Should the trusted Root CA be a part of the certificate chain?

Views: 140

Question

I'm setting up 2-way SSL communication between services on different hosts. Let's say I have my own CA called A. A is trusted by all of my services through a centralized jks. Now let's say I have certificate B signed by A. When services send the certificate, should they be sending the entire chain B - A, or just B? I believe both tend to work with most implementations.

I tried to find canonical information about this online, but I'm coming up with nothing.

Thanks for your help.

Answer

According to the reference below, the server should send the exact chain that is to be used; the server is explicitly allowed to omit the root CA, but that's all.

Reference (RFC 5246 - TLS v1.2, section 7.4.2 - Server Certificate):

certificate_list

This is a sequence (chain) of certificates. The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority MAY be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case.
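The ordering rule quoted above is easy to state and easy to get wrong in deployment (a reversed chain, or a missing intermediate, often "works" against one client and fails against another). The following is an added example, not part of the original question or answer, that encodes the RFC 5246 section 7.4.2 rule as a check over a certificate_list: sender's certificate first, each following certificate must directly certify the one before it, and a self-signed root may be omitted only if the verifier already has it in its trust store (the centralized jks in the question). It uses only the Python standard library and works on subject/issuer names rather than parsing X.509 itself; the names CN=A (the root) and CN=B (the service certificate) come from the question, while CN=I (an intermediate) and the trust-store contents are constructed for the example.

```python
"""Check a TLS certificate_list against the RFC 5246 s.7.4.2 ordering rule.

Added example (not the answer's code). Certificates are modelled by their
subject and issuer names only; extract those from real PEM files with
`openssl x509 -noout -subject -issuer -in cert.pem`.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str  # e.g. "CN=B"
    issuer: str   # e.g. "CN=A"

    @property
    def self_signed(self) -> bool:
        # A root CA certificate names itself as issuer.
        return self.subject == self.issuer


def check_chain_order(chain: List[Cert], trust_store: Set[str]) -> Tuple[bool, str]:
    """Return (ok, reason) for a certificate_list as sent on the wire.

    chain:       certificates in the exact order the peer sent them; the
                 sender's own certificate must be chain[0].
    trust_store: subjects of the self-signed roots the verifier already
                 holds (what the centralized jks contains).
    """
    if not chain:
        return False, "empty certificate_list"

    # Rule 2: each following certificate MUST directly certify the one
    # preceding it, i.e. chain[i].issuer == chain[i + 1].subject.
    for i in range(len(chain) - 1):
        prev, nxt = chain[i], chain[i + 1]
        if nxt.subject != prev.issuer:
            return False, (
                f"certificate {i + 1} ({nxt.subject}) does not certify "
                f"certificate {i} ({prev.subject}, issued by {prev.issuer})"
            )

    last = chain[-1]
    if last.self_signed:
        # Root was included (allowed); it still has to be one we trust.
        if last.subject in trust_store:
            return True, f"complete chain, ends in trusted root {last.subject}"
        return False, f"chain ends in untrusted self-signed root {last.subject}"

    # Root was omitted (MAY): the verifier must already possess it.
    if last.issuer in trust_store:
        return True, f"root {last.issuer} omitted by sender, found in trust store"
    return False, (
        f"chain ends at {last.subject}; its issuer {last.issuer} was neither "
        f"sent nor found in the trust store"
    )


def sample_cases() -> dict:
    """Constructed chains illustrating the rule, keyed by a short label."""
    A, B, I = "CN=A", "CN=B", "CN=I"           # A and B from the question, I constructed
    root_a = Cert(A, A)
    leaf_b_by_a = Cert(B, A)
    inter_i = Cert(I, A)
    leaf_b_by_i = Cert(B, I)
    trust = {A}                                 # the jks holds only root A
    cases = {
        "B only, root omitted":       [leaf_b_by_a],
        "B then A, root included":    [leaf_b_by_a, root_a],
        "A then B, reversed":         [root_a, leaf_b_by_a],
        "B then A, intermediate I missing": [leaf_b_by_i, root_a],
        "B then I, root omitted":     [leaf_b_by_i, inter_i],
    }
    return {label: check_chain_order(c, trust) for label, c in cases.items()}


if __name__ == "__main__":
    for label, (ok, reason) in sample_cases().items():
        print(f"{'OK  ' if ok else 'FAIL'} {label}: {reason}")
```

To check what a service actually sends, capture its certificate_list with `openssl s_client -connect host:port -showcerts` and feed the subject/issuer of each block, in the order shown, to `check_chain_order`. The "intermediate missing" case is the one to watch for in practice: a chain of B followed by A is rejected even though both certificates are genuine, because A does not directly certify B when B was issued by I.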

