I have recently been learning SSL/TLS, which led me into the web PKI (public key infrastructure). There is quite a lot to it, so here I record how to inspect root certificates.
Where are the root certificates on Linux?
Taking Ubuntu as an example, they live under /etc/ssl/certs. This directory of root certificates is also called the trust store: it holds every root certificate the system trusts. On macOS, by contrast, the dedicated Keychain Access application manages them.
stardust@os:certs$ pwd
/etc/ssl/certs
stardust@os:certs$ ls
02265526.0
03179a64.0
062cdee6.0
064e0aa9.0
06dc52d5.0
080911ac.0
09789157.0
0a775a30.0
0b1b94ef.0
0bf05006.0
0c31d5ce.0
0c4c9b6c.0
0f5dc4f3.0
0f6fa695.0
1001acf7.0
106f3e4d.0
116bf586.0
14bc7599.0
1636090b.0
18856ac4.0
1d3472b9.0
1e08bfd1.0
1e09d511.0
244b5494.0
2923b3f9.0
2ae6433e.0
2b349938.0
32888f65.0
349f2832.0
3513523f.0
3bde41ac.0
3e44d2f7.0
3e45d192.0
3fb36b73.0
40193066.0
4042bcee.0
40547a79.0
406c9bb1.0
4304c5e5.0
48bec511.0
4a6481c9.0
4b718d9b.0
4bfab552.0
4f316efb.0
5273a94c.0
5443e9e3.0
54657681.0
57bcb2da.0
5a4d6896.0
5ad8a5d6.0
5cd81ad7.0
5d3033c5.0
5e98733a.0
5f15c80c.0
5f618aec.0
607986c7.0
626dceaf.0
653b494a.0
68dd7389.0
6b99d060.0
6d41d539.0
6fa5da56.0
706f604c.0
749e9e03.0
75d1b2ed.0
76cb8f92.0
76faf6c0.0
7719f463.0
773e07ad.0
7aaf71c0.0
7f3d5d1d.0
8160b96c.0
8cb5ee0f.0
8d86cdd1.0
8d89cda1.0
930ac5d2.0
93bc0acc.0
988a38cb.0
9b5697b0.0
9c2e7d30.0
9c8dfbd4.0
9d04f354.0
a3418fda.0
a94d09e5.0
ACCVRAIZ1.pem
AC_RAIZ_FNMT-RCM.pem
Actalis_Authentication_Root_CA.pem
aee5f10d.0
AffirmTrust_Commercial.pem
AffirmTrust_Networking.pem
AffirmTrust_Premium_ECC.pem
AffirmTrust_Premium.pem
Amazon_Root_CA_1.pem
Amazon_Root_CA_2.pem
Amazon_Root_CA_3.pem
Amazon_Root_CA_4.pem
Atos_TrustedRoot_2011.pem
Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
b0e59380.0
b1159c4c.0
b66938e9.0
b727005e.0
b7a5b843.0
Baltimore_CyberTrust_Root.pem
bf53fb88.0
Buypass_Class_2_Root_CA.pem
Buypass_Class_3_Root_CA.pem
c01cdfa2.0
c01eb047.0
c0fb5232.0
c28a8a30.0
c47d9980.0
ca6e4ad9.0
ca-certificates.crt
CA_Disig_Root_R2.pem
cbf06781.0
cc450945.0
cd58d51e.0
cd8c0d63.0
ce5e74ef.0
Certigna.pem
Certigna_Root_CA.pem
certSIGN_Root_CA_G2.pem
certSIGN_ROOT_CA.pem
Certum_Trusted_Network_CA_2.pem
Certum_Trusted_Network_CA.pem
CFCA_EV_ROOT.pem
Chambers_of_Commerce_Root_-_2008.pem
Comodo_AAA_Services_root.pem
COMODO_Certification_Authority.pem
COMODO_ECC_Certification_Authority.pem
COMODO_RSA_Certification_Authority.pem
Cybertrust_Global_Root.pem
d4dae3dd.0
d6325660.0
d7e8dc79.0
d853d49e.0
d887a5bb.0
dc4d6a89.0
dd8e9d41.0
de6d66f3.0
DigiCert_Assured_ID_Root_CA.pem
DigiCert_Assured_ID_Root_G2.pem
DigiCert_Assured_ID_Root_G3.pem
DigiCert_Global_Root_CA.pem
DigiCert_Global_Root_G2.pem
DigiCert_Global_Root_G3.pem
DigiCert_High_Assurance_EV_Root_CA.pem
DigiCert_Trusted_Root_G4.pem
D-TRUST_Root_Class_3_CA_2_2009.pem
D-TRUST_Root_Class_3_CA_2_EV_2009.pem
e113c810.0
e18bfb83.0
e36a6752.0
e73d606e.0
e868b802.0
e8de2f56.0
EC-ACC.pem
ee64a828.0
eed8c118.0
ef954a4e.0
emSign_ECC_Root_CA_-_C3.pem
emSign_ECC_Root_CA_-_G3.pem
emSign_Root_CA_-_C1.pem
emSign_Root_CA_-_G1.pem
Entrust.net_Premium_2048_Secure_Server_CA.pem
Entrust_Root_Certification_Authority_-_EC1.pem
Entrust_Root_Certification_Authority_-_G2.pem
Entrust_Root_Certification_Authority_-_G4.pem
Entrust_Root_Certification_Authority.pem
ePKI_Root_Certification_Authority.pem
e-Szigno_Root_CA_2017.pem
E-Tugra_Certification_Authority.pem
f081611a.0
f0c70a8d.0
f249de83.0
f30dd6ad.0
f3377b1b.0
f387163d.0
f39fc864.0
f51bb24c.0
fc5a8f99.0
fe8a2cd8.0
ff34af3f.0
GDCA_TrustAUTH_R5_ROOT.pem
GeoTrust_Primary_Certification_Authority_-_G2.pem
Global_Chambersign_Root_-_2008.pem
GlobalSign_ECC_Root_CA_-_R4.pem
GlobalSign_ECC_Root_CA_-_R5.pem
GlobalSign_Root_CA.pem
GlobalSign_Root_CA_-_R2.pem
GlobalSign_Root_CA_-_R3.pem
GlobalSign_Root_CA_-_R6.pem
Go_Daddy_Class_2_CA.pem
Go_Daddy_Root_Certificate_Authority_-_G2.pem
GTS_Root_R1.pem
GTS_Root_R2.pem
GTS_Root_R3.pem
GTS_Root_R4.pem
Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.pem
Hellenic_Academic_and_Research_Institutions_RootCA_2011.pem
Hellenic_Academic_and_Research_Institutions_RootCA_2015.pem
Hongkong_Post_Root_CA_1.pem
Hongkong_Post_Root_CA_3.pem
IdenTrust_Commercial_Root_CA_1.pem
IdenTrust_Public_Sector_Root_CA_1.pem
ISRG_Root_X1.pem
Izenpe.com.pem
java
Microsec_e-Szigno_Root_CA_2009.pem
Microsoft_ECC_Root_Certificate_Authority_2017.pem
Microsoft_RSA_Root_Certificate_Authority_2017.pem
NAVER_Global_Root_Certification_Authority.pem
'NetLock_Arany_=Class_Gold=_Főtanúsítvány.pem'
Network_Solutions_Certificate_Authority.pem
OISTE_WISeKey_Global_Root_GB_CA.pem
OISTE_WISeKey_Global_Root_GC_CA.pem
QuoVadis_Root_CA_1_G3.pem
QuoVadis_Root_CA_2_G3.pem
QuoVadis_Root_CA_2.pem
QuoVadis_Root_CA_3_G3.pem
QuoVadis_Root_CA_3.pem
QuoVadis_Root_CA.pem
Secure_Global_CA.pem
SecureSign_RootCA11.pem
SecureTrust_CA.pem
Security_Communication_RootCA2.pem
Security_Communication_Root_CA.pem
Sonera_Class_2_Root_CA.pem
ssl-cert-snakeoil.pem
SSL.com_EV_Root_Certification_Authority_ECC.pem
SSL.com_EV_Root_Certification_Authority_RSA_R2.pem
SSL.com_Root_Certification_Authority_ECC.pem
SSL.com_Root_Certification_Authority_RSA.pem
Staat_der_Nederlanden_EV_Root_CA.pem
Staat_der_Nederlanden_Root_CA_-_G3.pem
Starfield_Class_2_CA.pem
Starfield_Root_Certificate_Authority_-_G2.pem
Starfield_Services_Root_Certificate_Authority_-_G2.pem
SwissSign_Gold_CA_-_G2.pem
SwissSign_Silver_CA_-_G2.pem
SZAFIR_ROOT_CA2.pem
TeliaSonera_Root_CA_v1.pem
TrustCor_ECA-1.pem
TrustCor_RootCert_CA-1.pem
TrustCor_RootCert_CA-2.pem
Trustis_FPS_Root_CA.pem
Trustwave_Global_Certification_Authority.pem
Trustwave_Global_ECC_P256_Certification_Authority.pem
Trustwave_Global_ECC_P384_Certification_Authority.pem
T-TeleSec_GlobalRoot_Class_2.pem
T-TeleSec_GlobalRoot_Class_3.pem
TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.pem
TWCA_Global_Root_CA.pem
TWCA_Root_Certification_Authority.pem
UCA_Extended_Validation_Root.pem
UCA_Global_G2_Root.pem
USERTrust_ECC_Certification_Authority.pem
USERTrust_RSA_Certification_Authority.pem
VeriSign_Universal_Root_Certification_Authority.pem
XRamp_Global_CA_Root.pem
As you can see, there are quite a few root certificates.
Taking Juejin as an example, which root certificate does it actually use?
We can see that the root certificate of juejin.cn is DigiCert Global Root CA.
How do we find this certificate in /etc/ssl/certs?
Looking through the files, we find DigiCert_Global_Root_CA.pem.
Decode this certificate with openssl:
stardust@os:certs$ openssl x509 -text -in DigiCert_Global_Root_CA.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
08:3b:e0:56:90:42:46:b1:a1:75:6a:c9:59:91:c7:4a
Signature Algorithm: sha1WithRSAEncryption
Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
Validity
Not Before: Nov 10 00:00:00 2006 GMT
Not After : Nov 10 00:00:00 2031 GMT
Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:e2:3b:e1:11:72:de:a8:a4:d3:a3:57:aa:50:a2:
8f:0b:77:90:c9:a2:a5:ee:12:ce:96:5b:01:09:20:
cc:01:93:a7:4e:30:b7:53:f7:43:c4:69:00:57:9d:
e2:8d:22:dd:87:06:40:00:81:09:ce:ce:1b:83:bf:
df:cd:3b:71:46:e2:d6:66:c7:05:b3:76:27:16:8f:
7b:9e:1e:95:7d:ee:b7:48:a3:08:da:d6:af:7a:0c:
39:06:65:7f:4a:5d:1f:bc:17:f8:ab:be:ee:28:d7:
74:7f:7a:78:99:59:85:68:6e:5c:23:32:4b:bf:4e:
c0:e8:5a:6d:e3:70:bf:77:10:bf:fc:01:f6:85:d9:
a8:44:10:58:32:a9:75:18:d5:d1:a2:be:47:e2:27:
6a:f4:9a:33:f8:49:08:60:8b:d4:5f:b4:3a:84:bf:
a1:aa:4a:4c:7d:3e:cf:4f:5f:6c:76:5e:a0:4b:37:
91:9e:dc:22:e6:6d:ce:14:1a:8e:6a:cb:fe:cd:b3:
14:64:17:c7:5b:29:9e:32:bf:f2:ee:fa:d3:0b:42:
d4:ab:b7:41:32:da:0c:d4:ef:f8:81:d5:bb:8d:58:
3f:b5:1b:e8:49:28:a2:70:da:31:04:dd:f7:b2:16:
f2:4c:0a:4e:07:a8:ed:4a:3d:5e:b5:7f:a3:90:c3:
af:27
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55
X509v3 Authority Key Identifier:
keyid:03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55
Signature Algorithm: sha1WithRSAEncryption
cb:9c:37:aa:48:13:12:0a:fa:dd:44:9c:4f:52:b0:f4:df:ae:
04:f5:79:79:08:a3:24:18:fc:4b:2b:84:c0:2d:b9:d5:c7:fe:
f4:c1:1f:58:cb:b8:6d:9c:7a:74:e7:98:29:ab:11:b5:e3:70:
a0:a1:cd:4c:88:99:93:8c:91:70:e2:ab:0f:1c:be:93:a9:ff:
63:d5:e4:07:60:d3:a3:bf:9d:5b:09:f1:d5:8e:e3:53:f4:8e:
63:fa:3f:a7:db:b4:66:df:62:66:d6:d1:6e:41:8d:f2:2d:b5:
ea:77:4a:9f:9d:58:e2:2b:59:c0:40:23:ed:2d:28:82:45:3e:
79:54:92:26:98:e0:80:48:a8:37:ef:f0:d6:79:60:16:de:ac:
e8:0e:cd:6e:ac:44:17:38:2f:49:da:e1:45:3e:2a:b9:36:53:
cf:3a:50:06:f7:2e:e8:c4:57:49:6c:61:21:18:d5:04:ad:78:
3c:2c:3a:80:6b:a7:eb:af:15:14:e9:d8:89:c1:b9:38:6c:e2:
91:6c:8a:ff:64:b9:77:25:57:30:c0:1b:24:a3:e1:dc:e9:df:
47:7c:b5:b4:24:08:05:30:ec:2d:bd:0b:bf:45:bf:50:b9:a9:
f3:eb:98:01:12:ad:c8:88:c6:98:34:5f:8d:0a:3c:c6:e9:d5:
95:95:6d:de
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Comparing the serial number and the public key confirms that this is exactly that root certificate.
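The two manual steps above, finding the file in /etc/ssl/certs and then comparing the decoded fields, can be scripted. The following is an added example written for this post, not code from the original; it parses `openssl x509 -text` output into the fields compared above (serial number, issuer, subject, Subject Key Identifier), checks whether two dumps describe the same root, and looks a certificate up in the trust store through OpenSSL's subject hash, which is what the `xxxxxxxx.0` names in the listing are. The sample text is the header part of the DigiCert dump from the post with the modulus left out; the "lookalike" certificate and the `locate_in_trust_store` helper name are constructed for the example.

```python
"""Added example (not from the original post): match a root certificate
against the system trust store the way the post does by hand."""
import re
import subprocess
from pathlib import Path

# Constructed sample: header of the `openssl x509 -text` dump shown in the
# post for DigiCert Global Root CA (modulus omitted to keep the sample short).
DIGICERT_ROOT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            08:3b:e0:56:90:42:46:b1:a1:75:6a:c9:59:91:c7:4a
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
        Validity
            Not Before: Nov 10 00:00:00 2006 GMT
            Not After : Nov 10 00:00:00 2031 GMT
        Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55
            X509v3 Authority Key Identifier:
                keyid:03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55
"""

# Constructed decoy: same subject name as the real root but a different
# serial and key identifier, i.e. what a substituted root would look like.
LOOKALIKE_TEXT = DIGICERT_ROOT_TEXT.replace(
    "08:3b:e0:56:90:42:46:b1:a1:75:6a:c9:59:91:c7:4a",
    "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01",
).replace("03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55",
          "AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA")


def field(text: str, label: str):
    """Value printed after `label`: on the same line (Issuer, Subject) or on
    the following line (long serial numbers, key identifiers)."""
    m = re.search(r"^[ \t]*" + re.escape(label) + r"[ \t]*(.*)$", text, re.M)
    if not m:
        return None
    value = m.group(1).strip()
    if value:
        return value
    rest = text[m.end():].lstrip("\n")
    return rest.split("\n", 1)[0].strip()


def normalize_hex(value):
    """'keyid:03:DE:...' / '08:3b:...' -> lowercase hex without separators."""
    if value is None:
        return None
    return value.split("keyid:")[-1].replace(":", "").lower()


def parse_x509_text(text: str) -> dict:
    """Extract the fields the post compares from `openssl x509 -text` output."""
    return {
        "serial": normalize_hex(field(text, "Serial Number:")),
        "issuer": field(text, "Issuer:"),
        "subject": field(text, "Subject:"),
        "ski": normalize_hex(field(text, "X509v3 Subject Key Identifier:")),
        "aki": normalize_hex(field(text, "X509v3 Authority Key Identifier:")),
        "is_ca": field(text, "CA:") == "TRUE",
    }


def is_self_signed_root(info: dict) -> bool:
    """A root is self-issued: subject == issuer, and AKI (if present) == SKI."""
    return (info["is_ca"] and info["subject"] == info["issuer"]
            and info["aki"] in (None, info["ski"]))


def same_certificate(a: dict, b: dict) -> bool:
    """Serial numbers are only unique per issuer, so compare them together
    with the issuer, and require the same key identifier."""
    return (a["serial"] == b["serial"] and a["issuer"] == b["issuer"]
            and a["ski"] == b["ski"])


def subject_hash(pem_path) -> str:
    """OpenSSL's subject-name hash; trust-store symlinks are named <hash>.0."""
    out = subprocess.run(["openssl", "x509", "-noout", "-subject_hash", "-in", str(pem_path)],
                         check=True, capture_output=True, text=True)
    return out.stdout.strip()


def locate_in_trust_store(pem_path, store="/etc/ssl/certs"):
    """Hypothetical helper: resolve the <hash>.0 link for this certificate,
    or None when the trust store does not contain it."""
    link = Path(store) / f"{subject_hash(pem_path)}.0"
    return link.resolve() if link.exists() else None


if __name__ == "__main__":
    root = parse_x509_text(DIGICERT_ROOT_TEXT)
    print("root:", root["subject"], "self-signed:", is_self_signed_root(root))
    print("lookalike matches:", same_certificate(root, parse_x509_text(LOOKALIKE_TEXT)))
    try:  # only works on a host with openssl and a Debian-style trust store
        print("trust store entry:", locate_in_trust_store("/etc/ssl/certs/DigiCert_Global_Root_CA.pem"))
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("trust store lookup skipped:", exc)
```

The serial number and key identifier match is the check the post performs; the definitive comparison is the certificate's SHA-256 fingerprint (`openssl x509 -noout -fingerprint -sha256`), since the Subject Key Identifier is chosen by the issuer rather than derived from the key by the verifier. Note also that not every file in the listing is a trusted root: `ca-certificates.crt` is the concatenated bundle of all the `.pem` files, and `ssl-cert-snakeoil.pem` is the self-signed placeholder certificate the ssl-cert package generates for local services.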