如何链接SSL证书 [英] How to chain a SSL certificate

问题描述

有什么方法可以将我们自己生成的密钥对与已链接到根CA的现有证书(例如:verisign)进行链接?基本上我的问题在下图中描述

Is there any way we can chain our own generated key pair with an existing certificate which has been chained to a root CA (eg: verisign)? Basically my question is described in diagram below

Verisign Root CA
     |
     --> Company XYZ certificate
                     |
                     ---> Server foo certificate

一旦我为服务器foo生成了密钥对，如何将其与公司XYZ证书链接?

Once i've generated key pair for server foo, how do I chain it with Company XYZ cert?

推荐答案

如果XYZ公司具有中级证书颁发机构证书即可.此类证书由根CA颁发新证书，并且在创建时由特定属性(基本约束，密钥用法，增强的密钥用法)确定这一事实.

If Company XYZ has an Intermediate Certificate Authority certificate then you can. This kind of certificates are authorized by the root CA to issue new certificates and this fact is determined at creation time by specific properties (Basic Constraints, Key Usage, Enhanced Key Usage).

但是，如果XYZ公司拥有常规证书，例如用于识别网站，电子邮件用户或软件开发人员的证书，则不可能.甚至在实践中，即使没有什么阻止您创建新证书并与另一个证书(如果有私钥)签名的，我也不认为您会获得有效的证书.

But if Company XYZ has a regular certificate, used for example to identify websites, email users or software developers, it is not possible. Even thought in practice nothing stops you from creating a new certificate and signing it with another one (if you have it's private key), I don't think that you will obtain a valid certificate.

因此，如果您拥有正确类型的证书，则必须使用它对foo进行签名.您可以使用 makecert 或打开SSL 用于创建新的

So, if you have the right kind of certificate, you will have to sign foo with it. You can use makecert or open ssl for creating a new X509 Certificate. For example:

makecert -pe -n "CN=foo" -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "Company XYZ" -is my -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -ss my -sr LocalMachine

您将需要在Windows证书存储区的本地计算机/个人位置中安装公司XYZ的证书.生成的证书将添加到同一位置，并且您可以从那里以各种格式(.pfx，.cer，.p7b)导出它.这还会为新证书创建密钥对.

You will need to have the certificate for the Company XYZ installed in the Local Computer/Personal location in Windows Certificate Store. The resulting certificate will be added in the same place and you will be able to export it from there in various formats (.pfx, .cer, .p7b). Also this creates the keypair for the new certificate.

这篇关于如何链接SSL证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！