openssl,颁发者证书链
我的情况: 我正在开发一个使用 openssl 和 rsa 证书与其他方进行安全通信的应用程序。 所以我们需要交换证书。 到目前为止,一切都很好。 大多数合作伙伴证书是来自 CA 签名的证书(不是根证书或自签名证书)。 在我的笔记本电脑(debian)上,我从发行版中获得了安装在我的 openssl 基础设施中的最常见的 rootCA 证书。所以我可以验证最多的合作伙伴证书,因为我有颁发者根证书。
我的问题: 在我的主机上,我没有预安装 root-certis。所以我需要检查发行人的合作伙伴证书,从互联网上获取它,将其放入 openssl 等中我信任的证书目录中......
我的问题: 这是正常的方法吗???它有点广泛,如果它是一条较长的链条,也有点棘手。
感谢您的帮助!
问候,克里斯
my situation:
I am working on a application that is using openssl and rsa-certificates for secure communication with other parties.
so we need to exchange certificates.
so far so good.
mostly the partners certificate is a from a CA signed certificate (not a root certi or a selfsigend certi).
on my notebook (debian) I have from the distribution the most common rootCA-certificates installed in my openssl infrastrucutre. so I can verify the most partner-certificates because I have the issuer-root-certis.
my problem:
on my master-maschine I do not have pre-installed root-certis. so I need to check the partners-certi for the issuer, get this from the internet, put it into my trusted certi dir in openssl etc......
my question:
is this the normal way to do this???? Its a bit extensive and also a bit tricky if it is a longer chain.
thanks for help!
regards,chris
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
预安装根证书的目的是因为它们充当信任链的顶部(实际上它更像是一棵树,或树木的森林......)。
通过预安装它们,我们假设(尽管我们都知道人们所说的假设)它们没有受到损害并且可以用于验证任何其他证书。虽然可以通过侵入 FTP 服务器和弄乱 Linux 发行版的 DVD 映像等方式来危害它们,但这并不容易,而且不会长时间不被发现,也不能针对特定组织。
对于您的情况,您应该执行以下操作之一:
使用系统供应商提供的软件包在系统中安装根证书。为了获得相对较高的置信度,您应该从两个不同的位置下载相同的软件包,最好是通过不同的 ISP(例如从家里和工作场所)以及从两个或三个不同的镜像下载。然后您可以比较下载的文件,它们应该是相同的。如果您的系统供应商在线提供了其软件包文件的校验和,您也应该验证这些文件。
通过 USB 驱动器从受信任的系统获取根证书并将其传输到您的系统。您应该事先检查受信任系统的安全性。使用官方安装磁盘上的原始 Linux 安装将是一个很好的来源。
安全地安装至少一个根证书(例如通过USB驱动器方法),然后
尝试查找您的合作伙伴的颁发者证书。对于每个颁发者证书,您应该手动验证并安装信任链上的任何其他证书,直到到达预安装的根证书。这可能是一个非常繁琐的过程,您会感到沮丧,因为大多数 CA 出于各种原因使用多个证书,从减少潜在妥协的影响到营销和业务原因。
切勿将从 Internet 下载的证书安装为受信任的 CA,除非您可以验证预安装证书的有效性。
因此,作为您问题的答案:除非您有大量的时间和耐心,并且愿意比大多数人想要了解更多有关 PKI 的知识,否则只需找到一种在系统上安装正确的根证书的方法即可。
编辑:
我忘了提及一些操作系统供应商(例如 SuSE)在其包管理系统中预安装了自己的证书。在这种情况下,使用该包管理系统从官方存储库下载包应该足够安全,您无需费心执行上述任何操作即可确保根证书包的有效性。
The purpose of having the root certificates preinstalled is because they serve as the top of the chain of trust (actually it's more of a tree, or forest of trees...).
By having them preinstalled we assume (although we all know what people say about assuming) that they are not compromised and can be used to verify any other certificate. While it could be possible to compromise them by e.g. hacking into an FTP server and messing with the DVD images of a Linux distribution, it's not very easy and it's not going to stay undetected for long, nor can it target a specific organization.
In your case, you should do one of the following:
Install the root certificates in your system using a package from your system vendor. For a relatively high level of confidence, you should download the same package from two different locations, preferrably via different ISPs (e.g. from home and from work) and from two or three different mirrors. Then you can compare the downloaded files, which should be identical. If your system vendor provides checksums for their package files online you should verify those as well.
Take the root certificates from a trusted system via a USB drive and transfer them to your system. You should examine the security of the trusted system beforehand. Using a pristine Linux install from an official installation disk would be a good source.
Install at least one root certificate securely (e.g. via the USB drive method), then
try to track down the issuer certificates for your partners. For each issuer certificate you should manually verify and install any other certificates up the chain of trust till you reach a preinstalled root certificate. This can be a very tedious procedure and you WILL get frustrated, since most CAs use multiple certificates for various reasons, from reducing the impact of a potential compromise to marketing and business reasons.
You should NEVER install a certificate downloaded from the Internet as a trusted CA, unless you can verify its validity up to a preinstalled certificate.
So as an answer to your question: Unless you have a lot of time and patience, along with a will to learn a lot more about PKIs than most people would want, just find a way to install the proper root certificate on your system.
EDIT:
I forgot to mention that some OS vendors (e.g. SuSE) have their own certificates preinstalled in their package management system. In that case downloading packages from the official repositories using that package management system should be secure enough that you don't need to bother with any of the above to ensure the validity of the root certificate package.