Self-signed certificate question

Posted 2024-07-14 15:10:17 · 541 characters · 9 views · 0 comments


I am doing self-signed certificates in my test environment. Here are more details about what I am doing.

http://www.hanselman.com/blog/SigningPowerShellScripts.aspx

My brief steps are (the purpose is to establish a certificate-based trust connection between computer C and computer A):

  1. Make computer A a root CA by using makecert.exe;
  2. Self-sign a certificate B which is issued by computer A as root CA;
  3. Install certificate B on computer A as the certificate used for communication;
  4. Install/trust the root CA (computer A) on computer C;
  5. Then computer C will trust computer A's communication using certificate B.

My confusion is: computer C trusts computer A without installing certificate B? I think both the root CA's certificate and the other party's certificate need to be installed. Any comments or ideas?

thanks in advance,
George


Comments (3)

情仇皆在手 2024-07-21 15:10:17


You have step 2 incorrect, semantically at least. If you are generating a certificate signed by a CA, then it is not self-signed at all; it's signed by the CA.

So on machine C you only need to put your generated CA certificate in the trusted CA store. By doing this you are saying you trust anything it has signed, in your case certificate B.

However, you say you're using this for communication. Be aware that if you use something like WCF, which will check for revocation, you will need to turn this off, as your generated CA won't support this.

悲念泪 2024-07-21 15:10:17


Computer C must trust the root CA (on Computer A). Then, any certificates presented from another computer (say, Computer D) issued by the same root CA will be automatically trusted.

For instance, in Windows, you (by default) already have and trust the root CA certificate for Verisign. When you navigate to an HTTPS site that uses a Verisign certificate, you will automatically trust it, since you trust Verisign and Verisign issued the cert to the HTTPS site.

IOW, you only need to trust the CA and install its cert.
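The chain check behind the question's steps 1 to 5 and the two answers above, worked through as an added example that is not from the original post or the answerers. It uses Go's standard crypto/x509 in place of makecert.exe and the Windows certificate store: a self-signed CA certificate stands in for root CA A, certificate B is issued by that CA, and a verifier whose trust store holds only the root plays computer C. The names "Computer A Root CA", "computer-a.test", "computer-d.test" and "standalone.test" are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert generates a fresh P-256 key and a certificate for tmpl. With parent
// == nil the certificate is self-signed; otherwise parentKey signs it.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil { // self-signed: the certificate's own key signs it
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate describes a root CA: CA flag set and allowed to sign certificates.
func caTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// leafTemplate describes an end-entity (server) certificate for host.
func leafTemplate(host string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// trustedBy plays computer C: only the given roots are "installed", and the
// question is whether leaf chains to one of them. An empty, non-nil pool is
// used on purpose so that the OS trust store is never consulted.
func trustedBy(leaf *x509.Certificate, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   leaf.Subject.CommonName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// Outcome records what computer C decides in each configuration.
type Outcome struct {
	BWithRootA       bool // C has only root A installed; B was issued by A
	BWithNothing     bool // C has no trust anchor at all
	DWithRootA       bool // another cert issued by A, presented by computer D
	SelfSignedNoRoot bool // a genuinely self-signed cert while C trusts only A
	SelfSignedPinned bool // the same self-signed cert installed on C itself
}

// RunScenario builds the CA and the leaf certificates and runs every check.
func RunScenario() (Outcome, error) {
	var o Outcome
	rootA, rootKey, err := newCert(caTemplate("Computer A Root CA"), nil, nil) // step 1
	if err != nil {
		return o, err
	}
	certB, _, err := newCert(leafTemplate("computer-a.test", 2), rootA, rootKey) // step 2: issued by A, not self-signed
	if err != nil {
		return o, err
	}
	certD, _, err := newCert(leafTemplate("computer-d.test", 3), rootA, rootKey) // a second cert from the same CA
	if err != nil {
		return o, err
	}
	standalone, _, err := newCert(leafTemplate("standalone.test", 4), nil, nil) // truly self-signed, unrelated to A
	if err != nil {
		return o, err
	}
	o.BWithRootA = trustedBy(certB, rootA)            // steps 4-5: root only, B never installed on C
	o.BWithNothing = trustedBy(certB)                 // no anchor: unknown authority
	o.DWithRootA = trustedBy(certD, rootA)            // same CA, different machine
	o.SelfSignedNoRoot = trustedBy(standalone, rootA) // not issued by A: rejected
	o.SelfSignedPinned = trustedBy(standalone, standalone)
	return o, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Only BWithRootA, DWithRootA and SelfSignedPinned come out true: certificate B is accepted on C because it chains to the installed root, not because B itself was installed, while a certificate that really is self-signed is accepted only when that certificate is what C has installed. Revocation, the WCF point from the first answer, is not modelled here; Go's Verify does not consult CRLs or OCSP at all.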

悲歌长辞 2024-07-21 15:10:17


Computer A doesn't actually become a "root CA". You need to create a root certificate, and then install it on the target computer.

It's not quite as simple as installing the root certificate on the target computer as different applications may use different certificate stores. For example, you need to install root certificates into both Firefox and Explorer.

You can then create "child" certificates - signed by the root certificate - and the target system will accept the child certificate as valid, because it has been signed by the trusted root certificate.

A certificate is just a way of validating someone's public key. The certificate contains both your public key in plain text and your public key encrypted by the private key of the signer. To validate the public key published in the certificate, you decrypt the encrypted version of the public key, using the public key of the signer, and check that it's the same as the plain-text version of the public key.

In a self-signed certificate, you encrypt your public key with your private key. So a self-signed certificate is also a root certificate, because there is no higher signing authority in the chain.

Intermediate certificates can also be used to sign other certificates. In this way certificates can be used to build a "chain of trust" back to some (at least theoretically) trusted root certificate.

Bruce Schneier has a reasonable description of this in his book "Applied Cryptography". And Peter Gutmann has a more colourful description of certificates at this linky:

http://www.cs.auckland.ac.nz/~pgut001/pubs/pkitutorial.pdf
