46.6. Certificate verification
You can view the certificate data by running:
# openssl x509 -in /var/lib/samba/private/tls/myCert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
32:9d:8f:2f:95:46:59:8d:9d:56:1c:da:14:b1:03:0c:82:ed:96:d0
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = RU, CN = dc1.test.alt
Validity
Not Before: Jan 8 16:24:09 2025 GMT
Not After : Jan 8 16:24:09 2026 GMT
Subject: C = RU, CN = dc1.test.alt
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
.....{.....}.....
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
45:2E:E1:87:EE:54:77:E1:88:86:C6:48:DB:99:E6:EA:36:CA:D5:79
X509v3 Authority Key Identifier:
keyid:45:2E:E1:87:EE:54:77:E1:88:86:C6:48:DB:99:E6:EA:36:CA:D5:79
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
.....{.....}.....
Local certificate verification:
# openssl verify /var/lib/samba/private/tls/myCert.pem
C = RU, CN = dc1.test.alt
error 18 at 0 depth lookup: self signed certificate
OK
If a CA file is specified in smb.conf, use the following command instead (the -CAfile option must precede the certificate path):
# openssl verify -CAfile /path/to/ca-file.pem /var/lib/samba/private/tls/myCert.pem
Remote certificate verification (over TCP):
# openssl s_client -showcerts -connect dc1.test.alt:636
CONNECTED(00000003)
depth=0 C = RU, CN = dc1.test.alt
verify error:num=18:self signed certificate
verify return:1
depth=0 C = RU, CN = dc1.test.alt
verify return:1
---
Certificate chain
0 s:C = RU, CN = dc1.test.alt
i:C = RU, CN = dc1.test.alt
-----BEGIN CERTIFICATE-----
.....{.....}.....
-----END CERTIFICATE-----
---
Server certificate
subject=C = RU, CN = dc1.test.alt
issuer=C = RU, CN = dc1.test.alt
---
No client certificate CA names sent
Requested Signature Algorithms: RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:Ed448:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:Ed448:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1437 bytes and written 424 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
To exit s_client, press [Ctrl]+[C].
If a CA file is specified in smb.conf, use the following command instead:
# openssl s_client -showcerts -connect localhost:636 -CAfile /path/to/ca-file.pem
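The manual checks above (subject/issuer, validity period, chain verification against the CA named in smb.conf) as small shell functions that return exit codes, so the same verification can be scripted or fed to monitoring. This is an added example and not part of the original documentation; it assumes only the openssl CLI (1.1.1 or newer) and the certificate and CA paths passed as arguments. Note that "error 18 / self signed certificate" in the output above is expected for a self-signed certificate and goes away once the CA file is supplied.

```shell
#!/bin/sh
# Added example (not from the original page): scripted equivalents of the
# openssl x509 / openssl verify / openssl s_client checks shown above.
# Assumes the openssl CLI 1.1.1+ and certificate/CA paths given by the caller.

# Print the subject Common Name (RFC 2253 form puts it in a single cut-able field).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed when subject equals issuer: the "error 18 / self signed" case from the page.
cert_is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject | cut -d= -f2-)" = \
      "$(openssl x509 -in "$1" -noout -issuer  | cut -d= -f2-)" ]
}

# Succeed when the certificate is still valid $2 days from now (Not After check).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeed when $2 is listed as a DNS name in subjectAltName. TLS clients match the
# host name against SAN entries and consult the CN only when no SAN is present.
cert_has_dns_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName |
        grep -Eq "DNS:$2(,|\$)"
}

# Chain verification; pass the CA file named in smb.conf as the optional 2nd argument.
cert_verify() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}

# Fetch the leaf certificate the server presents on $1:$2 (default 636, LDAPS),
# the same data "openssl s_client -showcerts" prints, so it can be fed to the
# functions above (needs network access, so it is not exercised offline).
fetch_server_cert() {
    openssl s_client -connect "$1:${2:-636}" -servername "$1" </dev/null 2>/dev/null |
        sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p'
}
```

Example use: `fetch_server_cert dc1.test.alt > live.pem && cert_verify live.pem /path/to/ca-file.pem && cert_valid_for_days live.pem 30`.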