大道至简,知易行难
广阔天地,大有作为

CA utility will happily sign a request with any certificate, even if it is not a CA certificate

As stated before, the CA utility will happily sign a request with any certificate, even if it is not a CA certificate.

以如下的证书链为例:

示例SSL证书链

示例SSL证书链

RootCA:

根证书

根证书

IntermediateCA:

中间证书

中间证书

SSL证书:

SSL证书

SSL证书

可见,SSL证书是:

即使其可以签出证书,得到的证书也是有问题的,无法通过证书链验证:

所签出的证书无法通过verify

所签出的证书无法通过verify

查看PEM格式,发现签出的证书实际上包含了签发所用的SSL证书。但即使加上完整的证书链,在Windows中打开后也是诡异的:

Windows认为证书无效

Windows认为证书无效

其显示“无法找到该证书的颁发者”。

参考资料:
1、https://superuser.com/questions/462295/openssl-ca-and-non-ca-certificate
2、http://techxperiment.blogspot.com/2016/10/create-version-3-x509-certificate.html
3、https://stackoverflow.com/questions/7230330/sign-csr-using-bouncy-castle/17281551
4、https://stackoverflow.com/questions/23736305/certificate-generated-through-csr-signing-with-bouncycastle-considered-untrusted

转载时请保留出处,违法转载追究到底:进城务工人员小梅 » CA utility will happily sign a request with any certificate, even if it is not a CA certificate

分享到:更多 ()

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址