如何创建亚个人数字证书? [英] How to create a sub-personal digital certificate?

问题描述

我有一个由CA颁发的个人数字证书.

I have a personal, CA issued digital certificate.

我如何制作将与该受信任证书签署的子证书?

How do I make sub-certificates that I will sign with this trusted one?

所以链看起来像这样:VeriSign <- Local CA <- ME <- [ Laptop 1, Laptop 2 ]

So the chain would look like this: VeriSign <- Local CA <- ME <- [ Laptop 1, Laptop 2 ]

推荐答案

要使用您的证书对证书签名，您的证书必须具有x509基本约束扩展名.

To use your certificate sign a certificate, your certificate must have the x509 Basic Constraints extension.

这样做的原因是因为证书从根本上说是一种身份证明，并且要颁发ID，您需要获得认可，以便所有人都知道您是在不检查人员身份的情况下将证书颁发给随机的人/服务器/服务器.这样一来，您便可以在需要时对HTTPS流量执行MITM攻击(只需为域签发证书，然后就可以使用).

The reason for this is because a certificate is fundamentally a form of identification, and to issue an ID you need to be accredited so that everybody knows that you're not issuing certificates to random people/servers without checking the identity of people/servers. This would allow you to perform MITM attacks on HTTPS traffic whenever you felt like it (just issue a cert for the domain and away you go).

是的，一旦人们看到您这样做，您可能会被撤销，但是PKI中的撤销并不完美，主要有两个原因.首先，任何人都可能需要很长时间才能意识到您正在颁发随机证书，因为看起来没有什么不对(忽略证书固定，因为并非所有浏览器都这样做).其次，即使在撤销证书之后，大多数浏览器也无法对撤销信息进行软化(这意味着如果他们无法达到CRL/OCSP，他们会认为证书是正确的)，因此您可以对某人进行DoS.

Yes you could be revoked once people saw you doing it, but revocation in PKI isn't perfect for a two main reasons. Firstly it could take ages for anybody to realise that you're issuing random certs because nothing would look wrong (ignoring certificate pinning because not all browsers do that). Secondly even after it's revoked, most browsers fail soft on revocation information (which means if they can't reach CRLs/OCSP they assume that the cert is fine) and therefore you could just DoS somebody.

您将必须滚动自己的CA来颁发证书，如果希望它们在您的私有域之外受到信任，则必须遵循关于颁发的证书的严格规则并进行定期审核，以确保您遵循这些规则.如果您只是希望他们在私有域中受信任，那么您甚至无需与其他CA进行对话，就可以将CA安装到该域的信任存储中(或安装到该域中的各个计算机上，具体取决于您的设置) ).

You will have to roll your own CA to issue certs and if you want them to be trusted outside of your private domain you will have to follow strict rules about the certificates you issue and undergo regular audits to ensure you are following those rules. If you just want them trusted in a private domain then you don't even need to talk to another CA, you can just install your CA into the trust store of that domain (or onto the individual computers in the domain - depending on your setup).

这篇关于如何创建亚个人数字证书?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！