AskOverflow.Dev

AskOverflow.Dev Logo AskOverflow.Dev Logo

AskOverflow.Dev Navigation

  • 主页
  • 系统&网络
  • Ubuntu
  • Unix
  • DBA
  • Computer
  • Coding
  • LangChain

Mobile menu

Close
  • 主页
  • 系统&网络
    • 最新
    • 热门
    • 标签
  • Ubuntu
    • 最新
    • 热门
    • 标签
  • Unix
    • 最新
    • 标签
  • DBA
    • 最新
    • 标签
  • Computer
    • 最新
    • 标签
  • Coding
    • 最新
    • 标签
主页 / computer / 问题 / 1433838
Accepted
mamadou
mamadou
Asked: 2019-05-07 05:26:26 +0800 CST2019-05-07 05:26:26 +0800 CST 2019-05-07 05:26:26 +0800 CST

唯一标识一个SSL证书

  • 772

我想知道如何确定给定文件是 SSL 证书。文件扩展名是否足以确定文件是否为证书?

tls certificate
  • 1 1 个回答
  • 461 Views

1 个回答

  • Voted
  1. Best Answer
    Maarten Bodewes
    2019-05-07T07:23:40+08:002019-05-07T07:23:40+08:00

    SSL 证书只不过是X.509 版本 3 证书,带有一些针对常见用途的附加限制。

    主要限制当然是 X500 Common Name (CN),它需要设置为服务器的名称。顺便说一下,Subject Alternative Name 字段可能包含更多名称。

    此外,对于大多数证书,Extended Key Usage 需要设置为 Server Authentication(对应于 OID:1.3.6.1.5.5.7.3.1)。服务器还可以设置客户端身份验证(OID:1.3.6.1.5.5.7.3.2)。

    请注意,至少对于 TLS 1.2,这些限制并未在规范中明确提及(呃),但您最好确保它们存在,除非您的浏览器/客户端开始尖叫谋杀。


    要验证文件是否为 (TLS) 证书,最简单的方法可能是使用 Windows 打开它并检查一些额外的限制。但是我个人更喜欢使用例如 OpenSSL 命令行,这样您就可以简单地输出到文本:

    openssl x509 -text -noout -in stackexchangecom.pem
    

    例如会输出以下内容:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                07:65:c6:4e:74:e5:91:d6:80:39:ca:2a:84:75:63:f0
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA
            Validity
                Not Before: Oct  5 00:00:00 2018 GMT
                Not After : Aug 14 12:00:00 2019 GMT
            Subject: C=US, ST=NY, L=New York, O=Stack Exchange, Inc., CN=*.stackexchange.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:f4:a9:3a:35:75:0f:d6:87:17:b7:cf:66:4f:57:
                        08:c5:a7:41:87:30:8b:d1:84:ea:3f:4d:7f:0d:2a:
                        2d:50:74:73:57:bd:2a:38:24:fb:01:d3:13:d0:ad:
                        49:8b:aa:c5:c9:aa:73:46:2a:94:22:10:24:84:4b:
                        1e:5d:1a:74:30:da:f6:d5:f4:94:c3:85:68:09:bf:
                        88:98:ee:a0:9c:89:73:a2:59:21:ae:92:ba:23:2d:
                        f8:2b:25:37:cf:2b:7c:5d:80:fe:99:8d:e2:f0:68:
                        cf:64:ec:ac:44:93:4b:cb:7a:2e:40:19:b3:b8:e9:
                        94:ff:61:68:9a:79:a2:10:61:74:da:65:60:6f:77:
                        af:f0:fa:dc:9e:de:dd:0a:21:7b:96:20:48:b1:dd:
                        f3:90:f7:97:bd:35:58:71:57:1b:fc:c0:6b:14:4c:
                        dc:e0:5b:88:ba:98:53:88:96:e8:37:3f:30:1e:ff:
                        7e:3d:70:17:51:41:fc:4c:44:ab:51:f1:4f:08:a2:
                        47:c1:df:44:02:83:57:f2:33:d4:d5:32:31:88:2a:
                        1e:e9:73:79:13:59:8f:c8:68:32:bc:49:da:70:7f:
                        c7:7a:b2:bf:78:b7:38:e8:be:d8:59:51:91:ca:31:
                        d6:69:a4:ca:d2:b2:61:2a:09:21:e7:da:ac:58:17:
                        67:e7
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Authority Key Identifier:
                    keyid:51:68:FF:90:AF:02:07:75:3C:CC:D9:65:64:62:A2:12:B8:59:72:3B
    
