我需要什么 SSL 证书?
我正在开发将使用 clickonce 进行部署的软件(在网站 foo.com 上),然后将使用带有加密传输的 WCF 连接到我的服务器
所以我需要一个 SSL 证书,它将:
- 识别我的 foo.com 网站有确实是我的网站
- 识别我使用 clickonce 部署的 exe 是否为正版
- 识别我的应用程序服务器确实是我的应用程序服务器。
我还希望我的 SSL 证书由公众所知的权威机构签名(即,firefox 或 windows 不会要求用户先安装该机构的证书!)
您会购买什么 SSL 证书?
我浏览过 Verisign 网站,“Secure Site EV”证书每年费用为 1150 欧元(“Pro”版本似乎仅用于与旧浏览器兼容)
I'm developing software which will be deployed using clickonce (on the website foo.com), and which will then connect to my server using WCF with an encrypted transport
So I need an SSL certificate which will :
- Identify my foo.com website has really being my website
- Identify the exe I deploy using clickonce as being genuine
- Identify my application server has really being my application server.
I also want my SSL certificate to be signed by an authority known to the public (ie, firefox or windows won't ask the user to install the authority's certificate first !)
What SSL certificate would you buy?
I've browsed the Verisign website, the "Secure Site EV" certificate costs 1150€ a year (the "Pro" version seems useful only for compatibility with older browsers)
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
听起来您正在寻找两种不同类型的证书:
1 - SSL 证书 - 用于网站/应用程序服务器的身份验证。
2 - 代码签名证书 - 用于验证您提供的 exe 的完整性/身份验证。
通常,这是两个不同的证书,具有两个不同的证书配置文件。 至少,您需要一个具有两种不同密钥用法或扩展密钥用法的证书。
一些想法(排名不分先后):
检查您的目标浏览器,它们每个都应该有一组预配置的根证书 - 这些是最广泛认可的公共证书源。 我可能会检查 Firefox 和 IE。 我所知道的大牌证书供应商有:Versign、GeoTrust、RSA、Thawte、Entrust。 但还有 GoDaddy 和许多其他公司。 提供的浏览器中作为受信任根证书提供的任何内容都将允许您连接到您的用户,而无需额外的 greif。
我建议谷歌搜索“代码签名证书”和“SSL 证书”。
您配置站点的方式将决定您的网站是否经过验证或您的身份验证服务器是否经过验证。 如果证书存储在应用程序服务器上,那么您的用户将在到达服务器的整个过程中获得 SSL 加密。 但许多网站将 SSL 证书放在更前面的位置 - 就像在防火墙上一样,然后在其后面放置一组应用程序服务器。 只要仔细配置网络,我就没有发现其中存在安全缺陷。 对于外部用户来说,这两种配置看起来是一样的 - 他们将获得浏览器的锁定和一个证书,告诉他们 www.foo.com 正在提供其凭据。
我看到 SSL 证书非常优惠:
- GoDaddy - 12.99 美元
- Register.com - $14.99
但它们不一定是代码签名证书。 例如,虽然 GoDaddy 的 SSL 证书价格为 12.99 美元,但他们的代码签名证书 为 199.99 美元! 这是许多证书供应商商业模式的一部分 - 用廉价的 SSL 证书引诱您,并让您支付代码签名费用。 可以说代码签名证书的责任相对较高。 而且……他们还必须以某种方式补贴廉价的 SSL 证书。
从理论上讲,应该可以制作一个同时进行代码签名和 SSL 的证书,但我不确定您是否想要这样做。 如果发生什么事情,最好能够隔离这两个功能。 另外,我很确定您必须打电话给证书供应商并询问他们是否这样做了,如果他们没有这样做,那么让他们这样做可能会将价格推得相当高。
就供应商而言,需要考虑的事项:
最后一点 - 如果您深入研究世界各地的威瑞信 - 非常昂贵的证书 - 您可能会看到其价值。 他们拥有庞大的基础设施,并且非常重视 CA 的安全性。 我不太确定超便宜的托管服务。 也就是说,如果您的风险较低,与 12.99 美元相比,300 美元的 SSL 证书并没有多大意义!
It sounds like you're looking for two different types of certificates:
1 - SSL Certificate - for authentication of your website/application server.
2 - Code Signing Certificate - for integrity/authentication of the exe you deliver.
Typically those are two different certificates, with two different certificate profiles. At the very least, you need one certificate with two different key usages or extended key usages.
A few thoughts in no specific order:
Check your targeted browsers, they should each have a set of preconfigured root certificates - those are the most widely recognized public certificate sources. I'd probably check both Firefox and IE. Certificate vendors known to me as big names are - Versign, GeoTrust, RSA, Thawte, Entrust. But there's also GoDaddy and many others. Anything that comes in the delivered browser as a Trusted Root Certificate, will allow you to connect to your users without additional greif.
I suggest Googling for both "code signing certificate" and "SSL certificate".
How you configure your site will determine whether or not your website is validated or your authentication server is validated. If the certificate is stored on the apps server, then your user is getting SSL encryption all the way to the server. But many sites put the SSL certificate a little farther forward - like on a firewall, and then stage a collection of apps servers behind it. I don't see a security flaw in that, so long as the networking is carefully configured. To the outside users, both configurations will look the same - they'll get the lock on their browsers and a certificate that tells them that www.foo.com is offering it's credentials.
I'm seeing pretty great deals for SSL Certificates:
- GoDaddy - $12.99
- Register.com - $14.99
But they aren't necessarily code signing certifiates. For example, while GoDaddy's SSL Cert is $12.99, their code signing certs are $199.99! That's part of many certificate vendors business models - lure you in with cheap SSL Certs, and make you pay for code signing. A case could be made that code signing certificates are relatively higher liability. But also... they have to subsidize the cheap SSL certs somehow.
Theoretically, it should be possible to make a certificate that does both code signing and SSL, but I'm not sure you want that. If something should happen, it would be nice to be able to isolate the two functions. Also, I'm pretty sure you'd have to call the certificate vendors and ask if they did this, and if they don't, having them do it will likely jack up the price quite high.
As far as vendor, things to consider:
On that last bullet - if you dig into the Verisigns of the world - the very expensive certs - you're likely to see the value. They have a massive infrastructure and take the security of their CAs very seriously. I'm not so sure about the super-cheap hosting services. That said, if your risk is low, US$300 for an SSL Cert doesn't make much sense compared to US$12.99!!
因此,对于网站/应用程序服务器,您需要 SSL 证书。 您不需要需要 EV 证书。 为此,我使用了 QuickSSL 的证书,因为与其他一些廉价证书提供商不同,它们不需要在服务器上安装中间证书 - 这对我来说不是一个人。
对于签署应用程序来说,这是一种完全不同类型的证书(在某种程度上,它仍然是 X509 证书,但您用于网站的证书不能用于签署应用程序)。 您需要来自 Verisign 或 Globalsign。 这些证书比普通的旧 SSL 证书贵得多,并且要求您是一家注册公司并提供这些文件。
So for web site / application servers you need an SSL certificate. You do not need an EV certificate. I've used ones from QuickSSL for this, as unlike some of the other cheap certificate providers they don't require the installation of an intermediate certificate on the server - that's a no-one for me.
For signing applications that's a different type of certificate altogether (kind of, it's still an X509 certificate, but the one you use for your web site is not one you can use to sign an application). You need an authenticode signing certificate from the likes of Verisign or Globalsign. These are a magnitude more expensive than a plain old SSL certificate and require you to be an incorporated company and produce those documents.