我需要什么 SSL 证书? [英] What SSL certificate do I need?

问题描述

我正在开发软件，该软件将使用 clickonce(在网站 foo.com 上)进行部署，然后将使用 WCF 和加密传输连接到我的服务器

I'm developing software which will be deployed using clickonce (on the website foo.com), and which will then connect to my server using WCF with an encrypted transport

所以我需要一个 SSL 证书，它将:

So I need an SSL certificate which will :

• 确定我的 foo.com 网站确实是我的网站
• 将我使用 clickonce 部署的 exe 识别为正版
• 确定我的应用服务器确实是我的应用服务器.

我还希望我的 SSL 证书由公众已知的授权机构签署(即，firefox 或 windows 不会要求用户先安装授权机构的证书！)

I also want my SSL certificate to be signed by an authority known to the public (ie, firefox or windows won't ask the user to install the authority's certificate first !)

您会购买什么 SSL 证书?

What SSL certificate would you buy?

我浏览了 Verisign 网站，Secure Site EV"证书的费用为每年 1150 欧元(Pro"版本似乎仅用于兼容旧浏览器)

I've browsed the Verisign website, the "Secure Site EV" certificate costs 1150€ a year (the "Pro" version seems useful only for compatibility with older browsers)

推荐答案

听起来您正在寻找两种不同类型的证书:

It sounds like you're looking for two different types of certificates:

1 - SSL 证书 - 用于验证您的网站/应用程序服务器.

1 - SSL Certificate - for authentication of your website/application server.

2 - 代码签名证书 - 用于您交付的 exe 的完整性/身份验证.

2 - Code Signing Certificate - for integrity/authentication of the exe you deliver.

通常是两个不同的证书，具有两个不同的证书配置文件.至少，您需要一个具有两种不同密钥用法或扩展密钥用法的证书.

Typically those are two different certificates, with two different certificate profiles. At the very least, you need one certificate with two different key usages or extended key usages.

一些没有特定顺序的想法:

A few thoughts in no specific order:

• 检查您的目标浏览器，每个浏览器都应该有一组预配置的根证书 - 这些是最广泛认可的公共证书来源.我可能会同时检查 Firefox 和 IE.我所熟知的知名证书供应商有 - Versign、GeoTrust、RSA、Thawte、Entrust.但也有 GoDaddy 和许多其他人.提供的浏览器中作为受信任的根证书提供的任何内容都将允许您连接到您的用户，而无需额外的 greif.

• Check your targeted browsers, they should each have a set of preconfigured root certificates - those are the most widely recognized public certificate sources. I'd probably check both Firefox and IE. Certificate vendors known to me as big names are - Versign, GeoTrust, RSA, Thawte, Entrust. But there's also GoDaddy and many others. Anything that comes in the delivered browser as a Trusted Root Certificate, will allow you to connect to your users without additional greif.

我建议谷歌搜索代码签名证书"和SSL 证书".

I suggest Googling for both "code signing certificate" and "SSL certificate".

您配置站点的方式将决定您的网站是否经过验证或您的身份验证服务器是否经过验证.如果证书存储在应用程序服务器上，那么您的用户将一直获得到服务器的 SSL 加密.但是许多站点将 SSL 证书放得更远一些 - 就像在防火墙上一样，然后在其后面放置一系列应用程序服务器.只要网络经过仔细配置，我就看不到安全漏洞.对于外部用户来说，这两种配置看起来都一样——他们会锁定浏览器，并获得一个证书，告诉他们 www.foo.com 正在提供其凭据.

How you configure your site will determine whether or not your website is validated or your authentication server is validated. If the certificate is stored on the apps server, then your user is getting SSL encryption all the way to the server. But many sites put the SSL certificate a little farther forward - like on a firewall, and then stage a collection of apps servers behind it. I don't see a security flaw in that, so long as the networking is carefully configured. To the outside users, both configurations will look the same - they'll get the lock on their browsers and a certificate that tells them that www.foo.com is offering it's credentials.

我看到 SSL 证书有很多优惠:- GoDaddy - 12.99 美元- Register.com - $14.99

I'm seeing pretty great deals for SSL Certificates: - GoDaddy - $12.99 - Register.com - $14.99

但它们不一定是代码签名证书.例如，虽然 GoDaddy 的 SSL 证书是 12.99 美元，但他们的 代码签名证书 是 199.99 美元！这是许多证书供应商商业模式的一部分——用廉价的 SSL 证书引诱你，让你为代码签名付费.可以认为代码签名证书的责任相对较高.但也......他们必须以某种方式补贴廉价的 SSL 证书.

But they aren't necessarily code signing certifiates. For example, while GoDaddy's SSL Cert is $12.99, their code signing certs are $199.99! That's part of many certificate vendors business models - lure you in with cheap SSL Certs, and make you pay for code signing. A case could be made that code signing certificates are relatively higher liability. But also... they have to subsidize the cheap SSL certs somehow.

从理论上讲，应该可以制作一个同时进行代码签名和 SSL 的证书，但我不确定您是否想要那样.如果发生某些事情，能够隔离这两个功能会很好.此外，我很确定您必须致电证书供应商并询问他们是否这样做，如果他们不这样做，让他们这样做可能会使价格上涨相当高.

Theoretically, it should be possible to make a certificate that does both code signing and SSL, but I'm not sure you want that. If something should happen, it would be nice to be able to isolate the two functions. Also, I'm pretty sure you'd have to call the certificate vendors and ask if they did this, and if they don't, having them do it will likely jack up the price quite high.

就供应商而言，需要考虑的事项:

As far as vendor, things to consider:

• 技术几乎完全相同.这些天，目标是至少 128 位密钥，我可能会增加到 256，但我很偏执.
• 除了浏览器的可接受性之外，支付更多费用的唯一原因是知名度.在偏执的安全专家中，我希望 RSA、Thawte、Verisign 和 GeoTrust 享有很高的声誉.也可能是EnTrust.这可能仅在您处理以安全为重点的产品时才重要.我认为您的普通用户不会这么清楚.
• 从安全极客的角度来看 - 您的安全性取决于根 CA(证书颁发机构)的安全性.对于真正的偏执狂，要做的事情是深入研究公司如何托管其根和发行 CA 的背景材料，它们是如何进行物理保护的?网络安全?人员访问控制?另外 - 他们是否有公共 CRL(证书撤销列表)，您如何撤销证书?他们是否提供 OCSP(在线证书状态协议)?他们如何检查证书申请者以确保他们将正确的证书提供给正确的人?... 如果您提供的东西必须高度安全，那么所有这些东西都非常重要.医疗记录、财务管理应用程序、税务信息等应受到高度保护.大多数网络应用都没有那么高的风险，可能不需要这种程度的审查.

关于最后一点——如果你深入了解世界上的 Verisigns——非常昂贵的证书——你很可能会看到它的价值.他们拥有庞大的基础设施，并且非常重视 CA 的安全性.我不太确定超级便宜的托管服务.也就是说，如果您的风险较低，那么 300 美元的 SSL 证书与 12.99 美元相比没有多大意义！

On that last bullet - if you dig into the Verisigns of the world - the very expensive certs - you're likely to see the value. They have a massive infrastructure and take the security of their CAs very seriously. I'm not so sure about the super-cheap hosting services. That said, if your risk is low, US$300 for an SSL Cert doesn't make much sense compared to US$12.99!!

这篇关于我需要什么 SSL 证书?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！