Find if a certificate is self signed or CA signed




I have a web app which allows users to upload pkcs12. I store the pkcs12 as binary in database. Is there any way for me to know if the certificate in the pkcs12 is self signed or CA signed?


I am running a Java web app on tomcat and have openssl at my disposal.



There are two better answers on this question today:

  • https://stackoverflow.com/a/57927684/377270
  • https://stackoverflow.com/a/14515875/377270


However, I think there's something more important to address -- why would one want to know about self-signed certificates? What's the goal? What problem is being solved? Probably trying to split certificates into two piles, self-signed and not-self-signed, is the wrong approach for most situations. The better approach is almost certainly going to be verifying that any given certificate has a valid signature chain from a trusted certificate authority, and that any connections associated with a given certificate match the certificate.


Here's the rest of my original answer. It's probably not what you want.


It's a bit hacky, but the openssl x509 command can report both the issuer and the subject. If the subject and issuer are the same, it is self-signed; if they are different, then it was signed by a CA. (Strictly speaking, a great many self-signed certificates are also signed by a CA -- themselves.)


While testing this theory, I ran a handful of tests; it runs something like:

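# Write the issuer and subject line of every certificate in the system store to /tmp
cd /etc/ssl/certs
for f in *.0 ; do openssl x509 -in "$f" -noout -issuer > "/tmp/$f.issuer" ; openssl x509 -in "$f" -noout -subject > "/tmp/$f.subject" ; done
# Strip the field labels so the two names can be compared directly
cd /tmp
sed -i -e 's/^issuer=//' *.issuer
sed -i -e 's/^subject=//' *.subject
# Any diff output means issuer and subject differ for that certificate
cd /etc/ssl/certs/
for f in *.0 ; do diff -u "/tmp/$f.issuer" "/tmp/$f.subject" ; done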
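
Comparing issuer and subject alone cannot tell a self-signed certificate from one that only reuses its issuer's name, and it says nothing about trust. The script below is an added example, not part of the original answer: it also verifies the self-signature and, optionally, the chain to a trusted CA bundle. The function names, labels and sample CNs are assumptions for illustration, and it expects the certificate already extracted from the PKCS#12 to PEM.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes the openssl CLI is on PATH.

# name_of CERT FIELD: issuer or subject DN with the "issuer="/"subject=" label removed
name_of() {
    openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*= *//'
}

# classify_cert CERT [TRUSTED_CA_BUNDLE] prints exactly one of:
#   self-signed  issuer == subject and the signature verifies under the cert's own key
#   self-issued  issuer == subject but the self-signature check failed
#                (different signing key, or the cert is expired/otherwise invalid)
#   ca-trusted   chains to a CA in the bundle (openssl may also use its default store)
#   untrusted    none of the above
classify_cert() {
    cert=$1 bundle=${2:-}
    if [ "$(name_of "$cert" issuer)" = "$(name_of "$cert" subject)" ]; then
        # -check_ss_sig makes openssl verify the self-signature,
        # which it skips by default for a trust anchor.
        if openssl verify -check_ss_sig -CAfile "$cert" "$cert" >/dev/null 2>&1; then
            echo self-signed
        else
            echo self-issued
        fi
    elif [ -n "$bundle" ] && openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
        echo ca-trusted
    else
        echo untrusted
    fi
}

# make_samples DIR: constructed sample certificates (throwaway keys, 1-day validity)
make_samples() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    for n in leaf:"/CN=leaf.example" rollover:"/CN=Example Root"; do
        openssl req -new -newkey rsa:2048 -nodes -subj "${n#*:}" \
            -keyout "$d/${n%%:*}.key" -out "$d/${n%%:*}.csr" 2>/dev/null
        openssl x509 -req -in "$d/${n%%:*}.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
            -CAcreateserial -days 1 -out "$d/${n%%:*}.pem" 2>/dev/null
    done
}

# Demo on the constructed samples
d=$(mktemp -d) && make_samples "$d"
for c in ca rollover leaf; do
    printf '%s: %s\n' "$c" "$(classify_cert "$d/$c.pem" "$d/ca.pem")"
done
rm -rf "$d"
```

The `rollover` sample has the same subject and issuer name as the root but a different key, so the name comparison alone would report it as self-signed.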


