What strings are allowed in the "common name" attribute in an X.509 certificate?
Question
In the common name field of the DN of an X.509 certificate, as defined in ASN.1 notation for OID "2.5.4.3", what are the allowed values?
I know that the limit is up to 64 characters, but are all characters allowed? Digits?
E.g. are "."s allowed? Is an IP address (x.x.x.x) a valid sequence per the ASN definition?
Is a domain name allowed?
Answer
The common name attribute in a Distinguished Name is encoded as:
X520CommonName ::= CHOICE {
teletexString TeletexString (SIZE (1..ub-common-name)),
printableString PrintableString (SIZE (1..ub-common-name)),
universalString UniversalString (SIZE (1..ub-common-name)),
utf8String UTF8String (SIZE (1..ub-common-name)),
bmpString BMPString (SIZE (1..ub-common-name)) }
where ub-common-name is 64. The last three encodings allow the use of all Unicode code points (using UTF-16 for code points beyond 0xFFFF with bmpString); UTF-8 is the preferred encoding (at least the standards say so).
As far as X.509 is concerned (see RFC 5280), the contents of DN elements are irrelevant beyond equality comparisons; which means that you can put whatever sequence of characters you wish, as long as you do so consistently. RFC 5280 mandates case-insensitive comparisons for UTF-8 encoded name elements, and this is not easy in the general context of Unicode: see section 7.1, which links to RFCs 4518 and 3454. Also, the "common name" is frequently displayed to the user (at least on systems using X.509 certificates which have a display and a physical user), so you probably want to use a string which is meaningful or at least not too scary for a human, and you may try to avoid non-Latin scripts.
Putting a DNS name in the "common name" attribute is common practice for HTTPS server certificates: see RFC 2818 (the server certificate contains the server name, which the client matches against the server name in the URL; normally, the Subject Alt Name extension is preferred for that, but the common name is somewhat more widely supported by clients).
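As an added example (not part of the original answer), the following Python encodes and decodes the X520CommonName CHOICE shown above in DER, enforces the SIZE (1..ub-common-name) bound and the PrintableString alphabet (so you can see that digits, dots, an IP address literal and a domain name are all syntactically fine), applies a simplified form of the RFC 5280 section 7.1 comparison, and shows the RFC 2818 rule that a subjectAltName dNSName, when present, takes precedence over the CN. Assumptions made here: the comparison is a deliberately reduced stand-in for the RFC 4518 preparation steps (NFKC, case folding, whitespace collapsing), TeletexString is decoded as Latin-1, wildcard matching uses the whole-label leftmost wildcard rule most clients apply today rather than RFC 2818's looser text, and all function names and sample inputs are constructed for this illustration.

```python
# Added example: hand-rolled DER for the X520CommonName CHOICE, a simplified
# RFC 5280 s7.1 comparison, and RFC 2818-style server-name matching.
import unicodedata

UB_COMMON_NAME = 64  # ub-common-name from the RFC 5280 ASN.1 module

# DER universal tags of the five string types in the X520CommonName CHOICE
TAG_UTF8STRING = 0x0C
TAG_PRINTABLESTRING = 0x13
TAG_TELETEXSTRING = 0x14
TAG_UNIVERSALSTRING = 0x1C
TAG_BMPSTRING = 0x1E

# PrintableString alphabet (X.680): letters, digits, space and ' ( ) + , - . / : = ?
PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "abcdefghijklmnopqrstuvwxyz"
                "0123456789 '()+,-./:=?")


def _der_length(n):
    """DER definite-length encoding (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_common_name(value, prefer_printable=False):
    """Encode a CN as UTF8String (the RFC 5280 preference) or PrintableString.

    Raises ValueError outside SIZE (1..ub-common-name), or when a
    PrintableString is requested for text outside its alphabet.
    """
    if not 1 <= len(value) <= UB_COMMON_NAME:  # SIZE counts characters
        raise ValueError("common name must be 1..%d characters" % UB_COMMON_NAME)
    if prefer_printable:
        if not set(value) <= PRINTABLE:
            raise ValueError("not representable as PrintableString")
        tag, payload = TAG_PRINTABLESTRING, value.encode("ascii")
    else:
        tag, payload = TAG_UTF8STRING, value.encode("utf-8")
    return bytes([tag]) + _der_length(len(payload)) + payload


def common_name_problem(value, prefer_printable=False):
    """None if the value encodes cleanly, otherwise the reason it does not."""
    try:
        encode_common_name(value, prefer_printable)
        return None
    except ValueError as exc:
        return str(exc)


def decode_common_name(der):
    """Parse one DER string TLV and return (choice_name, text)."""
    tag, first = der[0], der[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        n = first & 0x7F
        length, offset = int.from_bytes(der[2:2 + n], "big"), 2 + n
    payload = der[offset:offset + length]
    if len(payload) != length:
        raise ValueError("truncated DER")
    if tag == TAG_UTF8STRING:
        return "utf8String", payload.decode("utf-8")
    if tag == TAG_PRINTABLESTRING:
        text = payload.decode("ascii")
        if not set(text) <= PRINTABLE:
            raise ValueError("invalid PrintableString")
        return "printableString", text
    if tag == TAG_BMPSTRING:
        return "bmpString", payload.decode("utf-16-be")
    if tag == TAG_UNIVERSALSTRING:
        return "universalString", payload.decode("utf-32-be")
    if tag == TAG_TELETEXSTRING:
        return "teletexString", payload.decode("latin-1")  # assumption: T.61 ~ Latin-1
    raise ValueError("tag 0x%02x is not an X520CommonName choice" % tag)


def prepare_for_comparison(text):
    """Simplified RFC 5280 s7.1 / RFC 4518 preparation (assumption: reduced to
    NFKC normalisation, case folding and insignificant-space collapsing)."""
    return " ".join(unicodedata.normalize("NFKC", text).casefold().split())


def common_names_match(a_der, b_der):
    """Equality across CHOICE types, case-insensitive, whitespace-insensitive."""
    return (prepare_for_comparison(decode_common_name(a_der)[1])
            == prepare_for_comparison(decode_common_name(b_der)[1]))


def matches_server_name(hostname, san_dns_names, common_name):
    """RFC 2818 s3.1: if dNSName entries exist in subjectAltName they are the
    identity and the CN is ignored; the CN is only the fallback.
    Wildcard: a single leftmost '*' label that never stands for the whole of a
    public suffix (assumption: the rule most clients apply today)."""
    def label_match(pattern, name):
        p = pattern.lower().rstrip(".").split(".")
        h = name.lower().rstrip(".").split(".")
        if len(p) != len(h):
            return False
        if p[0] == "*":
            return len(p) > 2 and p[1:] == h[1:]
        return p == h
    if san_dns_names:
        return any(label_match(n, hostname) for n in san_dns_names)
    return label_match(common_name, hostname)


if __name__ == "__main__":
    for cn in ("example.com", "192.0.2.10", "Example Corp", "münchen.example"):
        der = encode_common_name(cn, prefer_printable=set(cn) <= PRINTABLE)
        print(cn, "->", der.hex(), decode_common_name(der))
```

The encoder shows why "allowed" is mostly a question of which CHOICE you pick: "192.0.2.10" and "www.example.com" fit PrintableString, a non-Latin name forces UTF8String, and nothing in the ASN.1 itself distinguishes an IP address from any other text; only the relying party's matching rules do.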