我可以使用根证书签署 ActiveX 控件吗?

发布于 2024-10-02 04:36:33 字数 398 浏览 6 评论 0原文

我有一个 ActiveX 控件,应该在第一次访问网页时安装。

我有使用 OpenSSL 创建的自签名证书及其子证书。问题是,如果我使用根证书签署 activeX 控件,Windows 在检查 activex 时无法验证它,即使它被安装为受信任的。

它写道,

“未遵守证书的基本扩展”

和“查看证书”中:

“证书无效,因为证书路径中的证书颁发机构之一似乎不允许颁发证书,或者此证书不能用作最终实体证书”。

如果我在根证书受信任时使用子证书进行签名,则 eberything 没问题。

我认为根证书只能签署与证书相关的内容,而不是文件等,但是想确定这一点。

I have an ActiveX control, which is supposed to be installed at the first visit of web-page.

I have self-signed certificate, created with OpenSSL, and its child. The problem is that if I sign an activeX control with root certificate, Windows can't validate it while checking activex, even if it is installed as trusted.

It writes, that

"A certificate's basic extension has not been observed"

and in "view certificate":

"The certificate is not valid because one of certification authorities in the certification path does not appear to be allowed to issue certificates or this certificate cannot be used as an end-entity certificate".

If I use child certificate for signing while root certificate is in trusted, eberything is fine.

I suppose that root certificate can only sign only certificate-related stuff, not files etc, however want to be sure about this.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

清浅ˋ旧时光 2024-10-09 04:36:33

我认为该错误消息试图告诉您的是,您为密钥生成的证书不包含正确的证书扩展。代码签名需要为代码签名生成的证书。其他类型的证书(例如为签名数据而生成的证书)受到 CA 的审查较少,因此提供代码签名所需的较低级别的安全性。

您自己的自签名根证书应设置为密钥签名,子证书应设置为代码签名。那么,只要您的根证书位于浏览器的受信任密钥存储中,您的 ActiveX 签名就应该没问题。一般来说,密钥签名证书应设置为密钥签名,代码签名证书应设置为代码签名,因此您不能将这些密钥用于任何其他目的。

该解决方案在组织内是可行的,您可以提前在每个用户的 PC 上安装根密钥。如果您想在公共互联网上的网页上使用 ActiveX 控件,您必须说服用户信任您的证书(即使他们可能没有充分的理由这样做),或者您必须购买代码签名证书来自其根证书已为常见浏览器所知的商业 CA 之一。

最后,我真的建议不要将 ActiveX 控件用于任何,因为它们只能在 Windows 上运行,而且只有在受信任的情况下才能运行。大多数有理智的人都会将浏览器的安全设置设置为拒绝它们。使用不同的技术(例如 Javascript)制作活动内容会更加成功

I think that what that error message is trying to tell you is that the certificate you have generated for your key does not contain the correct certificate extensions. Code-signing requires a certificate that has been generated for code-signing. Other types of certificate -- e.g. those that are generated for signing data -- are subject to less scrutiny by the CA, and so offer a lower level of security that is required for code-signing.

Your own self-signed root certificate should be set up for key-signing, and the child certificate should be set up for code signing. Then your ActiveX signature should be OK, so long as your root certificate is in the browser's trusted key store. Generally a key-signing certificate should be set up only for key-signing and a code-signing certificate should be set op only for code-signing, so you can't use these keys for any other purpose.

That solution is OK within an organization, where you can install your root key on every user's PC in advance. If you want to use your ActiveX control on a webpage on the public internet you will either have to persuade users to trust your certificate (even though they may have no good reason to do so) or you will have to buy a code-signing certificate from one of the commercial CAs whose root certificates are already known to the common browsers.

Finally, I'd really advise against using ActiveX controls for anything as they'll only be able to run on Windows, and then only if they're trusted. Most people who have any sense will have their browser's security set up to reject them. You'll have much more success producing your active content with a different technology (e.g. Javascript)

悲欢浪云 2024-10-09 04:36:33

使用自签名证书对二进制文件进行数字签名几乎违背了使用数字证书的概念与程序。基本思想是证明代码是由您创建的(真实性)并且自您发布以来没有被修改过(完整性)。这必须通过使用由受信任的证书颁发机构 (CA) 签署的签名证书来完成。

我已经在以下问题上更详细地回答了这个问题。

使用signtool创建密钥并签名可执行文件

Using self-signed certificates for digitally signing your binaries pretty much goes against the concept of using digital certificates with programs. The basic idea is to prove the code was created by you (authenticity) and has not been modified since you released it (integrity). This must be done by using a signed certificate that is signed by a trusted Certificate Authority (CA).

I've answered this in a little more detail on the following question.

creating a key and signing executable with signtool

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文