Find out whether a certificate is self-signed or CA-signed
I have a web app, which allows users to upload PKCS#12 files. I store the PKCS#12 as binary in the database. Is there any way for me to know if the certificate in the PKCS#12 is self-signed or CA-signed?
I am running a Java web app on Tomcat and have openssl at my disposal.
Accepted answer
There are two better answers on this question today:
- https://stackoverflow.com/a/57927684/377270
- https://stackoverflow.com/a/14515875/377270
However, I think there's something more important to address -- why would one want to know about self-signed certificates? What's the goal? What problem is being solved? Probably trying to split certificates into two piles, self-signed and not-self-signed, is the wrong approach for most situations. The better approach is almost certainly going to be verifying that any given certificate has a valid signature chain from a trusted certificate authority, and that any connections associated with a given certificate match the certificate.
Here's the rest of my original answer. It's probably not what you want.
It's a bit hacky, but the openssl x509 command can report both the issuer and the subject. If the subject and issuer are the same, it is self-signed; if they are different, then it was signed by a CA. (Strictly speaking, a great many self-signed certificates are also signed by a CA -- themselves.)
While testing this theory, I ran a handful of tests; it runs something like:
cd /etc/ssl/certs
# *.0 are the hash-named links to the system CA certificates; -noout suppresses the PEM body so only the requested field is printed
for f in *.0 ; do openssl x509 -in "$f" -noout -issuer > "/tmp/$f.issuer" ; openssl x509 -in "$f" -noout -subject > "/tmp/$f.subject" ; done
cd /tmp
# strip the "issuer=" / "subject=" prefixes so the two files can be compared directly
sed -i -e 's/^issuer=//' *.issuer
sed -i -e 's/^subject=//' *.subject
cd /etc/ssl/certs/
# no diff output means issuer == subject, i.e. the certificate is self-signed
for f in *.0 ; do diff -u "/tmp/$f.issuer" "/tmp/$f.subject" ; done
Hope this helps.
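Since the asker's application is a Java web app that already holds the uploaded PKCS#12 blob, the same two checks the answer describes (the name comparison, and the stronger chain validation it recommends instead) can be done in-process with the JDK's own KeyStore and PKIX classes. The following is an added example written for this page, not code from the original post or from any project; the class name, the PKCS12_PATH/PKCS12_PASSWORD arguments and the use of the JVM's default trust store (cacerts) are assumptions, and revocation checking is disabled here on the assumption that the server has no OCSP/CRL network access.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class Pkcs12CertCheck {

    public enum Kind { SELF_SIGNED, ISSUED_BY_OTHER }

    // The answer's subject==issuer test, made stricter: a certificate only counts as
    // self-signed if its own public key also verifies its signature. A certificate that
    // merely claims to be its own issuer fails the second step.
    public static Kind classify(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return Kind.ISSUED_BY_OTHER;
        }
        try {
            cert.verify(cert.getPublicKey());
            return Kind.SELF_SIGNED;
        } catch (Exception e) {
            // Same name in both fields but signature does not verify with its own key.
            return Kind.ISSUED_BY_OTHER;
        }
    }

    // Load every X.509 certificate entry from an uploaded PKCS#12 blob.
    public static List<X509Certificate> certsFromPkcs12(InputStream in, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(in, password);
        List<X509Certificate> certs = new ArrayList<>();
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            java.security.cert.Certificate c = ks.getCertificate(aliases.nextElement());
            if (c instanceof X509Certificate) {
                certs.add((X509Certificate) c);
            }
        }
        return certs;
    }

    // The check the answer recommends instead of sorting certificates into two piles:
    // does the certificate chain, through the supplied intermediates, to a CA the JVM trusts?
    public static boolean chainsToTrustedCa(X509Certificate leaf, List<X509Certificate> intermediates) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the JVM's default trust store (assumption: cacerts is what you trust)
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    anchors.add(new TrustAnchor(ca, null));
                }
            }
        }
        // PKIX paths are ordered leaf first and must not contain the trust anchor itself,
        // so self-signed roots bundled in the PKCS#12 are left out of the path.
        List<X509Certificate> path = new ArrayList<>();
        path.add(leaf);
        for (X509Certificate c : intermediates) {
            if (classify(c) != Kind.SELF_SIGNED) {
                path.add(c);
            }
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // assumption: no OCSP/CRL access from this server; enable where possible
        try {
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return true;
        } catch (CertPathValidatorException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Usage: java Pkcs12CertCheck PKCS12_PATH PKCS12_PASSWORD (both are placeholders for your own upload)
        try (InputStream in = new FileInputStream(args[0])) {
            List<X509Certificate> certs = certsFromPkcs12(in, args[1].toCharArray());
            for (X509Certificate cert : certs) {
                List<X509Certificate> others = new ArrayList<>(certs);
                others.remove(cert);
                System.out.println(cert.getSubjectX500Principal() + ": " + classify(cert)
                        + ", chains to trusted CA: " + chainsToTrustedCa(cert, others));
            }
        }
    }
}
```

The name comparison alone is the weaker test, exactly as the answer notes; `classify` therefore also requires the certificate's signature to verify with its own key, and `chainsToTrustedCa` is the check to rely on when the real question is "should this server accept the uploaded certificate". Keep in mind that a PKCS#12 file can carry several certificates (the key's own certificate plus its chain), so the code inspects every entry rather than assuming there is exactly one.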