Using Alibaba Cloud's free mailbox (smtp.aliyun.com) as an example
1. How to download the certificate chain
Notes on the certificate chain
Using gnutls
gnutls-cli --print-cert smtp.aliyun.com:465 < /dev/null > aliyun-chain.certs
Using openssl s_client -showcerts
$ echo -n | openssl s_client -showcerts -connect smtp.aliyun.com:465 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ./tmp/aliyun-chain.pem
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
verify return:1
depth=0 C = CN, ST = ZheJiang, L = HangZhou, O = "Alibaba (China) Technology Co., Ltd.", CN = mail.aliyun.com
verify return:1
DONE
The certificate chain listed above is written to ./tmp/aliyun-chain.pem (the depth/verify lines are printed on stderr; only the PEM blocks go to the file)
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Inspect the certificates
$ openssl crl2pkcs7 -nocrl -certfile ./tmp/aliyun-chain.pem | openssl pkcs7 -print_certs -noout
subject=C = CN, ST = ZheJiang, L = HangZhou, O = "Alibaba (China) Technology Co., Ltd.", CN = mail.aliyun.com
issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
subject=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
issuer=C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
subject=C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
issuer=C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
2. Split the chain into separate certificate files
Copy them by hand, or use a script
Taking ./tmp/aliyun-chain.pem as an example, with awk (a new output file is started at every BEGIN CERTIFICATE line)
awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/{if(/-----BEGIN CERTIFICATE-----/){a++}; out="./tmp/aliyun-cert"a".pem"; print > out}' ./tmp/aliyun-chain.pem
This splits the three certificates in ./tmp/aliyun-chain.pem into three files: aliyun-cert1.pem, aliyun-cert2.pem and aliyun-cert3.pem
Inspect the certificates
$ openssl crl2pkcs7 -nocrl -certfile ./tmp/aliyun-cert1.pem | openssl pkcs7 -print_certs -noout
subject=C = CN, ST = ZheJiang, L = HangZhou, O = "Alibaba (China) Technology Co., Ltd.", CN = mail.aliyun.com
issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
$ openssl crl2pkcs7 -nocrl -certfile ./tmp/aliyun-cert2.pem | openssl pkcs7 -print_certs -noout
subject=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
issuer=C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
$ openssl crl2pkcs7 -nocrl -certfile ./tmp/aliyun-cert3.pem | openssl pkcs7 -print_certs -noout
subject=C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
issuer=C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
3. Obtain the certificate names
$ echo -n | openssl s_client -showcerts -connect smtp.aliyun.com:465 | grep i: | sed -e 's,.*=,,' > ./tmp/aliyuncert-issuer-names
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
verify return:1
depth=0 C = CN, ST = ZheJiang, L = HangZhou, O = "Alibaba (China) Technology Co., Ltd.", CN = mail.aliyun.com
verify return:1
DONE
Above, the names of the three certificates are taken from the issuer (i:) lines; the sed expression keeps only the text after the last '=', i.e. the CN
$ cat ./tmp/aliyuncert-issuer-names
GlobalSign Organization Validation CA - SHA256 - G2
GlobalSign Root CA
GlobalSign Root CA
These differ from the names in the subject (s:) lines
$ echo -n | openssl s_client -showcerts -connect smtp.aliyun.com:465 | grep s: | sed -e 's,.*=,,' > ./tmp/aliyuncert-subject-names
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
verify return:1
depth=0 C = CN, ST = ZheJiang, L = HangZhou, O = "Alibaba (China) Technology Co., Ltd.", CN = mail.aliyun.com
verify return:1
DONE
$ cat ./tmp/aliyuncert-subject-names
mail.aliyun.com
GlobalSign Organization Validation CA - SHA256 - G2
GlobalSign Root CA
Above, the subject names are used as the certificate names. Because two levels of Alibaba Cloud's chain have the same issuer (the intermediate and the root are both issued by GlobalSign Root CA), issuer-based names would collide, so the subject names, which are unique, are used as the certificate names when importing into the database
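Added example (not code from the original note): a Python script that parses the `openssl pkcs7 -print_certs -noout` output shown above, checks that each certificate's issuer is the next certificate's subject and that the chain ends in a self-signed root, and compares issuer-based naming with subject-based naming. The sample text is the note's own output, embedded as a constant.

```python
"""Parse `openssl pkcs7 -print_certs -noout` output, check chain linkage,
and derive per-certificate names from subject or issuer CN."""
import re

# Sample input: the -print_certs output shown earlier in this note.
PRINT_CERTS_OUTPUT = """\
subject=C = CN, ST = ZheJiang, L = HangZhou, O = "Alibaba (China) Technology Co., Ltd.", CN = mail.aliyun.com
issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
subject=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
issuer=C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
subject=C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
issuer=C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
"""


def parse_chain(text):
    """Return a list of (subject, issuer) DN strings, one pair per certificate."""
    subjects = re.findall(r"^subject=(.*)$", text, re.M)
    issuers = re.findall(r"^issuer=(.*)$", text, re.M)
    if len(subjects) != len(issuers):
        raise ValueError("unpaired subject/issuer lines")
    return list(zip(subjects, issuers))


def common_name(dn):
    """Extract the CN attribute. Same idea as the note's `sed 's,.*=,,'`,
    but keyed on the attribute name rather than on the last '=' in the line."""
    m = re.search(r"(?:^|, )CN = (.*)$", dn)
    if m is None:
        raise ValueError(f"no CN in {dn!r}")
    return m.group(1)


def check_linkage(chain):
    """Each certificate's issuer must equal the next certificate's subject,
    and the last certificate must be self-signed (subject == issuer)."""
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return False
    return bool(chain) and chain[-1][0] == chain[-1][1]


def names(chain, by="subject"):
    """Candidate file/database names for each certificate, by subject or issuer CN."""
    idx = 0 if by == "subject" else 1
    return [common_name(cert[idx]) for cert in chain]


def unique_names(chain, by="subject"):
    """True if naming by `by` gives every certificate a distinct name."""
    ns = names(chain, by)
    return len(ns) == len(set(ns))
```

Running `names(chain, "issuer")` on the sample gives "GlobalSign Root CA" twice, while `names(chain, "subject")` gives three distinct names, which is the collision the note describes.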