信任库需要子CA证书吗？ [英] Does a truststore need the sub-ca certificate?

问题描述

我正在尝试设置层次PKI。我可以创建一个只包含根CA证书的信任库，这是否意味着我的应用程序信任由子CA证书签名的证书，后者又由根CA签名？

另外，你似乎必须提供一个完整的证书链，包括根ca证书。当然，如果根CA是可信的，证书应该不需要发送？

解决方案

信任存储应该仅包含根CA，不是中间体。

身份存储应包含私钥，每个都与其证书链相关联，但根除外。

很多，很多应用程序在野外配置错误，当尝试识别自己（例如，服务器用SSL验证自己）时，他们只发送自己的证书，并缺少中间体。有更少的错误地发送根作为链的一部分，但这是更少的危害。大多数证书路径构建器只会忽略它，并从他们的信任密钥存储中找到一个根的路径。

原始问题中的假设是目标上的假设。 p>

I'm trying to setup a hierarchical PKI. Can I create a truststore containing only the root ca certificate, and will that mean my application trusts certificates signed by a sub-ca certificate which is in turn signed by the root ca?

As an aside, it seems that you must provide an entire certificate chain, including the root ca certificate. Surely if the root ca is trusted, the certificate shouldn't need to be sent? We just want to check if the next certificate down is signed by it.

解决方案

The trust store should only contain the root CAs, not intermediates.

An identity store should contain private keys, each associated with its certificate chain, except for the root.

Many, many applications in the wild are misconfigured, and when trying to identify themselves (say, a server authenticating itself with SSL), they only send their own certificate, and are missing the intermediates. There are fewer that mistakenly send the root as part of the chain, but this is less harmful. Most certificate path builders will just ignore it, and find a path to a root from their trusted key store.

The suppositions in the original question are right on target.

这篇关于信任库需要子CA证书吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！