从普遍信任的证书创建我自己的中间认证机构 [英] Create my own intermediate cetification authority from commonly trusted certificate

问题描述

我有一个简单的问题(可能是愚蠢的)，但没有找到明确的答案.如果我从我的服务器之一(例如Web)的受信任的签名公司(例如verisign ...)获得证书，则我将拥有一个私钥.有了此证书，我可以设置自己的中间CA并签署证书请求，并且得到每个人的信任吗(我知道不应该这样.)?我真正的问题是:什么会阻止我颁发证书，以及公司如何保证没有人这样做?

I have a simple question (maybe stupid) and i didn't find any clear answer to it. If i get a certificate from a trusted signing company (like verisign...) for one of my server (web for instance), i'll have private an public keys. With this certificate can i set up my own intermediate CA and sign cert request and the be trusted by every one (i know that's shouldn't be..)? My real question is : what will prevent me for issuing certificate and how the company can garanty that nobody does ??

提前谢谢！

推荐答案

为您的网站颁发的证书适用于SSL/TLS，而不适合颁发其他证书(密钥用法"字段不同).因此，从技术上讲，您可以将自己的证书用作CA来生成另一个证书，但正确实施和配置的验证器(检查密钥使用情况的验证器)将不信任此类生成的证书.

The certificate issued for your web site is suitable for SSL/TLS and is not suitable for issuing other certificates (Key Usage field is different). Consequently while you technically can generate another certificate using yours as a CA, such generated certificate won't be trusted by properly implemented and configured validators (those that check Key Usage).

这篇关于从普遍信任的证书创建我自己的中间认证机构的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！