Is it possible to create an SSL certificate from a PGP public/private key?

Posted on 2024-09-30 03:11:27


Comments (2)

ゝ偶尔ゞ 2024-10-07 03:11:27

If the key format in your PGP key is supported in the X.509 format too, it's possible. RSA is one of them.

Here is a Java implementation that turns a PGP certificate into a self-signed X.509 certificate, using BouncyCastle (you'll need to load the BouncyCastle security provider before loading it).

Note that what most people call a PGP public key is in fact a PGP certificate. The public key itself is the RSA key (or other format) which is contained within those certificates. Hence it's possible to take the key material and use it in the other.
However, by doing so, you lose the information that makes the PGP certificate a certificate: the binding of the key to an identity and the signatures added by others (following the PGP model).

You could potentially put the extra information of the PGP certificate into your own extension in the X.509 certificate perhaps.

Whether it makes sense to do so probably depends on what you want to achieve. Re-using the same key material more or less implies that "you" (ID behind the PGP certificate) and your webserver become one and the same, since if one private key is compromised, so is the other (Apache Httpd, for example, requires the private key not to be password-protected when it's stored on the server, although it would often only be accessible by the root user).
In addition, this probably won't be much help to your visitors who're going to visit the website, unless they want to dig within the "unknown certificate" warning box to check that the public key matches yours (which they may know).
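
An added example, not part of the original answer or of the Java implementation it mentions: it shows what re-using "the key material" means at the byte level. It parses a v4 RSA public-key packet (RFC 4880), re-encodes (n, e) as an X.509 SubjectPublicKeyInfo, and hashes it so the value can be compared with the SPKI hash of a server certificate. `SAMPLE_PACKET` is a constructed toy key, and all function names are this example's own.

```python
import hashlib

RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption OID + NULL
# Constructed sample: old-format tag-6 packet, v4, RSA, 64-bit toy modulus, e = 65537.
SAMPLE_PACKET = bytes.fromhex("990015040000000001" "0040d1e7a9c3b5f10297" "0011010001")

def der(tag, body):                      # one DER TLV with a definite length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def der_int(v):                          # minimal length; 0x00 prefix if top bit is set
    return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def read_mpi(buf, off):                  # OpenPGP MPI: 2-byte bit count, then the value
    end = off + 2 + (int.from_bytes(buf[off:off + 2], "big") + 7) // 8
    if off + 2 > len(buf) or end > len(buf):
        raise ValueError("truncated MPI")
    return int.from_bytes(buf[off + 2:end], "big"), end

def pgp_rsa_public(packet):              # (n, e) from a v4 RSA public (sub)key packet
    if len(packet) < 6 or not packet[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    hdr, first = packet[0], packet[1]
    if hdr & 0x40 and first < 192:               # new format, 1-octet length
        tag, length, off = hdr & 0x3F, first, 2
    elif hdr & 0x40 and first < 224:             # new format, 2-octet length
        tag, length, off = hdr & 0x3F, ((first - 192) << 8) + packet[2] + 192, 3
    elif hdr & 0x40 and first == 255:            # new format, 4-octet length
        tag, length, off = hdr & 0x3F, int.from_bytes(packet[2:6], "big"), 6
    elif not hdr & 0x40 and (hdr & 3) != 3:      # old format, 1/2/4-octet length
        ln = 1 << (hdr & 3)
        tag, length, off = (hdr >> 2) & 0x0F, int.from_bytes(packet[1:1 + ln], "big"), 1 + ln
    else:
        raise ValueError("partial or indeterminate length")
    body = packet[off:off + length]
    # Tags 6 and 14 are public key and public subkey; algorithms 1-3 are RSA.
    if tag not in (6, 14) or len(body) < 6 or body[0] != 4 or body[5] not in (1, 2, 3):
        raise ValueError("not a v4 RSA public key packet")
    n, pos = read_mpi(body, 6)           # body[1:5] is the creation time, not key material
    return n, read_mpi(body, pos)[0]

def spki_der(n, e):                      # X.509 SubjectPublicKeyInfo for the same (n, e)
    rsa_key = der(0x30, der_int(n) + der_int(e))
    return der(0x30, RSA_ALG_ID + der(0x03, b"\x00" + rsa_key))

def spki_sha256(n, e):                   # compare with the SPKI hash of the TLS certificate
    return hashlib.sha256(spki_der(n, e)).hexdigest()
```

Only the numbers n and e cross over; the user IDs and third-party signatures in the PGP certificate have no counterpart in the resulting structure, which is the loss the answer describes.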

煮茶煮酒煮时光 2024-10-07 03:11:27

Check out the MonkeySphere project:
http://web.monkeysphere.info/

Instructions for how to generate your SSL cert:
http://web.monkeysphere.info/doc/host-keys/

And it has a Firefox extension, so your friends can verify it through your PGP key.
