Linux: using openssl to get the certificate from a server
Notice: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, released under the CC BY-SA 4.0 license. If you use it, you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/7885785/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Using openssl to get the certificate from a server
Asked by nasty pasty
I am trying to get the certificate of a remote server, which I can then use to add to my keystore and use within my java application.
A senior dev (who is on holidays :( ) informed me I can run this:
openssl s_client -connect host.host:9999
To get a raw certificate dumped out, which I can then copy and export. I receive the following output:
depth=1 /C=NZ/ST=Test State or Province/O=Organization Name/OU=Organizational Unit Name/CN=Test CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
23177:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1086:SSL alert number 40
23177:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
I have also tried with this option
-showcerts
and this one (running on debian mind you)
-CApath /etc/ssl/certs/
But get the same error.
This source says I can use that CApath flag, but it doesn't seem to help. I tried multiple paths to no avail.
Please let me know where I'm going wrong.
Accepted answer by nasty pasty
It turns out there is more complexity here: I needed to provide many more details to get this rolling. I think it's something to do with the fact that it's a connection that needs client authentication, and the handshake needed more info to continue to the stage where the certificates were dumped.
Here is my working command:
openssl s_client -connect host:port -key our_private_key.pem -showcerts \
-cert our_server-signed_cert.pem
Hopefully this is a nudge in the right direction for anyone who could do with some more info.
Answer by Ari Maniatis
With SNI
If the remote server is using SNI (that is, sharing multiple SSL hosts on a single IP address) you will need to send the correct hostname in order to get the right certificate.
openssl s_client -showcerts -servername www.example.com -connect www.example.com:443 </dev/null
Without SNI
If the remote server is not using SNI, then you can skip the -servername parameter:
openssl s_client -showcerts -connect www.example.com:443 </dev/null
To view the full details of a site's cert you can use this chain of commands as well:
$ echo | \
openssl s_client -servername www.example.com -connect www.example.com:443 2>/dev/null | \
openssl x509 -text
Answer by David Jaquay
While I agree with Ari's answer (and upvoted it :), I needed to do an extra step to get it to work with Java on Windows (where it needed to be deployed):
openssl s_client -showcerts -connect www.example.com:443 < /dev/null | openssl x509 -outform DER > derp.der
Before adding the openssl x509 -outform DER conversion, I was getting an error from keytool on Windows complaining about the certificate's format. Importing the .der file worked fine.
Answer by kenorb
To get the certificate of a remote server you can use the openssl tool; you can find it between BEGIN CERTIFICATE and END CERTIFICATE, which you need to copy and paste into your certificate file (CRT).
Here is the command demonstrating it:
ex +'/BEGIN CERTIFICATE/,/END CERTIFICATE/p' <(echo | openssl s_client -showcerts -connect example.com:443) -scq > file.crt
To return all certificates from the chain, just add g (global) like:
ex +'g/BEGIN CERTIFICATE/,/END CERTIFICATE/p' <(echo | openssl s_client -showcerts -connect example.com:443) -scq
Then you can simply import your certificate file (file.crt) into your keychain and make it trusted, so Java shouldn't complain.
On OS X you can double-click on the file or drag and drop in your Keychain Access, so it'll appear in login/Certificates. Then double-click on the imported certificated and make it Always Trust for SSL.
On CentOS 5 you can append them into the /etc/pki/tls/certs/ca-bundle.crt file (and run: sudo update-ca-trust force-enable), or in CentOS 6 copy them into /etc/pki/ca-trust/source/anchors/ and run sudo update-ca-trust extract.
In Ubuntu, copy them into /usr/local/share/ca-certificates and run sudo update-ca-certificates.
Answer by Florian
The easiest command line for this, which includes the PEM output to add it to the keystore, as well as a human readable output and also supports SNI, which is important if you are working with an HTTP server is:
openssl s_client -servername example.com -connect example.com:443 \
</dev/null 2>/dev/null | openssl x509 -text
The -servername option is to enable SNI support, and openssl x509 -text prints the certificate in human readable format.
Answer by Amos Shapira
For the benefit of others like me who tried to follow the good advice here when accessing AWS CloudFront but failed, the trick is to add -servername domain.name.
Answer by Andrei Aleksandrov
You can get and store the server root certificate using the following bash script:
# Dump the whole chain, then keep only the last certificate (the root) in $SERVER_ROOT_CERTIFICATE.
# The file is reopened and truncated for every record, so only the final one survives.
CERTS=$(echo -n | openssl s_client -connect $HOST_NAME:$PORT -showcerts | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p')
echo "$CERTS" | awk -v RS="-----BEGIN CERTIFICATE-----" 'NR > 1 { printf RS $0 > "'$SERVER_ROOT_CERTIFICATE'"; close("'$SERVER_ROOT_CERTIFICATE'") }'

# Variant with example values: save only the server's own (leaf) certificate as PEM.
HOST=gmail-pop.l.google.com
PORT=995
openssl s_client -servername $HOST -connect $HOST:$PORT < /dev/null 2>/dev/null | openssl x509 -outform pem
Just overwrite the required variables.
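An added example (not from the question or any of the answers above) that ties the chain-splitting and import steps together as a small POSIX sh script: fetch the chain with SNI, split it into one PEM file per certificate, and print each certificate's subject, issuer and SHA-256 fingerprint so you can check what you are about to trust before importing it with keytool. Host, port, directory, alias and keystore names are placeholders, and the test input is constructed.

```shell
#!/bin/sh
# Added example, not code from the original question or answers.
# Tools assumed present: openssl and (for the last step) keytool.

# Read `openssl s_client -showcerts` output on stdin and write every
# -----BEGIN/END CERTIFICATE----- block to $1/cert-N.pem, N counting from 0
# in the order s_client prints them (the server's own certificate first).
# Lines outside a block (verify errors, session info) are dropped. Prints N.
split_chain() {
    outdir="$1"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        BEGIN { n = 0; inside = 0 }
        /-----BEGIN CERTIFICATE-----/ { file = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > file }
        /-----END CERTIFICATE-----/   { if (inside) { close(file); n++ }; inside = 0 }
        END { print n }
    '
}

# Dump the chain, sending the hostname via SNI so a shared-IP server returns
# the right certificate. </dev/null ends the session after the handshake;
# stderr is left alone so "verify error" lines stay visible to the operator.
fetch_chain() {
    host="$1"; port="${2:-443}"
    openssl s_client -servername "$host" -connect "$host:$port" -showcerts </dev/null
}

# Show what you are about to trust: subject, issuer and SHA-256 fingerprint of
# each split certificate. Compare the fingerprint with a value obtained
# out-of-band (for example from the server's owner) before importing anything.
describe_certs() {
    for f in "$1"/cert-*.pem; do
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -issuer -fingerprint -sha256
    done
}

# Import one PEM file into a Java truststore (keytool reads PEM or DER and
# prompts for the keystore password). Arguments: file, alias, keystore path.
import_cert() {
    keytool -importcert -trustcacerts -alias "$2" -file "$1" -keystore "$3"
}

# Typical use (replace the placeholders):
#   fetch_chain www.example.com 443 | split_chain ./chain
#   describe_certs ./chain
#   import_cert ./chain/cert-1.pem example-ca ./truststore.jks
```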
Answer by akond
# MYHOST=myhost.com
# MYPORT=443
# openssl s_client -connect ${MYHOST}:${MYPORT} -showcerts 2>/dev/null </dev/null | awk '/^.*'"${MYHOST}"'/,/-----END CERTIFICATE-----/{next;}/-----BEGIN/,/-----END CERTIFICATE-----/{print}'
Answer by Mathieu CARBONNEAUX
to print only the certificate chain and not the server's certificate, and to update CA trust on CentOS/RHEL 6/7:
# update-ca-trust enable
# openssl s_client -connect ${MYHOST}:${MYPORT} -showcerts 2>/dev/null </dev/null | awk '/^.*'"${MYHOST}"'/,/-----END CERTIFICATE-----/{next;}/-----BEGIN/,/-----END CERTIFICATE-----/{print}' >/etc/pki/ca-trust/source/anchors/myca.cert
# update-ca-trust extract
on CentOS/RHEL 5:
# openssl s_client -connect ${MYHOST}:${MYPORT} -showcerts 2>/dev/null </dev/null | awk '/^.*'"${MYHOST}"'/,/-----END CERTIFICATE-----/{next;}/-----BEGIN/,/-----END CERTIFICATE-----/{print}' >>/etc/pki/tls/certs/ca-bundle.crt
Answer by André Fernandes
A one-liner to extract the certificate from a remote server in PEM format, this time using sed:
openssl s_client -connect www.google.com:443 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'