After creating a new S/MIME certificate, I have been working on creating a valid PKCS #12 file that most mail clients accept:
$ openssl verify smime.pfx
CN = [email protected], emailAddress = [email protected]
error 20 at 0 depth lookup: unable to get local issuer certificate
error smime.pfx: verification failed
If I specify the intermediate certificate, the chain looks fine:
openssl verify -show_chain -untrusted Certum_SMIME_RSA_CA.pem smime.pfx
smime.pfx: OK
Chain:
depth=0: CN = [email protected], emailAddress = [email protected] (untrusted)
depth=1: C = PL, O = Asseco Data Systems S.A., CN = Certum SMIME RSA CA (untrusted)
depth=2: C = PL, O = Asseco Data Systems S.A., OU = Certum Certification Authority, CN = Certum Trusted Root CA
However, that file was already specified when creating the pfx file:
$ openssl pkcs12 -export -inkey privatekey.key -in smime.pem \
-certfile Certum_SMIME_RSA_CA.pem -out smime.pfx
According to openssl, the intermediate certificate is present:
$ openssl pkcs12 -in smime.pfx -nodes | grep -E "subject|issuer"
subject=CN = [email protected], emailAddress = [email protected]
issuer=C = PL, O = Asseco Data Systems S.A., CN = Certum SMIME RSA CA
subject=C = PL, O = Asseco Data Systems S.A., CN = Certum SMIME RSA CA
issuer=C = PL, O = Asseco Data Systems S.A., OU = Certum Certification Authority, CN = Certum Trusted Root CA
So what exactly am I missing? Why is the intermediate certificate that is part of the pfx file ignored?
From the man page:
Note "one per file". The certificates needed to build a chain for that certificate are looked for in -untrusted and (if specified) -trusted, and in -CAfile/path/store (if specified) or, if the corresponding -no options are not given, in their respective defaults - but not in the input file.
Using a PKCS12-aka-PFX file as input to verify is supported only in 3.0.0 and above (since 2021), but trying the equivalent mistake with a PEM-format "chain" file in verify has been common for a long time; see https://stackoverflow.com/questions/65204616/why-does-openssl-verify-fail-with-a-certificate-chain-file-while-it-succeeds-wit and many more links.
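The behaviour the answer describes can be reproduced end to end with a throwaway PKI. The script below is an added example and is not part of the question or the answer: it builds a root, an intermediate and a leaf with openssl, concatenates leaf and intermediate into a PEM "chain" file (the PEM equivalent of the PFX in the question), and then shows that openssl verify only reads the first certificate of its input file while -untrusted supplies the rest of the chain. The subject names, the file names under mktemp and the serial numbers are constructed for the demo; it assumes openssl 1.1.1 or later is on PATH.

```shell
#!/bin/sh
# Added example (not from the original question or answer).
# Demonstrates that `openssl verify` builds the chain from -CAfile/-untrusted,
# never from extra certificates inside the input file.
set -eu

# issue_cert SUBJECT KEY_OUT CERT_OUT EXTENSIONS SERIAL [ISSUER_CERT ISSUER_KEY]
# Creates a key and CSR, then signs it: self-signed when no issuer is given.
# Extensions come only from the -extfile so the result is the same on every
# openssl version (req -x509 defaults differ between 1.1.1 and 3.x).
issue_cert() {
    subj=$1; key=$2; crt=$3; ext=$4; serial=$5
    csr="${crt%.pem}.csr"; extf="${crt%.pem}.ext"
    printf '%s\n' "$ext" > "$extf"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
        -subj "$subj" >/dev/null 2>&1
    if [ $# -eq 5 ]; then
        openssl x509 -req -in "$csr" -signkey "$key" -days 1 \
            -set_serial "$serial" -extfile "$extf" -out "$crt" >/dev/null 2>&1
    else
        openssl x509 -req -in "$csr" -CA "$6" -CAkey "$7" -days 1 \
            -set_serial "$serial" -extfile "$extf" -out "$crt" >/dev/null 2>&1
    fi
}

# make_pki: build root -> intermediate -> leaf in a scratch directory and
# print that directory. Names below are constructed for the demo.
make_pki() {
    d=$(mktemp -d)
    issue_cert "/CN=Example Root" "$d/root.key" "$d/root.pem" \
        "basicConstraints=critical,CA:TRUE" 1
    issue_cert "/CN=Example Intermediate" "$d/int.key" "$d/int.pem" \
        "basicConstraints=critical,CA:TRUE,pathlen:0" 2 "$d/root.pem" "$d/root.key"
    issue_cert "/CN=user@example.com/emailAddress=user@example.com" \
        "$d/leaf.key" "$d/leaf.pem" "basicConstraints=CA:FALSE" 3 \
        "$d/int.pem" "$d/int.key"
    # Leaf first, then intermediate: the same layout as the PEM dump of the
    # PFX in the question.
    cat "$d/leaf.pem" "$d/int.pem" > "$d/chain.pem"
    printf '%s\n' "$d"
}

# cert_count FILE: how many certificates a PEM file actually contains.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# verify_status VERIFY_ARGS...: print OK or FAIL instead of letting a failed
# verification abort the script under set -e.
verify_status() {
    if openssl verify "$@" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

d=$(make_pki)
echo "certificates inside chain.pem:           $(cert_count "$d/chain.pem")"
# Only the first cert (the leaf) is read from the input file; the
# intermediate sitting right behind it is ignored -> error 20 at depth 0.
echo "verify chain.pem alone:                  $(verify_status -CAfile "$d/root.pem" "$d/chain.pem")"
# The intermediate is found once it is offered through -untrusted.
echo "verify leaf.pem with -untrusted int.pem: $(verify_status -CAfile "$d/root.pem" -untrusted "$d/int.pem" "$d/leaf.pem")"
# Handing the same chain file to -untrusted as well is enough, which is
# exactly what the question's working command does with the PFX.
echo "verify chain.pem with -untrusted itself: $(verify_status -CAfile "$d/root.pem" -untrusted "$d/chain.pem" "$d/chain.pem")"
```

The first verify fails even though chain.pem demonstrably holds two certificates; the last one succeeds because -untrusted is read in full, while the positional argument contributes only the certificate being verified. Swap chain.pem for the PFX and -CAfile for the system trust store and you have the question's two commands.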