X.509 certificate validation process


Question

I have been reading on X.509 certificates and I just don't quite get how the entire process works.

So this is how I understand it: the CA is some company which produces certificates. Someone who wants to use one, like a bank website, contacts the CA and buys a certificate containing the public key to encode the messages for the website, which can only be decoded by the site's private key.

This is where I get confused: how does the user (some web browser) check that the certificate it received is actually true and really came from the correct site? How does it know it's still valid? What kind of checks are made to make sure everything is OK?

Recommended answer

The CA not only signs the certificate of the server (bank website) but also has its own certificate signed by (a CA which has its certificate signed by...) a root CA. The root CA gives its certificate to the browser vendor, which includes it in its set of trusted root certificates.

The whole thing builds on the idea of a "chain of trust": signing a certificate means "If you trust me (root or intermediate CA), then you can trust him (intermediate CA or server)". Your browser only needs to trust the root CA (whose certificate it has) to be able to find out if it can trust the server (bank website). See https://en.wikipedia.org/wiki/Chain_of_trust

Certificates may become invalid, e.g. due to a security breach (e.g. private key stolen). Such an event is reported to the CA, which provides this information publicly. The browser can access this information via Certificate Revocation Lists (CRLs) or the Online Certificate Status Protocol (OCSP). Browsers should be configured in such a way as to not accept certificates which they cannot verify to be still valid. See https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
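The checks the answer describes, as an added example that is not part of the original question or answer, written against Go's standard crypto/x509 package. It constructs a throwaway root (standing in for one of the browser's trusted roots), an intermediate signed by it, and a leaf for the hypothetical host bank.example; it then does what a browser does with a presented chain (path to a trusted root, signatures, validity period, hostname) and, as the separate revocation step, checks a CRL signed by the intermediate. "Demo Root CA", "Demo Intermediate CA", bank.example and every function name here are assumptions of this example, not anything from the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // fixture helper: a fixture that fails to build is a bug, not a verdict
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key and signs tmpl with parentKey (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func caTemplate(cn string, serial int64, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
	}
}

// BuildDemoPKI constructs the hypothetical chain root -> intermediate -> leaf (all valid at now);
// the intermediate's key is returned because the intermediate also signs the CRL for its leaves.
func BuildDemoPKI(now time.Time) (root, inter, leaf *x509.Certificate, interKey *ecdsa.PrivateKey) {
	root, rootKey := issue(caTemplate("Demo Root CA", 1, now), nil, nil)
	inter, interKey = issue(caTemplate("Demo Intermediate CA", 2, now), root, rootKey)
	leaf, _ = issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "bank.example"},
		DNSNames:  []string{"bank.example"}, // the hostname is matched against the SAN extension
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(0, 3, 0),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	return root, inter, leaf, interKey
}

// ValidateChain is the offline part of what a browser does: build a path from the leaf through the
// presented intermediate to a trusted root, verify each signature, check the validity periods at
// `at`, and match host against the leaf. Verify never consults CRLs or OCSP; that is IsRevoked.
func ValidateChain(leaf, intermediate, trustedRoot *x509.Certificate, host string, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host, CurrentTime: at})
	return err
}

// IssueCRL has issuer publish a DER-encoded CRL listing the given certificates as revoked.
func IssueCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, now time.Time, revoked ...*x509.Certificate) ([]byte, error) {
	var entries []pkix.RevokedCertificate
	for _, c := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.AddDate(0, 0, 1), RevokedCertificates: entries,
	}, issuer, key)
}

// IsRevoked checks a CRL the way a relying party must: confirm the CRL is signed by the certificate's
// issuer before trusting its contents, then look up the serial. An unverifiable CRL is an error, never "not revoked".
func IsRevoked(crlDER []byte, cert, issuer *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(issuer)
	}
	if err != nil {
		return false, fmt.Errorf("CRL rejected: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	now := time.Now()
	root, inter, leaf, interKey := BuildDemoPKI(now)
	fmt.Println("good chain:", ValidateChain(leaf, inter, root, "bank.example", now))
	crl := must(IssueCRL(inter, interKey, now, leaf))
	fmt.Println(IsRevoked(crl, leaf, inter)) // true <nil>
}
```

ValidateChain returns a non-nil error for every failure mode the question asks about: a chain whose root is not in the trusted set (or whose intermediate is missing), a leaf whose SAN does not contain the requested host, and a certificate checked outside its validity period. Revocation is deliberately a second step, because x509's Verify does no CRL or OCSP lookup at all; the point of IsRevoked is that a CRL is only evidence once its signature from the issuer has been checked, otherwise anyone on the path could hand the client an empty "nothing revoked" list.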
