HTTPS certificate verification process:
https://medium.com/@superseb/get-your-certificate-chain-right-4b117a9c0fce
How cross-signing and alternate trust paths work:
https://scotthelme.co.uk/cross-signing-alternate-trust-paths-how-they-work/
Location of the operating system's root certificate bundle: /etc/pki/tls/certs/ca-bundle.crt
openssl commands:
openssl s_client -connect yc.ifeng.com:443 -servername yc.ifeng.com
openssl s_client -verify_hostname yc.ifeng.com -connect yc.ifeng.com:443 -servername yc.ifeng.com
openssl s_client -verify 2 -connect yc.ifeng.com:443
openssl s_client -verify 2 -connect vipads.com.cn:443
openssl s_client -connect vipads.com.cn:443 -servername vipads.com.cn
View the certificate chain:
openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -print_certs -noout
subject=/CN=vipads.com.cn
issuer=/C=US/O=Let's Encrypt/CN=R3
subject=/C=US/O=Let's Encrypt/CN=R3
issuer=/C=US/O=Internet Security Research Group/CN=ISRG Root X1
subject=/C=US/O=Internet Security Research Group/CN=ISRG Root X1
issuer=/O=Digital Signature Trust Co./CN=DST Root CA X3
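An added example (not from the original notes): a small shell check that reads the subject=/issuer= listing shown above and confirms the chain is in order, that is, each certificate's issuer is the subject of the next one. The function names check_chain_order and sample_chain are hypothetical; the sample input is the listing above.

```shell
# Added example. Reads the subject=/issuer= pairs printed by
#   openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -print_certs -noout
# on stdin and checks that issuer[i] equals subject[i+1] (leaf first, root last).
# Exit status: 0 = in order, 1 = misordered or missing link, 2 = no certificates.
check_chain_order() {
  awk '
    /^subject=/ { sub(/^subject= */, ""); subj[++n] = $0 }
    /^issuer=/  { sub(/^issuer= */, "");  iss[n] = $0 }
    END {
      if (n == 0) { print "ERROR: no certificates found"; exit 2 }
      for (i = 1; i < n; i++)
        if (iss[i] != subj[i + 1]) {
          printf "BROKEN at cert %d: issuer \"%s\" but next subject is \"%s\"\n", i, iss[i], subj[i + 1]
          exit 1
        }
      if (iss[n] == subj[n])
        printf "OK: %d certs in order; ends in self-signed \"%s\"\n", n, subj[n]
      else
        printf "OK: %d certs in order; top certificate issued by \"%s\" (not in file)\n", n, iss[n]
    }'
}

# Sample input: the chain listing from these notes.
sample_chain() {
  cat <<'EOF'
subject=/CN=vipads.com.cn
issuer=/C=US/O=Let's Encrypt/CN=R3
subject=/C=US/O=Let's Encrypt/CN=R3
issuer=/C=US/O=Internet Security Research Group/CN=ISRG Root X1
subject=/C=US/O=Internet Security Research Group/CN=ISRG Root X1
issuer=/O=Digital Signature Trust Co./CN=DST Root CA X3
EOF
}

sample_chain | check_chain_order
```

This compares names only, so it catches ordering and missing-link mistakes in chain.pem; signatures and validity are still checked by openssl verify.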
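Verifying a certificate on its own produces an expected error, because its issuer (the intermediate) has not been supplied: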
openssl verify cert.pem
CN = vipads.com.cn
error 20 at 0 depth lookup: unable to get local issuer certificate
error cert.pem: verification failed
Verification with the intermediate and root certificates supplied:
$ openssl verify -CAfile ca.pem \
> -untrusted intermediate.pem \
> cert.pem
cert.pem: OK