我自己为一个域的子域颁发SSL证书,我有一个SSL证书 [英] Issuing SSL certificates myself for subdomains of a domain I have an SSL cert for
问题描述
我想这不可能完成,但是如果是这样,我想知道为什么.
I guess it can't be done, but if so, I'd like to know why.
比方说,我从一个官方证书颁发机构那里获得了example.com的SSL证书.还要说我正在运行a.example.com和b.c.d.example.com,并且也希望为其提供SSL证书.
Let's say I get an SSL certificate for example.com from one of the official certificate authorities around. Let's also say I'm running a.example.com and b.c.d.example.com and would like to have SSL certificates for those as well.
我可以使用example.com证书亲自为a.example.com和b.c.d.example.com颁发证书吗?并且它们会被用户的浏览器识别吗?如果没有,为什么不呢?
Can I use the example.com certificate to issue certificates for a.example.com and b.c.d.example.com myself? And will they be recognized by users' browsers? If not, why not?
(我猜想这是不可能完成的,因为它会破坏利润丰厚的通配符证书业务模型,对吗?)
(My guess that it can't be done is because it would break the very lucrative wildcard cert business model, wouldn't it?)
说明:我不能使用获得了官方证书的密钥对充当自签名"证书颁发机构,而只是将我的官方证书添加到验证链中吗?
Clarification: can't I act as a "self-signed" certificate authority using the keypair for which I obtained the official cert, and simply add my official cert in the validation chain?
推荐答案
您不能使用您的证书来颁发其他证书,因为 证书编码在您的证书中,并且该列表中肯定没有包含证书颁发机构".
You cannot use Your certificate to issue other certificates, because the purposes of the certificate are encoded in Your certificate and "Certificate Authority" is certainly not included in that list.
Web浏览器从您的证书,用于对其进行签名的证书,该证书的签名者等检查证书链".
Web browsers check the "certificate chain" beginning from Your certificate, the certificate that was used to sign it, the signer of that certificate etc.
您的证书必须与当前用例(主要是标识网站")匹配,并且所有签名证书都必须包含证书颁发机构"标志.浏览器必须知道最后一个证书(根证书).
Your certificate must match the current use case (mostly "identify web site") and all signing certificates must include the "Certificate Authority" flag. The last certificate must be known to the browser (root cert).
您已经猜到了,通配符证书可能会对您有所帮助.
As You already guess, wildcard certificates might help in Your case.
这篇关于我自己为一个域的子域颁发SSL证书,我有一个SSL证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