                X509v3 Subject Key Identifier:
                    9A:8A:C1:6E:C1:F2:4D:FA:D9:7B:02:D4:8F:B3:03:AC:6A:3D:C6:58
                X509v3 Subject Alternative Name:
                    DNS:*.stackexchange.com, DNS:stackexchange.com, DNS:stackoverflow.com, DNS:*.stackoverflow.com, DNS:stackauth.com, DNS:sstatic.net, DNS:*.sstatic.net, DNS:serverfault.com, DNS:*.serverfault.com, DNS:superuser.com, DNS:*.superuser.com, DNS:stackapps.com, DNS:openid.stackauth.com, DNS:*.meta.stackexchange.com, DNS:meta.stackexchange.com, DNS:mathoverflow.net, DNS:*.mathoverflow.net, DNS:askubuntu.com, DNS:*.askubuntu.com, DNS:stacksnippets.net, DNS:*.blogoverflow.com, DNS:blogoverflow.com, DNS:*.meta.stackoverflow.com, DNS:*.stackoverflow.email, DNS:stackoverflow.email, DNS:stackoverflow.blog
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 CRL Distribution Points:
    
                    Full Name:
                      URI:http://crl3.digicert.com/sha2-ha-server-g6.crl
    
                    Full Name:
                      URI:http://crl4.digicert.com/sha2-ha-server-g6.crl
    
                X509v3 Certificate Policies:
                    Policy: 2.16.840.1.114412.1.1
                      CPS: https://www.digicert.com/CPS
                    Policy: 2.23.140.1.2.2
    
                Authority Information Access:
                    OCSP - URI:http://ocsp.digicert.com
                    CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
    
                X509v3 Basic Constraints: critical
                    CA:FALSE
                CT Precertificate SCTs:
                    Signed Certificate Timestamp:
                        Version   : v1(0)
                        Log ID    : A4:B9:09:90:B4:18:58:14:87:BB:13:A2:CC:67:70:0A:
                                    3C:35:98:04:F9:1B:DF:B8:E3:77:CD:0E:C8:0D:DC:10
                        Timestamp : Oct  5 02:24:01.827 2018 GMT
                        Extensions: none
                        Signature : ecdsa-with-SHA256
                                    30:46:02:21:00:F0:9A:77:1B:F8:ED:C0:78:40:E3:AF:
                                    37:DB:3F:47:6D:C4:7A:91:1B:48:8E:3F:32:E0:1D:7F:
                                    9B:CA:79:4E:FD:02:21:00:DA:06:77:3B:C9:F3:B9:45:
                                    5A:9D:15:BD:7E:0E:A6:81:FB:0B:D3:C3:67:FD:91:A6:
                                    EF:73:BF:17:72:06:5F:65
                    Signed Certificate Timestamp:
                        Version   : v1(0)
                        Log ID    : 87:75:BF:E7:59:7C:F8:8C:43:99:5F:BD:F3:6E:FF:56:
                                    8D:47:56:36:FF:4A:B5:60:C1:B4:EA:FF:5E:A0:83:0F
                        Timestamp : Oct  5 02:24:02.054 2018 GMT
                        Extensions: none
                        Signature : ecdsa-with-SHA256
                                    30:46:02:21:00:D0:8D:F9:95:06:AF:BF:CB:68:01:2B:
                                    F7:84:F7:1E:A3:CF:D8:53:67:9B:48:7E:19:12:B5:2F:
                                    39:7C:C0:31:7A:02:21:00:C0:2E:36:4C:AE:3B:8B:74:
                                    E8:48:84:80:C5:A2:6A:52:59:B8:09:E4:43:0D:BD:19:
                                    C7:88:04:6F:2B:D4:0A:77
        Signature Algorithm: sha256WithRSAEncryption
             00:93:ce:f7:ff:ed:90:b3:02:9f:25:24:27:fa:26:5e:65:cf:
             2e:88:68:3d:f6:99:9d:d3:4f:04:d9:c9:86:12:ba:8d:cc:f7:
             25:2b:d2:0d:6c:f8:f0:c6:5f:73:22:04:dc:5e:91:7f:52:d0:
             55:55:2d:59:ed:7a:3c:de:a7:ec:18:c3:dd:33:36:2d:dc:5f:
             a1:42:94:18:2e:19:46:17:ee:49:7f:6c:7a:65:bd:73:8d:3f:
             da:33:71:8c:74:68:be:e8:e3:d5:f9:81:e5:ff:08:14:7b:8e:
             4d:ea:44:6e:0d:99:d5:2f:5e:bb:f9:6d:e5:da:70:fe:99:28:
             4e:ff:bc:6a:c0:78:99:bb:3d:06:1f:20:47:46:9e:62:e3:76:
             e5:1f:4b:e0:eb:bb:09:f2:0b:8d:f3:5a:5a:a6:ea:58:da:fe:
             fc:15:cb:d1:f2:3d:04:2d:f8:32:7a:1b:56:a6:31:77:bf:32:
             92:ab:fa:d8:da:c3:17:4d:8c:d2:3e:a3:1e:92:cb:1e:1c:d8:
             52:31:85:3a:5b:0f:61:f6:9c:8c:69:59:f0:f6:f6:a1:a9:fe:
             e7:28:71:dc:0b:65:51:4d:48:24:41:f9:fd:c8:39:a6:04:ea:
             34:9d:0f:17:81:fa:5d:eb:9f:cf:6b:15:5f:06:7b:8a:7c:49:
             17:05:fa:4c
    

