What strings are allowed in the "common name" attribute in an X.509 certificate?


Question


In the common name field of the DN of a X509 certificate, as defined in ASN.1 notation for OID "2.5.4.3", what are the allowed values?


I know that the limit is up to 64 characters, but are all characters allowed? Digits?
E.g., are dots (".") allowed? Is an IP address (x.x.x.x) a valid sequence per the ASN.1 definition?
Is a domain name allowed?

Answer


The common name attribute in a Distinguished Name is encoded as:

X520CommonName ::= CHOICE {
      teletexString     TeletexString   (SIZE (1..ub-common-name)),
      printableString   PrintableString (SIZE (1..ub-common-name)),
      universalString   UniversalString (SIZE (1..ub-common-name)),
      utf8String        UTF8String      (SIZE (1..ub-common-name)),
      bmpString         BMPString       (SIZE (1..ub-common-name)) }


where ub-common-name is 64. The last three encodings allow the use of all Unicode code points (using UTF-16 for code points beyond 0xFFFF with bmpString); UTF-8 is the preferred encoding (at least the standards say so).


As far as X.509 is concerned (see RFC 5280), the contents of DN elements are irrelevant beyond equality comparisons; which means that you can put whatever sequence of characters you wish, as long as you do so consistently. RFC 5280 mandates case-insensitive comparisons for UTF-8 encoded name elements, and this is not easy in the general context of Unicode: see section 7.1, which links to RFC 4518 and 3454. Also, the "common name" is frequently displayed to the user (at least on systems using X.509 certificates which have a display and a physical user), so you probably want to use a string which is meaningful or at least not too scary for a human, and you may try to avoid non-latin scripts.


Putting a DNS name in the "common name" attribute is common practice for HTTPS server certificates: see RFC 2818 (the server certificate contains the server name, which the client matches against the server name in the URL; normally, the Subject Alt Name extension is preferred for that, but the common name is somewhat more widely supported by clients).
