Last updated: 2022-10-28


Public Key Infrastructure (PKI) System



Domain Validated (DV) Certificate: verifies your ownership of the domain.

Certificates are typically verified and issued through automated processes.
Organization checks are eliminated.
No identifying information appears in the organization name field.


 * transaction encryption

Organization Validated (OV) Certificate: proves that you own the domain and that your organization is legitimate.

This is reassuring to your site visitors, as a fraudulent website would never pass these checks.

Certification Authorities (CA) issuing these certificates check with third parties to establish the official name of the organization and where they are located.

The CA takes further steps to contact the requesting organization to confirm that they did, indeed, request the certificate and that the requester is authorized to receive the certificate on behalf of the organization.


The end-user can use the certificate to verify that they are sending their transaction data to the intended recipient.


O = Bank of China (Hong Kong) Ltd
STREET = 52/F Bank of China Twr, 1 Garden Rd, CENTRAL DISTRICT

Extended Validated (EV) SSL

Offers the highest level of assurance to your customers. EV SSL applicants must pass an extensive vetting process.

 * Green in the address bar (green bar or issuance name, see below)

 * ownership info to show up




C = HK

L = Hong Kong

S = Hong Kong

PostalCode = 0000


Combine various certificates into a single .pem



This is a sequence (chain) of X.509v3 certificates. 

The sender's certificate must come first in the list.

Each following certificate must directly certify the one preceding it. 

Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority may optionally be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case.




Subject Alternative Names (SAN)


~ Multi-Domain Certificates


The Subject Alternative Name extension was a part of the X.509 certificate standard before 1999, but it wasn't until the launch of Microsoft Exchange Server 2007 that it was commonly used; this change makes good use of Subject Alternative Names by simplifying server configurations.

Now Subject Alternative Names are widely used for environments or platforms that need to secure multiple sites (names) across different domains/subdomains.


Cross-signed Intermediate Certificates


Our intermediate is signed by ISRG Root X1. However, since we are a very new certificate authority, ISRG Root X1 is not yet trusted in most browsers. In order to be broadly trusted right away, our intermediate is also cross-signed by another certificate authority, IdenTrust, whose root is already trusted in all major browsers. Specifically, IdenTrust has cross-signed our intermediate using their DST Root CA X3.

That means there are two certificates available that both represent our intermediate. One is signed by DST Root CA X3, and the other is signed by ISRG Root X1. The easiest way to distinguish the two is by looking at their Issuer field.

It's not possible for an X.509 certificate (the type used by OpenSSL) to have more than one signature.

However, you can issue multiple certificates that will do the same job.


openssl x509 -in chain.pem -noout -text | grep "CA Issuers"


CSR (certificate signing request)



PKCS#10: binary format for encoding CSRs for use with X.509. It is expressed in ASN.1.

Usual storage format: Base64-encoded PKCS#10


CSR contains

  • information identifying the applicant (DN)
  • public key

DN(Distinguished Names)

  • CN     Common Name
  • O     Organization Name
  • OU     Organizational Unit
  • L     Locality
  • ST     State
  • C     Country
  • EMAIL     Email Address

Signing process

Applicants must first generate a key pair (private & public key)

 * both the key pair and CSR must be created on the server


  private key(certificate authority)
              | sign
CSR ---> public key ---> certificate


CA bundle


A file that contains root and intermediate certificates.

The CA bundle should be in a particular order:

ca-bundle.pem structure
Certificate (upper level)
CA (lower level)

cat inter1.txt inter2.txt cat.txt > cat-bundle.pem

more info: cat
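
An added example (not part of the original notes): a standard-library Python check of the ordering rule described above for a certificate chain and for a CA bundle, where the issuer of each certificate must match the subject of the one that follows it. It compares names only and does not verify signatures; the function names and the `chain.pem` argument are assumptions of this example.

```python
import base64
import re
import sys

# Added example: all names here are this example's own, not from any project.
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER-encoded issuer and subject Names of one certificate."""
    _, pos, _ = read_tlv(der, 0)           # Certificate ::= SEQUENCE
    _, pos, _ = read_tlv(der, pos)         # tbsCertificate ::= SEQUENCE
    tag, _, end = read_tlv(der, pos)       # [0] version, or serialNumber in v1
    if tag == 0xA0:
        _, _, end = read_tlv(der, end)     # serialNumber follows the version
    _, _, pos = read_tlv(der, end)         # skip signature AlgorithmIdentifier
    _, _, end = read_tlv(der, pos)         # issuer Name
    issuer = der[pos:end]
    _, _, pos = read_tlv(der, end)         # skip validity
    _, _, end = read_tlv(der, pos)         # subject Name
    return issuer, der[pos:end]

def check_chain_order(pem_text):
    """Return a list of ordering problems; an empty list means the order is valid."""
    # Simplification: names are compared byte for byte, signatures are not checked.
    names = [issuer_and_subject(base64.b64decode(b)) for b in PEM_CERT.findall(pem_text)]
    if not names:
        return ["no certificates found"]
    problems = []
    if len(names) > 1 and names[0][0] == names[0][1]:
        problems.append("certificate 0 is self-signed: a root comes first")
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:  # issuer of i must be subject of i+1
            problems.append(f"certificate {i + 1} does not certify certificate {i}")
    return problems

if __name__ == "__main__":                  # usage: python check_chain.py chain.pem
    with open(sys.argv[1]) as fh:
        found = check_chain_order(fh.read())
    print("\n".join(found) or "chain order OK")
    sys.exit(1 if found else 0)
```

A chain that omits the self-signed root still passes, matching the note above that the root may be left out.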