG Root X1
issuer=/O=Digital Signature Trust Co./CN=DST Root CA X3

Verifying a single certificate on its own fails with an expected error:
openssl verify cert.pem
CN = vipads.com.cn
error 20 at 0 depth lookup: unable to get local issuer certificate
error cert.pem: verification failed

Verification when the intermediate and root certificates are supplied:
$ openssl verify -CAfile ca.pem \
             -untrusted intermediate.pem \
             cert.pem

cert.pem: OK
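The two verify results above can be reproduced offline with a throwaway chain. This script is an added example, not part of the original page; build_chain, verifies, report, demo.cnf and the CN values are hypothetical names, and all certificates are constructed on the spot.

```shell
#!/bin/sh
# Added demo (constructed data): throwaway root -> intermediate -> leaf chain,
# checked with the same `openssl verify` variants shown on the page.
# build_chain, verifies, demo.cnf and the CN values are hypothetical names.

build_chain() (   # $1 = working directory; subshell body keeps the cd local
  cd "$1" || exit 1
  # Minimal config so the demo does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name = req' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
    '[v3_leaf]' 'basicConstraints = CA:FALSE' > demo.cnf
  # Self-signed root: the trust anchor (ca.pem on the page).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config demo.cnf \
    -extensions v3_ca -subj '/CN=Demo Root' \
    -keyout ca.key -out ca.pem 2>/dev/null || exit 1
  # Intermediate CA signed by the root (intermediate.pem on the page).
  openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
    -subj '/CN=Demo Intermediate' -keyout int.key -out int.csr 2>/dev/null || exit 1
  openssl x509 -req -in int.csr -CA ca.pem -CAkey ca.key -set_serial 1 -days 1 \
    -extfile demo.cnf -extensions v3_ca -out intermediate.pem 2>/dev/null || exit 1
  # Leaf signed by the intermediate (cert.pem on the page).
  openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
    -subj '/CN=demo.example' -keyout cert.key -out cert.csr 2>/dev/null || exit 1
  openssl x509 -req -in cert.csr -CA intermediate.pem -CAkey int.key -set_serial 2 \
    -days 1 -extfile demo.cnf -extensions v3_leaf -out cert.pem 2>/dev/null || exit 1
)

# Succeeds only when `openssl verify` reports "<file>: OK" for the arguments.
verifies() { openssl verify "$@" 2>&1 | grep -q ': OK$'; }

report() {        # $1 = label, remaining arguments go to openssl verify
  label=$1; shift
  if verifies "$@"; then echo "$label: OK"; else echo "$label: FAILED"; fi
}

dir=$(mktemp -d) && build_chain "$dir" || exit 1
# 1. Leaf alone: the issuer is missing, so this is the page's error 20.
report 'leaf only' "$dir/cert.pem"
# 2. Root trusted but no intermediate: the chain still cannot be built.
report 'root only' -CAfile "$dir/ca.pem" "$dir/cert.pem"
# 3. Root as anchor plus intermediate as an untrusted chain-building candidate.
report 'root + intermediate' -CAfile "$dir/ca.pem" \
  -untrusted "$dir/intermediate.pem" "$dir/cert.pem"
```

Certificates passed with -untrusted are only used to build the path; trust still comes solely from the anchor given with -CAfile.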
