最後更新: 2022-10-28
目錄
Public Key Infrastructure (PKI) System
Domain Validated (DV) Certificate: verifies your ownership of the domain
certificates are typically verified and issued through automated processes.
organization checks are eliminated
no identifying information in the organization name field.
作用:
* transaction encryption
Organization Validated (OV) Certificate: proves that you own the domain and that your organization is legitimate.
This is reassuring to your site visitors, as a fraudulent website would never pass these checks.
Certification Authorities (CA) issuing these certificates check with third parties to establish the official name of the organization and where they are located.
The CA takes further steps to contact the requesting organization to confirm that they did,
indeed, request the certificate and that the requester is authorized to receive the certificate on behalf of the organization.
作用:
The end-user can use the certificate to verify that they are sending their transaction data to the intended recipient.
主體有:
O = Bank of China (Hong Kong) Ltd STREET = 52/F Bank of China Twr, 1 Garden Rd, CENTRAL DISTRICT ...
Extended Validated (EV) SSL
offers the highest level of assurance(保證) to your customers – EV SSL applicants(申請人) must pass an extensive vetting(審批) process.
* Green in the address bar (green bar or issuance name, see below)
* ownership info to show up
Info
C = HK
L = Hong Kong
S = Hong Kong
PostalCode = 0000
Combine various certificates into single .pem
Certificate_list
This is a sequence (chain) of X.509v3 certificates.
The sender's certificate must come first in the list.
Each following certificate must directly certify the one preceding it.
Because certificate validation requires that root keys be distributed independently,
the self-signed certificate that specifies the root certificate authority may optionally be omitted from the chain,
under the assumption that the remote end must already possess it in order to validate it in any case.
Format(次序):
Cert Chain
Subject Alternative Names (SAN)
~ Multi-Domain Certificates
Background
The Subject Alternative Name extension was a part of the X509 certificate standard before 1999,
but it wasn't until the launch of Microsoft Exchange Server 2007 that it was commonly used;
this change makes good use of Subject Alternative Names by simplifying server configurations.
Now Subject Alternative Names are widely used for environments or
platforms that need to secure multiple sites (names) across different domains/subdomains.
Cross-signed Intermediate Certificates
Our intermediate is signed by ISRG Root X1. However, since we are a very new certificate authority, ISRG Root X1 is not yet trusted in most browsers. In order to be broadly trusted right away, our intermediate is also cross-signed by another certificate authority, IdenTrust, whose root is already trusted in all major browsers. Specifically, IdenTrust has cross-signed our intermediate using their DST Root CA X3.
That means there are two certificates available that both represent our intermediate. One is signed by DST Root CA X3, and the other is signed by ISRG Root X1. The easiest way to distinguish the two is by looking at their Issuer field.
it's not possible for an X.509 certificate (the type used by OpenSSL) to have more than one signature.
However, you can issue multiple certificates that will do the same job.
Checking
openssl x509 -in chain.pem -noout -text | grep "CA Issuers"
CSR (certificate signing request)
Format
PKCS#10: binary format for encoding CSRs for use with X.509. It is expressed in ASN.1.
一般存放 format: Base64 encoded PKCS#10
-----BEGIN CERTIFICATE REQUEST----- ... -----END CERTIFICATE REQUEST-----
CSR contains
- - information identifying the applicant (DN)
- - public key
DN(Distinguished Names)
- CN Common Name
- O Organization Name
- OU Organizational Unit
- L Locality
- ST State
- C Country
- EMAIL Email Address
Sign 的過程
Applicants must first generate a key pair (private & public key)
* both the key pair and CSR must be created on the server
private key(certificate authority) | | sign | CSR ---> public key ---> certificate extract
CA bundle
A file that contains root and intermediate certificates.
CA bundle should be in a particular order,
cat-bundle.pem 結構
ca-bundle.pem 結構 Certificate 上一層 CA 下一層 CA
cat inter1.txt inter2.txt cat.txt > cat-bundle.pem
more info: cat