Find if a certificate is self signed or CA signed

前端 未结 5 1720
情歌与酒
情歌与酒 2021-02-02 11:59

I have a web app, which allows user to upload pkcs12. I store the pkcs12 as binary in database. Is there any way for me to know if the certificate in the pkcs12 is self signed

5条回答
  •  情话喂你
    2021-02-02 12:26

    Edit: there are two better answers on this question today:

    • https://stackoverflow.com/a/57927684/377270
    • https://stackoverflow.com/a/14515875/377270

    However, I think there's something more important to address -- why would one want to know about self-signed certificates. What's the goal? What problem is being solved? Probably trying to split certificates into two piles, self-signed and not-self-signed, is the wrong approach for most situations. The better approach is almost certainly going to be verifying that any given certificate has a valid signature chain from a trusted certificate authority, and that any connections associated with a given certificate matches the certificate.

    Here's the rest of my original answer. It's probably not what you want.


    It's a bit hacky, but the openssl x509 command can report both the issuer and the subject. If the subject and issuer are the same, it is self-signed; if they are different, then it was signed by a CA. (Strictly speaking, a great many self-signed certificates are also signed by a CA -- themselves.)

    While testing this theory, I ran a handful of tests; it runs something like:

    cd /etc/ssl/certs
    for f in *.0 ; do openssl x509 -in $f -issuer | head -1 > /tmp/$f.issuer ; openssl x509 -in $f -subject | head -1 > /tmp/$f.subject ; done
     cd /tmp
     sed -i -e s/issuer=// *.issuer
     sed -i -e s/subject=// *.subject
     cd /etc/ssl/certs/
     for f in *.0 ; do diff -u /tmp/$f.issuer /tmp/$f.subject ; done
    

    Hope this helps.

提交回复
热议问题