Unable to verify CRL with OpenSSL

Question (Votes: 0, Answers: 1)

I have created HTTPS CRLs in both DER and PEM format, but it looks like openssl is not even trying to contact my distribution point to get the CRL. Both the int and root CA issuers are trusted on my server. I can curl the CRL and verify it with OpenSSL using the following commands (depending on whether it is in DER or PEM format):

openssl crl -in crlfile.pem -text -noout

OR

openssl crl -in crlfile.der -inform DER -out crlfile.pem -outform PEM
openssl crl -inform PEM -in crlfile.pem -text -noout

Running on RHEL8:

cat /etc/redhat-release; uname -r
Red Hat Enterprise Linux release 8.8 (Ootpa)
4.18.0-477.36.1.el8_8.x86_64

OpenSSL version:

OpenSSL 1.1.1k  FIPS 25 Mar 2021

Error:

openssl verify -crl_check leaf.pem
C = US, L = XX, O = XXXX, CN = server.example.net
error 3 at 0 depth lookup: unable to get certificate CRL
error leaf.pem: verification failed

Leaf certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:c3:37:1a:cb:e9:1c:8f:41:0b:b6:5d:e7:da:37:9a:56:b7:c7:c3
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C = US, L = XX, O = XXXX, CN = XXXX-Int-XX-GP
        Validity
            Not Before: May  1 10:02:09 2024 GMT
            Not After : Jul 30 10:12:09 2024 GMT
        Subject: C = US, L = XX, O = EXAMPLE, CN = server.example.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    XXXXXX
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Key Identifier:
                52:1E:5A:F0:27:EC:2B:59:C2:49:BB:44:79:55:20:2B:71:4E:E0:DE
            X509v3 Authority Key Identifier:
                keyid:F9:F6:A4:D5:39:31:BB:4A:FC:69:4E:C1:FD:E9:22:52:DE:AF:BB:87

            X509v3 Subject Alternative Name:
                DNS:server.example.net
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:https://ca.xx.example.net/v1/pki/crl

    Signature Algorithm: sha384WithRSAEncryption
         75:8d:b3:4e:f9:88:90:4d:5c:77:99:b2:67:27:c9:e3:f8:b4:
         3f:f8:d9:2f:3c:14:3f:0a:e6:cd:1e:84:f3:7b:e7:72:6d:01:
         99:e3:15:f3:14:d7:3f:03:cd:9d:c4:92:e9:6c:1a:e2:db:44:
         36:af:9b:12:21:fe:61:0d:6d:14:4d:88:d5:78:37:c2:74:f5:
         ae:50:28:df:31:48:4f:db:51:db:55:1b:97:03:28:65:70:3c:
         ce:99:ba:f4:24:de:72:7f:bf:72:c8:8f:64:7e:71:6d:5f:85:
         e4:e3:b0:0f:a3:76:61:f9:b0:0c:36:7f:a5:80:6d:a0:4f:0b:
         31:cc:0a:8c:9e:83:51:15:c6:50:ca:7c:f9:06:a2:d9:aa:a9:
         63:8d:be:9f:cf:ce:d3:db:d4:61:b6:3a:fa:95:a4:2b:ba:86:
         f0:01:b1:5f:c1:15:ef:dc:f0:8e:e9:65:a8:04:0d:ef:af:3e:
         b3:6c:77:b7:6d:2c:c4:1f:11:73:47:69:15:a6:7b:ea:90:71:
         ac:ca:a6:d4:c5:7f:dc:ac:e6:16:ca:33:cd:f8:c9:51:95:a3:
         ac:9b:c6:03:d9:53:6f:83:2d:51:61:a9:f7:31:f1:66:80:ba:
         96:2b:3d:a2:57:eb:1d:9f:36:6c:d7:fb:32:c7:2e:ba:90:e3:
         20:3c:39:9e:cd:61:be:18:25:09:0d:af:bb:28:a2:3d:bb:70:
         51:d5:a0:95:bd:4a:51:de:17:3b:ad:91:8f:2a:9b:ce:a3:43:
         d7:0d:fa:66:29:92:54:1f:a5:ba:45:d0:7f:74:6d:3c:6f:fe:
         6c:88:07:0e:fa:fe:23:1c:54:f3:ae:45:6e:a0:53:35:70:58:
         da:fa:c9:34:5d:8d:6f:d9:8c:37:76:0e:29:dc:ac:14:0c:72:
         01:20:4b:f1:78:3b:0f:7f:d8:95:2c:73:b4:70:a9:1f:2d:cc:
         3f:78:4c:3c:b5:69:f9:c9:4c:1f:56:b6:24:12:6b:ba:a3:2c:
         94:78:17:a9:b0:42:85:05:17:a0:08:36:ca:51:99:13:3d:7c:
         21:41:8a:d8:bd:3f:da:b8:1b:3c:75:f3:17:71:38:77:4c:32:
         53:0e:d2:bf:17:18:a2:83:8e:25:bc:59:31:9e:49:c9:aa:9a:
         74:67:0d:c3:d4:18:b1:0a:31:ac:28:6b:15:d1:f3:45:88:5b:
         64:7d:85:09:81:2c:94:bf:92:c7:f9:cb:cd:3a:ff:78:c3:9f:
         a4:e6:47:33:3b:f7:93:ba:2b:7b:7c:0b:16:e2:b3:5d:11:6e:
         e2:9b:0f:3b:31:4d:95:10:1f:82:22:73:58:3b:80:bc:d1:10:
         bd:09:6f:b0:05:2b:59:8b

Intermediate issuer (trusted):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:9a:17:70:e8:d2:c5:a1:02:21:70:3b:61:3f:2f:2f:e1:12:08:12
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, L=XX, O=XXXX, CN=XXXX CA XX GP
        Validity
            Not Before: May  1 08:03:21 2024 GMT
            Not After : Apr 30 08:03:51 2029 GMT
        Subject: C=US, L=XX, O=XXXX, CN=XXXX-Int-XX-GP
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    XXXXX
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                F9:F6:A4:D5:39:31:BB:4A:FC:69:4E:C1:FD:E9:22:52:DE:AF:BB:87
            X509v3 Authority Key Identifier: 
                keyid:9D:F5:D6:A3:1E:EB:D8:2D:E0:64:C3:59:94:AD:A1:C4:DA:73:91:A9

            X509v3 Subject Alternative Name: 
                DNS:server.xx.example.net
    Signature Algorithm: sha256WithRSAEncryption
         17:dc:6f:5e:9c:1c:2b:51:ed:a3:9f:73:a7:cb:45:9c:c4:68:
         e2:88:d4:eb:1c:a0:a3:cc:5a:bb:7b:4e:7b:b8:c5:26:08:35:
         54:57:d7:86:94:8d:71:a7:fd:b9:76:04:31:ac:75:e0:c8:11:
         23:fc:09:85:06:08:9e:a7:fd:da:a7:68:18:87:30:a9:96:a3:
         cf:ec:b2:a3:75:77:a9:77:0c:af:1b:df:34:98:9c:47:a4:96:
         87:c4:24:38:b0:09:4d:f8:85:d5:6c:b8:f7:33:26:45:af:bb:
         b1:12:cc:7b:a4:7a:bf:b7:a4:bd:2e:81:6d:bc:38:d6:f0:86:
         4e:09:f1:69:d3:14:4e:c0:c6:bc:14:a5:31:69:0a:59:dd:46:
         2a:73:eb:b7:23:c4:b2:92:97:96:9e:f1:60:4b:bc:34:07:17:
         ef:0d:dc:53:24:39:e4:95:75:00:7f:0f:d2:16:d0:ff:54:81:
         4b:17:30:1a:a8:9f:70:ca:70:ed:9f:ba:f6:27:f3:d8:81:08:
         ac:b4:40:c5:cd:1f:39:64:65:4f:c9:30:df:59:af:b3:36:c0:
         0c:0f:85:48:de:98:62:17:94:8b:ff:f4:b4:f4:84:78:bf:b3:
         4d:6d:48:57:30:0e:23:c9:48:eb:1b:27:f0:c5:a7:a1:84:1a:
         95:89:43:e3:d5:af:03:63:bc:68:c6:fa:2c:fd:ec:57:12:9a:
         5b:cf:27:dd:e4:07:94:11:29:ff:30:ce:e3:47:65:6c:e3:7f:
         d9:76:d0:2c:57:d2:d0:13:3f:08:e7:f5:40:4e:7c:8b:ab:cc:
         a1:05:ae:b1:3d:6c:81:27:0e:1b:3f:8f:38:3f:22:51:1e:8e:
         f5:c4:f9:aa:b7:47:5f:49:d2:27:91:3f:44:6f:a3:25:96:80:
         13:db:ea:f1:cf:d3:c8:3e:6e:b9:db:54:93:51:aa:23:b7:9c:
         5d:f5:54:ab:2e:b6:b0:0a:fa:7c:75:d1:ca:01:7b:0f:a5:2b:
         07:3e:46:b4:f6:e9:fe:7d:f6:7a:58:e5:33:79:4b:88:a3:30:
         38:98:1f:ca:2e:f1:9b:96:9c:23:9a:36:87:eb:bf:7a:37:c0:
         64:27:cc:2e:69:b0:91:f4:ca:a8:9d:75:2a:60:3a:d5:78:d8:
         da:fa:20:d6:e7:8e:64:1c:f9:5c:ab:5e:87:f7:52:0b:e8:db:
         20:f1:73:9c:99:68:cd:7e:50:75:4c:3f:d9:0a:aa:2a:51:c9:
         d0:9e:b4:e7:30:2f:a5:f4:9d:54:d6:59:43:78:b9:8b:a2:f9:
         15:2e:74:19:ef:ec:1d:72:f3:35:2a:ae:71:f7:fd:13:23:08:
         e0:b6:02:da:25:31:67:22

Root issuer (trusted):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            08:6d:c8:33:27:20:14:a9:02:c9:87:ed:8a:43:e9:61:f3:99:64:69
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, L=XX, O=XXXX, CN=XXXX CA XX GP
        Validity
            Not Before: Mar  7 15:47:06 2024 GMT
            Not After : Mar  5 15:47:35 2034 GMT
        Subject: C=US, L=XX, O=XXXX, CN=XXXX CA XX GP
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    XXXX
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                9D:F5:D6:A3:1E:EB:D8:2D:E0:64:C3:59:94:AD:A1:C4:DA:73:91:A9
            X509v3 Authority Key Identifier: 
                keyid:9D:F5:D6:A3:1E:EB:D8:2D:E0:64:C3:59:94:AD:A1:C4:DA:73:91:A9

    Signature Algorithm: sha256WithRSAEncryption
         8e:53:15:3b:3e:f2:63:b9:77:c9:c7:2c:b7:4b:e9:5c:6a:07:
         34:e9:53:d8:b6:94:e0:da:0e:bf:80:82:31:b4:0a:5b:67:e6:
         3d:eb:7f:d6:d9:8d:af:1f:1d:81:fe:3f:6f:20:cf:67:ba:33:
         5e:35:b0:cd:d1:1f:5c:28:40:5c:a1:e4:2c:e8:4f:93:e1:5d:
         59:4b:c1:00:d9:19:c5:32:ee:67:46:95:04:7e:ba:15:ee:8a:
         39:b6:0a:89:64:53:b9:f0:7b:13:94:31:99:1a:d4:40:55:ca:
         c6:f4:c2:65:85:42:4b:0a:76:7d:98:8c:c3:68:15:ec:d4:28:
         15:24:b9:bc:ed:04:b7:ba:f7:86:6a:1d:62:c9:75:ab:15:d8:
         7d:96:80:df:2c:09:43:3b:be:b1:80:dd:aa:73:32:f9:27:c1:
         a1:44:fa:81:bc:06:29:bd:f9:35:94:16:5a:02:17:71:ae:17:
         60:d6:ce:7a:a6:1d:8f:89:52:19:95:64:6d:52:98:52:98:99:
         cf:cb:a9:bd:70:5f:16:8a:71:4f:3e:65:d0:7b:91:fe:d0:73:
         48:53:36:c8:66:43:49:e3:a1:6a:38:2c:af:9e:dd:32:94:a5:
         df:d9:8c:a8:a9:8c:85:78:d6:a3:db:2d:58:eb:99:d4:6b:e6:
         63:a5:c1:fa:45:85:64:ec:91:b3:9c:05:e1:a2:df:68:10:32:
         57:d3:7e:f1:f5:d7:c4:6d:72:85:e7:93:2e:a2:77:81:35:2c:
         1c:02:3c:50:01:d3:05:98:76:9a:92:e1:7e:06:86:7d:22:e4:
         5e:03:37:c6:72:d7:1a:f3:5b:60:59:76:b2:e4:44:46:c0:92:
         9c:96:22:fb:60:5d:9f:ce:91:66:5e:17:d0:c7:8f:7f:1b:79:
         6b:9a:7d:50:fa:0a:a8:98:d5:ad:ab:a0:03:57:ca:c3:80:2e:
         71:3e:41:86:3d:94:4d:c3:20:0e:9c:52:e1:11:9e:86:a5:d5:
         25:0d:19:9c:ad:a3:8f:41:0c:e0:66:44:51:4a:8b:09:22:37:
         ef:72:b6:e2:f6:0a:b5:0b:88:0b:74:77:98:2b:cd:ac:e5:4a:
         e5:e7:a9:73:6c:21:fd:b0:2c:f2:92:a4:5d:1f:7b:24:e2:84:
         54:12:39:6a:df:cc:3c:55:45:81:53:46:7c:47:1d:1a:70:57:
         54:13:e9:81:bd:7a:83:eb:82:8c:01:68:f7:bd:0a:ff:14:17:
         03:42:51:7c:2f:53:48:66:27:9b:a2:b8:6e:81:27:2d:87:64:
         e4:83:d3:24:2e:17:47:6b:fa:53:be:60:63:8b:91:83:fe:48:
         4e:7d:98:f4:c5:48:a9:98

My CRL:

Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, L = XX, O = XXXX, CN = XXXX-Int-XX-GP
        Last Update: May  1 08:03:51 2024 GMT
        Next Update: May  8 08:03:51 2024 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:F9:F6:A4:D5:39:31:BB:4A:FC:69:4E:C1:FD:E9:22:52:DE:AF:BB:87

            X509v3 CRL Number:
                1
No Revoked Certificates.
    Signature Algorithm: sha256WithRSAEncryption
         51:ca:55:9e:25:2c:fa:3b:6f:72:6b:23:c7:28:89:c4:de:8e:
         9a:f6:d3:90:0f:07:fb:a5:ca:55:c0:2a:f9:52:b8:a5:cf:4d:
         db:a8:f4:62:c9:f2:f5:0b:a2:79:0b:f8:d7:cf:ca:98:2e:bd:
         48:e4:41:1f:6b:74:5a:80:11:05:cb:5c:0e:18:1f:03:cc:b7:
         95:60:03:a8:fa:c2:a2:93:73:60:9d:1b:5f:43:c6:a4:05:00:
         da:a4:63:87:dd:ea:00:c8:4f:f3:0a:b6:2a:6d:28:c2:e9:7d:
         b4:3c:12:d8:2b:a5:ec:57:23:bb:2a:de:6a:03:01:a5:63:e0:
         98:73:27:11:e1:4d:aa:23:45:6b:9d:25:76:6e:ed:76:de:63:
         4a:3c:c0:44:88:72:ef:04:b6:5d:5a:21:13:a4:d4:05:92:30:
         e6:77:7d:47:7f:f4:ad:f6:63:60:a1:d0:21:5c:78:13:90:6b:
         46:a0:99:50:d0:52:eb:c8:8d:8a:40:e8:3f:63:7f:b3:00:7e:
         ef:92:b1:57:92:51:9a:c3:c6:18:0f:50:e7:73:7e:f9:1c:db:
         6b:cc:3c:56:86:55:10:39:8d:e4:50:79:d1:19:2d:a9:38:70:
         26:ab:79:5a:99:15:b2:f7:d5:49:f7:13:93:30:2e:59:65:4d:
         00:45:ef:e3:2d:ce:b7:30:62:c8:80:4b:d7:23:b1:af:72:99:
         25:f7:74:60:db:f3:55:36:75:be:02:f7:44:28:3d:a9:91:dd:
         fb:84:fd:30:c0:5d:f8:5f:bc:88:c2:b9:c8:86:1c:a0:91:44:
         df:79:72:aa:0b:04:80:44:8e:4b:97:53:98:a8:f8:51:38:28:
         df:c6:f2:5f:09:de:f8:23:fe:6b:fa:a1:e8:78:25:26:21:bb:
         63:29:c2:38:c4:b4:25:81:05:85:9d:3f:4b:ab:24:23:9a:3d:
         38:aa:41:78:2d:93:31:63:0c:8c:3d:10:cd:a7:1a:56:16:04:
         85:db:cb:16:08:e5:0d:60:b0:4d:8c:4d:ad:19:62:ea:5f:5f:
         f6:7a:d6:e5:7f:03:6b:cc:e0:a8:d3:37:6d:3f:58:bc:75:7f:
         47:ce:6f:d1:52:81:c0:21:86:3c:f0:2b:e0:39:c6:c6:dc:60:
         27:db:91:37:db:3b:92:72:b4:71:23:16:91:a6:57:0a:78:1b:
         1e:c6:62:72:47:aa:2a:3e:d6:ef:41:18:33:68:be:2e:0e:68:
         5a:a6:81:11:00:0f:8b:9d:6b:7e:2f:f8:74:8c:db:07:48:4a:
         3b:cb:e5:8c:00:c5:d7:35:6a:cb:75:30:20:fe:b8:83:15:b2:
         7f:53:84:17:64:2e:82:e8

strace:

read(3, "-----BEGIN CERTIFICATE-----\nMIIE"..., 4096) = 1781
close(3)                                = 0
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=3561, ...}) = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=3561, ...}) = 0
read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\6\0\0\0\0"..., 4096) = 3561
lseek(3, -2269, SEEK_CUR)               = 1292
read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\6\0\0\0\0"..., 4096) = 2269
close(3)                                = 0
stat("/etc/pki/tls/certs/fcf31071.r0", 0x7fff7a6bf0c0) = -1 ENOENT (No such file or directory)
write(2, "error 3 at 0 depth lookup: unabl"..., 57error 3 at 0 depth lookup: unable to get certificate CRL
) = 57
Tags: openssl ssl-certificate certificate x509 hashicorp-vault
1 Answer

0 votes

It looks like the functionality I was trying to test is not supported. From the OpenSSL maintainers on GitHub:

I should have written that before - OpenSSL by itself does not support fetching the CRLs from any remote locations. It needs to be implemented by the application as @petrovr wrote above.

See the full thread with more details here.
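The answer above leaves the practical question open: if the openssl CLI never fetches the CRL Distribution Point URI, how do you make `openssl verify -crl_check` succeed? The script below is an added example, not code from the question, the answer, or the OpenSSL project. It builds a throwaway root, intermediate and leaf chain plus an empty CRL with the openssl CLI (every name, key, URI and config section such as `int_ca` or `v3_leaf` is constructed for the demo), reproduces the "unable to get certificate CRL" failure, and then shows the two ways the calling application can hand the CRL to OpenSSL locally: `-CRLfile`, or a `<issuer-hash>.r0` file in the `-CApath` directory, which is exactly the file the strace in the question shows OpenSSL probing for. It assumes an openssl 1.1.1 or newer binary on PATH and goes slightly beyond the thread by demonstrating both delivery paths.

```shell
#!/bin/sh
# Added example (not from the question, the answer, or OpenSSL itself):
# build a throwaway root -> intermediate -> leaf PKI and a CRL, then show
# that `openssl verify -crl_check` only passes once the CRL is supplied
# locally. Assumes openssl 1.1.1+ on PATH; all names below are constructed.
set -e

# Write a minimal (hypothetical) config and generate root, intermediate,
# leaf and an empty CRL into the directory given as $1.
build_pki() {
  dir=$1
  mkdir -p "$dir/capath"
  cat > "$dir/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
subjectAltName = DNS:server.example.net
crlDistributionPoints = URI:https://ca.xx.example.net/v1/pki/crl
[ ca ]
default_ca = int_ca
[ int_ca ]
database = index.txt
crlnumber = crlnumber
default_md = sha256
default_crl_days = 7
crl_extensions = crl_ext
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
  (
    cd "$dir"
    # Self-signed root CA (CA:TRUE, cRLSign), like the question's root.
    openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
      -keyout root.key -out root.crt -days 30 -sha256 -subj "/CN=Example Root CA" 2>/dev/null
    # Intermediate CA signed by the root.
    openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout int.key \
      -out int.csr -sha256 -subj "/CN=Example Intermediate CA" 2>/dev/null
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -days 30 -sha256 -extfile ca.cnf -extensions v3_ca -out int.crt 2>/dev/null
    # Leaf signed by the intermediate, carrying the CRL Distribution Point URI.
    openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
      -out leaf.csr -sha256 -subj "/CN=server.example.net" 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
      -days 30 -sha256 -extfile ca.cnf -extensions v3_leaf -out leaf.crt 2>/dev/null
    # Empty CRL from the intermediate: what the CDP URI would serve.
    : > index.txt
    echo 1000 > crlnumber
    openssl ca -config ca.cnf -gencrl -keyfile int.key -cert int.crt \
      -crldays 7 -out int.crl 2>/dev/null
  )
}

# 1) No CRL available locally and the CDP URI is never fetched, so this
#    exits non-zero with "error 3 at 0 depth lookup: unable to get certificate CRL".
verify_without_crl() {
  openssl verify -crl_check -no-CApath -CAfile "$1/root.crt" -untrusted "$1/int.crt" \
    "$1/leaf.crt" >/dev/null 2>&1
}

# 2) The application (here the shell) hands the CRL over explicitly.
verify_with_crlfile() {
  openssl verify -crl_check -no-CApath -CAfile "$1/root.crt" -untrusted "$1/int.crt" \
    -CRLfile "$1/int.crl" "$1/leaf.crt" >/dev/null 2>&1
}

# 3) Hashed directory: <subject-hash>.0 for CA certs, <issuer-hash>.r0 for CRLs.
verify_with_capath() {
  cp "$1/root.crt" "$1/capath/$(openssl x509 -in "$1/root.crt" -hash -noout).0"
  cp "$1/int.crl"  "$1/capath/$(openssl crl  -in "$1/int.crl"  -hash -noout).r0"
  openssl verify -crl_check -no-CAfile -CApath "$1/capath" -untrusted "$1/int.crt" \
    "$1/leaf.crt" >/dev/null 2>&1
}

# Stand-alone run: report all three outcomes, then clean up.
demo() {
  work=$(mktemp -d)
  build_pki "$work"
  verify_without_crl "$work" && echo "no CRL:   OK (unexpected)" || echo "no CRL:   FAILED (unable to get certificate CRL)"
  verify_with_crlfile "$work" && echo "-CRLfile: OK" || echo "-CRLfile: FAILED"
  verify_with_capath "$work"  && echo "-CApath:  OK" || echo "-CApath:  FAILED"
  rm -rf "$work"
}
demo
```

In a real deployment the `build_pki` step is replaced by downloading the CRL from the URI in the leaf's CRL Distribution Points extension (with curl, as the question does) and, if it arrives as DER, converting it with `openssl crl -inform DER -outform PEM` before passing it via `-CRLfile` or installing it as `<hash>.r0` in the CApath. Two caveats worth keeping in mind: `-crl_check` only checks the leaf, so `-crl_check_all` also needs the root's CRL for the intermediate, and a CRL whose `Next Update` has passed is rejected as expired, so the fetched file has to be refreshed before that time.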
