使用C\\C++开发的应用程序,如何安装SSL证书呢?一般C\\C++程序是使用libcurl库发起https请求, libcurl支持多种SSL\\TLS引擎, 如 OpenSSL, SChanel, NSS等。接下来,我们将以OpenSSL为例,为大家分享C\\C++安装DigiCert根证书的教程步骤。
1、查看OpenSSL根证书信任文件路径. 执行命令行 openssl version –a ,输出结果中的 OPENSSLDIR就是根证书信任文件路径
2、配置host,然后使用以下命令行, 确认操作系统内置的根证书中, 是否支持DigiCert根证书
$ openssl s_client -connect api.mch.weixin.qq.com:443 -verify_return_error -CApath $OPENSSLDIR
正常的输出为:
keytool.exe -importcert -keystore cacerts -storepass changeit -noprompt -file ./ DigiCert_Global_Root_CA.der -alias ” digicertglobalrootca”
(证书格式需要为der)
keytool -list -keystore cacerts -storepass changeit
(digicert证书的别名为: digicertglobalrootca 或者 baltimorecybertrustca)
keytool -importcert -keystore cacerts -storepass changeit -noprompt -file ./ DigiCert_Global_Root_CA.der -alias ” digicertglobalrootca
(证书格式需要为der)
keytool.exe -list -keystore cacerts -storepass changeit
(digicert证书的别名为: digicertglobalrootca 或者 baltimorecybertrustca)
depth=3 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018
verify return:1
depth=0 C = CN, L = Shenzhen, O = Tencent Technology (Shenzhen) Company Limited, OU = R&D, CN = payapp.weixin.qq.com
verify return:1
CONNECTED(00000003)
—
Certificate chain
0 s:/C=CN/L=Shenzhen/O=Tencent Technology (Shenzhen) Company Limited/OU=R&D/CN=payapp.weixin.qq.com
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
CONNECTED(00000003)
—
3、安装DigiCert根证书,常见的linux发行版本的操作命令如下:
1)Ubuntu和 Debian
查看根证书:
确认操作系统上,是否存在以下文件:
/etc/ssl/certs/DigiCert_Global_Root_CA.pem
/etc/ssl/certs/Baltimore_CyberTrust_Root.pem
安装根证书:
复制根证书文件到 /usr/local/share/ca-certificates/
安装根证书: sudo update-ca-certificates
2)CentOs和Red Hat Enterprise Linux
查看根证书:
确认/etc/pki/tls/certs/ca-bundle.crt文件中, 是否存在以下内容:
DigiCert Global Root CA
Serial Number: 08:3b:e0:56:90:42:46:b1:a1:75:6a:c9:59:91:c7:4a
Baltimore CyberTrust Root
Serial Number: 0x20000b9
安装根证书:
安装根证书管理包软件: yum install ca-certificates
打开根证书动态配置开关: update-ca-trust force-enable
将DigiCert的根证书文件复制到: /etc/pki/ca-trust/source/anchors/
安装根证书: update-ca-trust extract
相关阅读推荐:证书链是什么?证书链验证过程解读