    这是假设一个 PEM 格式的证书,对于二进制格式,您可以添加-inform DER,检查使用哪个可以使用file命令执行,通常存在于 Linux 和 Cygwin(如果安装正确)。

    我个人不一定信任文件扩展名。文件扩展名错误太容易了,文件扩展名是一种非常宽松的打字系统。


    好的,现在您已经验证该文件是关于结构的 X.509 证书。但是,您可能还想验证证书链直至可信证书。您可能还想执行其他验证,例如检查证书在正确的日期是否仍然有效。这是有关如何执行此操作的指南。

    为了完全完整,您可能还想检查 OCSP 状态,看看证书颁发机构 (CA) 是否吊销了证书。

    如果证书可以由对手生成,或者因为它是由公司中的一位开发人员生成的(自签名)测试证书,那么您肯定需要这个。

    • 1

相关问题

  • 让我们加密更新失败

  • 如何将自签名 SSL 证书添加到 Linux (Ubuntu/Alpine) 信任库?

  • 无法根据自签名 openssl 证书验证 openssl 证书?

  • 如何使 minikube 服务器 tls 可卷曲?

  • 如何设置 DNS、AWS S3、AWS Cloudfront 和 AWS Certificate Manager 以保护多个站点

Sidebar

Stats

  • 问题 205573
  • 回答 270741
  • 最佳答案 135370
  • 用户 68524
  • 热门
  • 回答
  • Marko Smith

    Windows 照片查看器因为内存不足而无法运行?

    • 5 个回答
  • Marko Smith

    支持结束后如何激活 WindowsXP?

    • 6 个回答
  • Marko Smith

    远程桌面间歇性冻结

    • 7 个回答
  • Marko Smith

    Windows 10 服务称为 AarSvc_70f961。它是什么,我该如何禁用它?

    • 2 个回答
  • Marko Smith

    子网掩码 /32 是什么意思?

    • 6 个回答
  • Marko Smith

    鼠标指针在 Windows 中按下的箭头键上移动?

    • 1 个回答
  • Marko Smith

    VirtualBox 无法以 VERR_NEM_VM_CREATE_FAILED 启动

    • 8 个回答
  • Marko Smith

    应用程序不会出现在 MacBook 的摄像头和麦克风隐私设置中

    • 5 个回答
  • Marko Smith

    ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] 证书验证失败:无法获取本地颁发者证书 (_ssl.c:1056)

    • 4 个回答
  • Marko Smith

    我如何知道 Windows 安装在哪个驱动器上?

    • 6 个回答
  • Martin Hope
    Albin 支持结束后如何激活 WindowsXP? 2019-11-18 03:50:17 +0800 CST
  • Martin Hope
    fixer1234 “HTTPS Everywhere”仍然相关吗? 2019-10-27 18:06:25 +0800 CST
  • Martin Hope
    Kagaratsch Windows 10 删除大量小文件的速度非常慢。有什么办法可以加快速度吗? 2019-09-23 06:05:43 +0800 CST
  • Martin Hope
    andre_ss6 远程桌面间歇性冻结 2019-09-11 12:56:40 +0800 CST
  • Martin Hope
    Riley Carney 为什么在 URL 后面加一个点会删除登录信息? 2019-08-06 10:59:24 +0800 CST
  • Martin Hope
    zdimension 鼠标指针在 Windows 中按下的箭头键上移动? 2019-08-04 06:39:57 +0800 CST
  • Martin Hope
    Inter Sys Ctrl+C 和 Ctrl+V 是如何工作的? 2019-05-15 02:51:21 +0800 CST
  • Martin Hope
    jonsca 我所有的 Firefox 附加组件突然被禁用了,我该如何重新启用它们? 2019-05-04 17:58:52 +0800 CST
  • Martin Hope
    MCK 是否可以使用文本创建二维码? 2019-04-02 06:32:14 +0800 CST
  • Martin Hope
    SoniEx2 更改 git init 默认分支名称 2019-04-01 06:16:56 +0800 CST

热门标签

windows-10 linux windows microsoft-excel networking ubuntu worksheet-function bash command-line hard-drive

Explore

  • 主页
  • 问题
    • 最新
    • 热门
  • 标签
  • 帮助

Footer

AskOverflow.Dev

关于我们

  • 关于我们
  • 联系我们

Legal Stuff

  • Privacy Policy

Language

  • Pt
  • Server
  • Unix

© 2023 AskOverflow.DEV All Rights Reserve