Certificates Basic Constraint's Path Length


Question


Is having a Path Length of 0 and None the same thing for Basic Constraint's of a CA type? To clarify, does a path length of 0 mean that the CA can issue no certificates while a path length of none mean that it can issue an infinite amount of certificates?

Recommended answer


Taken from RFC 5280, section 4.2.1.9:

A pathLenConstraint of zero indicates that no non-self-issued intermediate CA certificates may follow in a valid certification path. Where it appears, the pathLenConstraint field MUST be greater than or equal to zero. Where pathLenConstraint does not appear, no limit is imposed.


I.e. a pathLenConstraint of 0 does still allow the CA to issue certificates, but these certificates must be end-entity certificates (the CA flag in BasicConstraints is false - these are the "normal" certificates that are issued to people or organizations).


It also implies that with this certificate, the CA must not issue intermediate CA certificates (where the CA flag is true again - these are certificates that could potentially issue further certificates, thereby increasing the pathLen by 1).


An absent pathLenConstraint on the other hand means that there is no limitation considering the length of certificate paths built from an end-entity certificate that would lead up to our example CA certificate. This implies that the CA could issue an intermediate certificate for a sub CA, this sub CA could again issue an intermediate certificate, this sub CA could again... until finally one sub CA would issue an end-entity certificate.


If the pathLenConstraint of a given CA certificate is > 0, then it expresses the number of possible intermediate CA certificates in a path built from an end-entity certificate up to the CA certificate. Let's say CA X has a pathLenConstraint of 2, the end-entity certificate is issued to EE. Then the following scenarios are valid (I denoting an intermediate CA certificate):

X - EE
X - I1 - EE
X - I1 - I2 - EE

but not

X - I1 - I2 - I3 - EE
...
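The scenarios above follow from the max_path_length bookkeeping in RFC 5280 section 6.1; the following added example (not code from the answer or from any library) models just the fields that bookkeeping reads and runs the answer's chains through it. It assumes a constructed hierarchy in which a root R is the trust anchor and issues X with pathLenConstraint 2, so X is the first certificate of the path; names, the `Cert` class and `validate_path_length` are this example's own.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Cert:
    """Just the fields the path-length rules look at (constructed model, not a real X.509 parser)."""
    subject: str
    issuer: str
    ca: bool                        # BasicConstraints cA flag
    path_len: Optional[int] = None  # pathLenConstraint; None means the field is absent

    @property
    def self_issued(self) -> bool:
        # RFC 5280 sec. 6.1: self-issued when issuer and subject names match
        return self.subject == self.issuer

def validate_path_length(path: List[Cert]) -> bool:
    """Apply the max_path_length rules of RFC 5280 sec. 6.1.2 (k) and 6.1.4 (k)-(m).

    `path` runs from the certificate issued by the trust anchor down to the
    end-entity certificate; the trust anchor itself is not part of the path.
    """
    n = len(path)
    max_path_length = n                          # 6.1.2 (k): initial budget
    for i, cert in enumerate(path, start=1):
        if i == n:                               # end-entity cert: no "prepare next" step
            break
        if not cert.ca:                          # 6.1.4 (k): intermediates must assert cA=TRUE
            return False
        if not cert.self_issued:                 # 6.1.4 (l): each non-self-issued CA cert costs 1
            if max_path_length <= 0:
                return False
            max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len      # 6.1.4 (m): tighter constraint wins
    return True

# Constructed chain mirroring the answer: root R (trust anchor) issues X with pathLenConstraint 2.
X = Cert("X", "R", ca=True, path_len=2)
I1 = Cert("I1", "X", ca=True)
I2 = Cert("I2", "I1", ca=True)
I3 = Cert("I3", "I2", ca=True)

def ee(issuer: str) -> Cert:
    return Cert("EE", issuer, ca=False)

if __name__ == "__main__":
    for chain in ([X, ee("X")], [X, I1, ee("I1")], [X, I1, I2, ee("I2")], [X, I1, I2, I3, ee("I3")]):
        print(" - ".join(c.subject for c in chain), "valid" if validate_path_length(chain) else "INVALID")
```

Note that self-issued certificates (a CA re-certifying its own key) do not consume path length, which is why a plain count of certificates in the chain is not the right check.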
