Intermediate root authority cross chain validation

Problem description

I have created a root CA (CA-R) and two intermediary CAs (CA-I1 & CA-I2) (all self-signed).

Using CA-I1, I generated a private key for server1/client1, a CSR, and created the certs. Installed the certs for server1 (Apache2) and client1. I'm successfully able to connect to server1 using my client1 (Python client).

Here is the chain -> client1->server1->CA-I1->root CA

Using CA-I2, I generated a private key for server2/client2, a CSR, and created the certs. Installed the certs for server2 (Apache2) and client2. I'm successfully able to connect to server2 using my client2 (Python client).

Here is the chain -> client2->server2->CA-I2->root CA.

Now, I would like to know if, using client2, I can connect to server1 by adding the certs of CA-I1 (as both CA-I1 & CA-I2 are from the same root CA) to the Python client. Basically I want to know if I can cross-chain authenticate.

Solution

Here is the chain -> client1->server1->CA-I1->root CA

I hope you did not sign the client certificates with the server certificates, as your question suggests, but that you signed the client certificates with the CA certificates (i.e. CA-I1, CA-I2). Otherwise this would only work if the server certificate were used both as a leaf certificate for server authentication and as a CA certificate to sign the client certificate. These different kinds of use cases are better not merged into a single certificate. Thus what you should actually use is:

   server1 -> CA-I1 -> root-CA
   client1 -> CA-I1 -> root-CA
   server2 -> CA-I2 -> root-CA
   client2 -> CA-I2 -> root-CA

... if, using client2, I can connect to server1 by adding the certs of CA-I1 (as both CA-I1 & CA-I2 are from the same root CA) to the Python client

Each client and server can trust several CAs, and the certificates used for client and server certificate validation can actually be different. But, considering that server1 trusts any certificate signed by root-CA for client authentication, it will trust both client1 and client2, provided that all intermediate certificates needed to build the trust chain to root-CA are sent by the client together with the leaf certificate. This is not different from server authentication.
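As an added example (not part of the original question or answer), the script below rebuilds the four chains listed in the answer with the openssl command line and then replays, with `openssl verify`, the check server1 performs on a presented client certificate: root-CA is its only trust anchor, so client2 is accepted exactly when the CA-I2 intermediate arrives alongside the leaf, and rejected when the leaf is sent alone. It also shows what the first paragraph of the answer warns about, a client certificate issued from server1's own (CA:FALSE) certificate, which no verifier will accept. The file names, subjects, extension profiles and temporary working directory are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the PKI the answer
# describes and checks which client certificates server1 (trusting only root-CA)
# accepts. Names, subjects and the working directory are assumptions.
set -eu
WORK=$(mktemp -d)

# Extension profiles: a CA needs CA:TRUE + keyCertSign; each leaf gets only the
# EKU for its role, so one certificate is never used for two purposes.
cat > "$WORK/ext.cnf" <<'EOF'
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF

# keypair NAME: private key plus a CSR with CN=NAME
keypair() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# sign NAME ISSUER PROFILE: issue NAME's certificate with ISSUER's key using
# the PROFILE section of ext.cnf; ISSUER=self produces the self-signed root.
sign() {
  if [ "$2" = self ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
      -extfile "$WORK/ext.cnf" -extensions "$3" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
      -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" -extensions "$3" \
      -out "$WORK/$1.crt" 2>/dev/null
  fi
}

# The PKI from the answer: server1/client1 under CA-I1, server2/client2 under CA-I2.
keypair root-CA; sign root-CA self ca
for ca in CA-I1 CA-I2; do keypair "$ca"; sign "$ca" root-CA ca; done
keypair server1; sign server1 CA-I1 server
keypair client1; sign client1 CA-I1 client
keypair server2; sign server2 CA-I2 server
keypair client2; sign client2 CA-I2 client
# The mistake the answer warns against: a client cert signed with server1's
# leaf certificate (CA:FALSE). Some openssl builds refuse to sign at all.
keypair client-bad; sign client-bad server1 client || :

# server1_accepts LEAF [-untrusted INTERMEDIATE]: the validation server1 does on
# a presented client certificate. root-CA is the only trust anchor; every
# intermediate must come from the client (-untrusted stands in for the extra
# certificates a TLS client sends with its leaf). Exit status 0 = accepted.
server1_accepts() {
  leaf=$1; shift
  openssl verify -CAfile "$WORK/root-CA.crt" -no-CApath -purpose sslclient \
    "$@" "$leaf" >/dev/null 2>&1
}

# show LABEL LEAF [-untrusted INTERMEDIATE]: print the outcome without aborting
show() {
  label=$1; shift
  if server1_accepts "$@"; then echo "$label: accepted"; else echo "$label: rejected"; fi
}
show "client1, leaf + CA-I1 sent"       "$WORK/client1.crt" -untrusted "$WORK/CA-I1.crt"
show "client2, leaf + CA-I2 sent"       "$WORK/client2.crt" -untrusted "$WORK/CA-I2.crt"
show "client2, leaf only"               "$WORK/client2.crt"
show "client signed by server1's cert"  "$WORK/client-bad.crt" -untrusted "$WORK/server1.crt"
```

`-untrusted` plays the role of the intermediate certificates the client sends in its TLS Certificate message. In the Python client that means the PEM file passed to `ssl.SSLContext.load_cert_chain` holds client2's certificate followed by CA-I2's certificate; on the Apache side `SSLCACertificateFile` need only contain root-CA, not the intermediates of every client population.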
