Tutorial: Installing the DigiCert Root Certificate for C/C++


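How do you install an SSL certificate for an application written in C/C++? C/C++ programs generally use the libcurl library to make HTTPS requests, and libcurl supports several SSL/TLS backends, such as OpenSSL, Schannel and NSS. Using OpenSSL as the example, this tutorial walks through the steps for installing the DigiCert root certificate for C/C++ applications.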

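1. Find the path of the OpenSSL trusted root certificate files. Run the command openssl version -a; the OPENSSLDIR value in the output is the path of the trusted root certificate files.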


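2. Configure the host, then run the following command to confirm whether the root certificates built into the operating system include the DigiCert root certificate: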

$ openssl s_client -connect api.mch.weixin.qq.com:443 -verify_return_error -CApath $OPENSSLDIR

The normal output is:

keytool.exe -importcert -keystore cacerts -storepass changeit -noprompt -file ./DigiCert_Global_Root_CA.der -alias "digicertglobalrootca"

(The certificate must be in DER format.)

keytool -list -keystore cacerts -storepass changeit

(The alias of the DigiCert certificate is digicertglobalrootca or baltimorecybertrustca.)

keytool -importcert -keystore cacerts -storepass changeit -noprompt -file ./DigiCert_Global_Root_CA.der -alias "digicertglobalrootca"

(The certificate must be in DER format.)

keytool.exe -list -keystore cacerts -storepass changeit

(The alias of the DigiCert certificate is digicertglobalrootca or baltimorecybertrustca.)

depth=3 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root

verify return:1

depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA

verify return:1

depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018

verify return:1

depth=0 C = CN, L = Shenzhen, O = Tencent Technology (Shenzhen) Company Limited, OU = R&D, CN = payapp.weixin.qq.com

verify return:1

CONNECTED(00000003)

Certificate chain

0 s:/C=CN/L=Shenzhen/O=Tencent Technology (Shenzhen) Company Limited/OU=R&D/CN=payapp.weixin.qq.com

i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018

1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018

i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA

2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA

i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root

When the DigiCert root certificate is missing, the error output may look like this:

depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA

verify error:num=20:unable to get local issuer certificate

verify return:0

CONNECTED(00000003)
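
The check in step 2 can be scripted. The following is an added example, not part of the original article: a shell function that reads openssl s_client output and reports which certificate failed verification. The names check_chain, sample_ok and sample_missing_root are made up here, and the two samples are constructed from the outputs shown above.

```shell
#!/bin/sh
# Added example, not from the original article.
# check_chain reads `openssl s_client` output on stdin and reports every
# certificate whose verification failed.
# Exit status: 0 = all depths verified, 1 = a verify error was seen,
#              2 = no verification lines found at all.
check_chain() {
    awk '
        /^depth=[0-9]+ /     { subject = $0; sub(/^depth=[0-9]+ /, "", subject); next }
        /^verify error:num=/ { err = $0; sub(/^verify error:/, "", err)
                               printf "FAIL %s (%s)\n", subject, err
                               failed = 1; next }
        /^verify return:1/   { ok++ }
        END { if (failed) exit 1; if (ok == 0) exit 2; exit 0 }
    '
}

# Constructed sample: the "normal" verification lines shown in step 2.
sample_ok() { cat <<'EOF'
depth=3 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018
verify return:1
depth=0 C = CN, L = Shenzhen, O = Tencent Technology (Shenzhen) Company Limited, OU = R&D, CN = payapp.weixin.qq.com
verify return:1
CONNECTED(00000003)
EOF
}

# Constructed sample: the error output shown for a missing root certificate.
sample_missing_root() { cat <<'EOF'
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
CONNECTED(00000003)
EOF
}

# Demo run on the constructed failure sample.
sample_missing_root | check_chain || echo "check_chain exit status: $?"
```

For a live check, append 2>&1 </dev/null | check_chain to the openssl s_client command from step 2, so that the verification lines reach the function whichever stream they are written to.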

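3. Install the DigiCert root certificate. The commands for common Linux distributions are as follows:

1) Ubuntu and Debian

Check the root certificates

Confirm whether the following files exist on the operating system: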

/etc/ssl/certs/DigiCert_Global_Root_CA.pem

/etc/ssl/certs/Baltimore_CyberTrust_Root.pem

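Install the root certificate

Copy the root certificate file to /usr/local/share/ca-certificates/

Install the root certificate: sudo update-ca-certificates

2) CentOS and Red Hat Enterprise Linux

Check the root certificates

Confirm whether the file /etc/pki/tls/certs/ca-bundle.crt contains the following: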

DigiCert Global Root CA

Serial Number: 08:3b:e0:56:90:42:46:b1:a1:75:6a:c9:59:91:c7:4a

Baltimore CyberTrust Root

Serial Number: 0x20000b9

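Install the root certificate

Install the root certificate management package: yum install ca-certificates

Enable dynamic root certificate configuration: update-ca-trust force-enable

Copy the DigiCert root certificate file to: /etc/pki/ca-trust/source/anchors/

Install the root certificate: update-ca-trust extract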


(This article is an original work of 美国主机资讯; please credit the source when reposting!)
