Difference between self-signed CA and self-signed certificate

Question

I'm not clear on the difference between a CA key and a certificate. Isn't a CA key simply a certificate? Let me try and clarify with an example.

I have a client and a server. I'm only trying to validate my connection to my server and not trying to establish trust to others so I don't care about signing with a real CA.

Option 1: Generate a self-signed CA (ssCA) and use that to sign a certificate (C). I then install ssCA into the root keystore on my client and set up my server to use certificate C.

Option 2: Generate a self-signed certificate (SSC). Install SSC into the root keystore on my client. Set up my server to use certificate SSC.

The second option seems like a much simpler process. Should that still work?

Recommended answer

Both options are valid; option 2 is simpler.

Option 1 (setting up your own CA) is preferable when you need multiple certificates. In a company you might set up your own CA and install that CA's certificate in the root keystore of all clients. Those clients will then accept all certificates signed by your CA.

Option 2 (self-signing a certificate without a CA) is easier. If you just need a single certificate, then this is sufficient. Install it in the keystores of your clients and you are done. But when you need a second certificate, you need to install that again on all clients.

Here is a link with further information: Creating Certificate Authorities and self-signed SSL certificates
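
The two setups from the question, reproduced with the `openssl` command line as an added example (not part of the original question or answer). The file names, subject names and the minimal config are constructed for illustration, and the script goes one step beyond the answer by issuing a second certificate under each option to show which one a client accepts without a trust-store change.

```shell
# Added example: option 1 (ssCA signs C) versus option 2 (SSC is its own anchor).
# File names, subjects and this minimal config are constructed for illustration.
set -e
WORK=$(mktemp -d)
cat > "$WORK/min.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# new_selfsigned NAME SUBJECT [extra req args]: private key plus self-signed cert
new_selfsigned() {
  name=$1; subj=$2; shift 2
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/min.cnf" \
    -subj "$subj" -keyout "$WORK/$name.key" -out "$WORK/$name.crt" "$@" 2>/dev/null
}

# new_signed NAME SUBJECT: private key plus CSR, then a certificate issued by ssCA
new_signed() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/min.cnf" -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ssCA.crt" -CAkey "$WORK/ssCA.key" \
    -CAcreateserial -days 30 -out "$WORK/$1.crt" 2>/dev/null
}

# trusts ANCHOR CERT: succeeds if a client whose only trust anchor is ANCHOR accepts CERT
trusts() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# Option 1: the client installs ssCA.crt once; the server only ever holds C.key and C.crt.
new_selfsigned ssCA "/CN=Example ssCA" -extensions v3_ca
new_signed C  "/CN=server.example"
new_signed C2 "/CN=second.example"
# Option 2: the server certificate is itself the anchor installed on the client.
new_selfsigned SSC  "/CN=server.example"
new_selfsigned SSC2 "/CN=second.example"

for pair in "ssCA C" "ssCA C2" "SSC SSC" "SSC SSC2"; do
  # $pair is left unquoted on purpose so it splits into ANCHOR and CERT
  if trusts $pair; then echo "$pair: accepted"; else echo "$pair: rejected"; fi
done
```

Only the last pair is rejected: a client that trusts SSC has no reason to accept SSC2, while a client that trusts ssCA accepts both C and C2. In option 1 the CA private key (`ssCA.key`) is needed only at signing time and does not have to be stored on the server or the client.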
