PKI-认证机构
就编程语言、数据库、openssl等而言,实施CA的最佳技术是什么
What are the best technology for the implementation of CA with respect to programming language ,database ,openssl etc
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
这个问题相当广泛。我发现 PKI 的管理部分比技术部分更复杂。
设置基本 CA 时不需要做太多事情:保持私钥安全(一如既往)、接收证书请求、以某种方式验证请求者的身份、颁发证书并将其存储在某个地方(您可以在顶部实现撤销机制)的这个)。我稍微简化了图片,但这大致是整个过程,您可以使用现有库以多种语言实现它,没有太大困难。在 Java 中使用 BouncyCastle 是可行的,但我确信其他工具也可以,例如 OpenSSL 与 Perl。并非所有语言都会公开整个 OpenSSL API(如果它们在幕后使用它),并且拥有一个可以读取和写入 ASN.1 结构的库会很方便(特别是如果您想要特定扩展)。对于存储,将其与目录结构(例如,某些基于 LDAP 的系统)结合起来可能会很有用,但这可能取决于您在用户管理系统方面已有的内容。
另一方面要考虑用户请求证书的简单性。对于必须请求/使用证书但没有时间了解其全部内容的用户来说,这可能会很痛苦。浏览器内密钥生成可以很方便,而不是让它们生成 CSR(或多或少手动)。对于浏览器内生成,它是使用
另一件需要考虑的事情是您在申请时验证用户身份的系统。如果它相对较小,则没什么可做的,但如果它是一个更广泛的结构,您可能需要当地代表和各种服务,使他们能够将这些断言传达给将要颁发证书的人。
您在这里需要的大部分内容取决于您所需的保证级别。
您可能对 OpenCA 感兴趣。
The question is quite broad. I find the administrative part is more complex than the technological part when it comes to PKIs.
There's not so much to do when setting up a basic CA: keep the private key safe (as always), receive certificate requests, verify the identity of the requester somehow, issue the certificate and store it somewhere (you can implement revocation mechanisms on top of this). I'm simplifying the picture slightly, but that's roughly the whole process, and you can implement that in a number of languages with existing libraries without much difficulty. Using BouncyCastle in Java works, but I'm sure other tools work too, for example OpenSSL with Perl. Not all languages expose the whole OpenSSL API (if they use it under the hood), and it can be handy to have a library that can read and write ASN.1 structures (especially if you want specific extensions). For storage, it may be useful to combine this with a directory structure (for example, some LDAP based system), but this may depend on what you already have in terms of user-management system.
The other aspect to take into account how simple it has to be for the users to request a certificate. This can be painful for users who have to request/use a certificate but don't have time to learn what it's all about. In-browser key-generation can be handy, instead of making them generate a CSR (more or less by hand). For in-browser generation, it's a combination of using
<keygen>(the form element introduced by Netscape for this - works on Firefox and Opera for example), ActiveX (for MSIE) or the Mozilla Javascript extensions. Instead of ActiveX, you could also have a standalone "wizard" that's a full application (it will have more permissions to do some certificate related operations, as otherwise, what's available through JScript/ActiveX from within MSIE is limited and depends on various security settings.)The other thing to take into account is the system whereby you verify the user's identity upon application. If it's relatively small, there's not much to do, but if it's a wider structure, you may need local representatives and various services that allow them to communicate those assertions by to the people who're going to issue the certificates.
Most of what you need here will depend on the level of assurances you require.
You might be interested in OpenCA.