ssl

Last updated: 2022-10-28



Public Key Infrastructure (PKI) System

 

 


Domain Validated (DV) Certificate: verifies your ownership of the domain

 * Certificates are typically verified and issued through automated processes.
 * Organization checks are eliminated.
 * No identifying information appears in the organization name field.

Purpose:

 * transaction encryption

Organization Validated (OV) Certificate: proves that you own the domain and that your organization is legitimate.

This is reassuring to your site visitors, as a fraudulent website would never pass these checks.

Certification Authorities (CA) issuing these certificates check with third parties to establish the official name of the organization and where they are located.

The CA takes further steps to contact the requesting organization to confirm that they did, indeed, request the certificate and that the requester is authorized to receive the certificate on behalf of the organization.

Purpose:

The end-user can use the certificate to verify that they are sending their transaction data to the intended recipient.

The subject contains:

O = Bank of China (Hong Kong) Ltd
STREET = 52/F Bank of China Twr, 1 Garden Rd, CENTRAL DISTRICT
...

Extended Validated (EV) SSL

Offers the highest level of assurance to your customers: EV SSL applicants must pass an extensive vetting process.

 * Green in the address bar (green bar or issuance name, see below)

 * Ownership information is displayed

 


Info

 

C = HK
L = Hong Kong
S = Hong Kong
PostalCode = 0000

 


Combine various certificates into a single .pem

 

Certificate_list

This is a sequence (chain) of X.509v3 certificates. The sender's certificate must come first in the list. Each following certificate must directly certify the one preceding it.

Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority may optionally be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case.

Format (order):

Cert
Chain

 


Subject Alternative Names (SAN)

 

~ Multi-Domain Certificates

Background

The Subject Alternative Name extension was a part of the X.509 certificate standard before 1999, but it wasn't until the launch of Microsoft Exchange Server 2007 that it was commonly used; this change makes good use of Subject Alternative Names by simplifying server configurations.

Now Subject Alternative Names are widely used for environments or platforms that need to secure multiple sites (names) across different domains/subdomains.

 


Cross-signed Intermediate Certificates

 

Our intermediate is signed by ISRG Root X1. However, since we are a very new certificate authority, ISRG Root X1 is not yet trusted in most browsers. In order to be broadly trusted right away, our intermediate is also cross-signed by another certificate authority, IdenTrust, whose root is already trusted in all major browsers. Specifically, IdenTrust has cross-signed our intermediate using their DST Root CA X3.

That means there are two certificates available that both represent our intermediate. One is signed by DST Root CA X3, and the other is signed by ISRG Root X1. The easiest way to distinguish the two is by looking at their Issuer field.

It's not possible for an X.509 certificate (the type used by OpenSSL) to have more than one signature. However, you can issue multiple certificates that will do the same job.

Checking (openssl x509 reads only the first certificate in chain.pem):

openssl x509 -in chain.pem -noout -text | grep "CA Issuers"

 


CSR (certificate signing request)

 

Format

PKCS#10: binary format for encoding CSRs for use with X.509. It is expressed in ASN.1.

Usual storage format: Base64-encoded PKCS#10

-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

CSR contains

  • information identifying the applicant (DN)
  • public key

DN(Distinguished Names)

  • CN     Common Name
  • O     Organization Name
  • OU     Organizational Unit
  • L     Locality
  • ST     State
  • C     Country
  • EMAIL     Email Address

Signing process

Applicants must first generate a key pair (private & public key)

 * both the key pair and CSR must be created on the server

 

  private key(certificate authority)
              |
              | sign
              |
CSR ---> public key ---> certificate
   extract

 


CA bundle

 

A file that contains root and intermediate certificates.

The CA bundle should be in a particular order:

cat-bundle.pem structure

ca-bundle.pem structure
Certificate   level above
CA   level below
CA

cat inter1.txt inter2.txt cat.txt > cat-bundle.pem

more info: cat