自签名CA和自签名证书的区别 [英] Difference between self-signed CA and self-signed certificate
问题描述
我不清楚 CA 密钥和证书之间的区别.CA 密钥不只是一个证书吗?让我试着用一个例子来澄清.
I'm not clear on the difference between a CA key and a certificate. Isn't a CA key simply a certificate? Let me try and clarify with an example.
我有一个客户端和一个服务器.我只是想验证我与服务器的连接,而不是试图与他人建立信任,所以我不在乎使用真正的 CA 进行签名.
I have a client and a server. I'm only trying to validate my connection to my server and not trying to establish trust to others so I don't care about signing with a real CA.
选项 1: 生成自签名 CA (ssCA) 并使用它来签署证书 (C).然后,我将 ssCA 安装到我客户端的根密钥库中,并将我的服务器设置为使用证书 C.
Option 1: Generate a self-signed CA (ssCA) and use that to sign a certificate (C). I then install ssCA into the root keystore on my client and setup my server to use certificate C.
选项 2: 生成自签名证书 (SSC).将 SSC 安装到我客户端的根密钥库中.设置我的服务器以使用证书 SSC.
Option 2: Generate a self-signed certificate (SSC). Install SSC into the root keystore on my client. Setup my server to use certificate SSC.
第二个选项似乎是一个更简单的过程.那还能用吗?
The second option seems like a much simpler process. Should that still work?
推荐答案
两个选项都有效,选项 2 更简单.
Both options are valid, option 2 is simpler.
当您需要多个证书时,最好选择选项 1(设置您自己的 CA).在公司中,您可能会设置自己的 CA 并在所有客户端的根密钥库中安装该 CA 的证书.然后,这些客户端将接受您的 CA 签署的所有证书.
Option 1 (setting up your own CA) is preferable when you need multiple certificates. In a company you might set up your own CA and install that CA's certificate in the root keystore of all clients. Those clients will then accept all certificates signed by your CA.
选项 2(在没有 CA 的情况下自签名证书)更容易.如果您只需要一个证书,那么这就足够了.将它安装在您客户端的密钥库中,您就完成了.但是当您需要第二个证书时,您需要在所有客户端上再次安装它.
Option 2 (self-signing a certificate without a CA) is easier. If you just need a single certificate, then this is sufficient. Install it in the keystores of your clients and you are done. But when you need a second certificate, you need to install that again on all clients.
这是包含更多信息的链接:创建证书颁发机构和自签名 SSL 证书
Here is a link with further information: Creating Certificate Authorities and self-signed SSL certificates
这篇关于自签名CA和自签名证书的区别的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
