如何链接 SSL 证书
有没有什么方法可以将我们自己生成的密钥对与已链接到根 CA(例如:verisign)的现有证书链接起来?基本上我的问题如下图所示
Verisign Root CA
|
--> Company XYZ certificate
|
---> Server foo certificate
一旦我为服务器 foo 生成了密钥对,如何将其与公司 XYZ 证书链接起来?
Is there any way we can chain our own generated key pair with an existing certificate which has been chained to a root CA (eg: verisign)? Basically my question is described in diagram below
Verisign Root CA
|
--> Company XYZ certificate
|
---> Server foo certificate
Once i've generated key pair for server foo, how do I chain it with Company XYZ cert?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
如果 XYZ 公司拥有中级证书颁发机构证书,那么您就可以。此类证书由根 CA 授权颁发新证书,这一事实在创建时由特定属性(基本约束、密钥用法、增强密钥用法)确定。
但如果 XYZ 公司拥有常规证书,例如用于识别网站、电子邮件用户或软件开发人员,则这是不可能的。即使在实践中没有什么可以阻止您创建一个新证书并用另一个证书对其进行签名(如果您有它的私钥),我认为您不会获得有效的证书。
因此,如果您拥有正确类型的证书,则必须用它来签署 foo。您可以使用 makecert 或 打开 ssl 用于创建新的X509 证书。例如:
makecert -pe -n "CN=foo" -a sha1 -sky Exchange -eku 1.3.6.1.5.5.7.3.1 -in "Company XYZ" -is my -ir LocalMachine -sp "Microsoft RSA SChannel 加密提供程序" -sy 12 -ss my -sr LocalMachine
您需要将公司 XYZ 的证书安装在 Windows 证书存储的本地计算机/个人位置。生成的证书将添加到同一位置,您将能够以各种格式(.pfx、.cer、.p7b)从那里导出它。这还会为新证书创建密钥对。
If Company XYZ has an Intermediate Certificate Authority certificate then you can. This kind of certificates are authorized by the root CA to issue new certificates and this fact is determined at creation time by specific properties (Basic Constraints, Key Usage, Enhanced Key Usage).
But if Company XYZ has a regular certificate, used for example to identify websites, email users or software developers, it is not possible. Even thought in practice nothing stops you from creating a new certificate and signing it with another one (if you have it's private key), I don't think that you will obtain a valid certificate.
So, if you have the right kind of certificate, you will have to sign foo with it. You can use makecert or open ssl for creating a new X509 Certificate. For example:
makecert -pe -n "CN=foo" -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "Company XYZ" -is my -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -ss my -sr LocalMachine
You will need to have the certificate for the Company XYZ installed in the Local Computer/Personal location in Windows Certificate Store. The resulting certificate will be added in the same place and you will be able to export it from there in various formats (.pfx, .cer, .p7b). Also this creates the keypair for the new certificate.
如果您拥有两个证书,请尝试连接证书文件。如果没有,请修改您的问题,以便我们了解您在此过程中的进度。
如果您在 Apache 服务器上进行设置,请查看 mod_ssl 的 SSLCertificateChainFile< /a> 指令。
If you have both certificates, try concatenating the certificate files. If not, please revise your question so we know where you are in the process.
If you're setting it up on an Apache server, look at mod_ssl's SSLCertificateChainFile directive.