签署证书的解决方案 [英] Solutions to sign certificates

问题描述

对于具有多个应用程序服务器和多个客户端的系统，我想介绍相互验证以及TLS提供的其他安全保护。

For a system with multiple application servers and multiple clients, I would like to introduce mutual authentication as well as other security protections provided by TLS.

服务器和客户端

每个实体（客户端或服务器）都有自己的密钥库，用于存储其私钥/公钥对和X.509证书，包装公钥。但是，在这一点上，证书是自签名的。因此，它不会被其他通信实体验证。经过一些研究，我已经查看了一些解决方案：

Each entity (client or server) has its own keystore that stores its private/public key pair and a X.509 certificate that wraps the public key. But, at this point, the certificate is self-signed. So, it will not be verified by the other communicating entities. After some research, I've looked at some solutions:

1. 创建将签署证书的私有CA。如果I
   理解得很好，CA的证书必须存在于每个实体的
   信任库中，以便其他实体的证书可以使用CA的证书来验证
   。


2. 创建专用CA作为第一个解决方案。但是，私人CA的证书由商业CA（例如，Verisign）签名。 I
   不知道它添加到以前的解决方案中。


3. 由商业CA签署每个实体的证书。但这种解决方案似乎很贵。


4. 仅使用自签名证书。每个实体的证书都由它自己签名，并且必须添加到它想要与之通信的每个
   实体的信任库中。

1. Creating a private CA that will sign the certificates. If I understand well, the CA's certificate must be present in the truststore of each entity so that certificates of other entities may be verified using the CA's certificate.
2. Creating a private CA as the first solution. But, the private CA's certificate is signed by a commercial CA (e.g. Verisign). I don't know what it adds to the previous solution.
3. Signing each entity's certificate by a commercial CA. But this solution seems expensive.
4. Use of self-signed certificates only. Each entity's certificate is self-signed by it and must be added to the truststore of each entity it wants to communicate with.

<这是我第一次的安全经验。

It's my first experience with security. Among the solutions that you consider as valid, which one do you recommend?

感谢

推荐答案

我已编号了您的选项，以便阅读。

I've numbered your options for easier reading.

您的选择4具有与第一个类似的安全和管理细节。也就是说您的选项将缩小为自己的vs第三方CA服务。虽然你可以从CA权威购买你自己的CA证书，它会花费，emm，很多。但是很多是由CA推销员根据具体情况决定的。

Your option 4 has comparable security and management specifics as the first one. I.e. your options are narrowed down to own-vs-thirdparty CA services. While you can buy your own CA certificate from CA authority, it would cost, emm, a lot. But how much is "a lot" is determined on case by case basis by CA salesmen.

在管理复杂性方面，我将它们按照以下顺序排列（首先是最简单的）：
3，1，2，4

In terms of management complexity I'd put them in the following order (first is the easiest): 3, 1, 2, 4

在选项1,2,4中，您必须管理您的证书，这需要知道PKI及其安全程序（除了纯技术性之外，您还需要确保私钥是受保护的）和用于证书生成和管理的软件（openssl等等对于大多数活动是不够的，并且很可能你需要编写自己的代码来生成证书）。

In options 1, 2, 4 you have to manage your certificates which requires both knowledge of PKI and it's security procedures (besides purely technical, you will need to ensure that private keys are protected) and software for certificate generation and management (openssl and alike won't be enough for most activities, and most likely you will need to write your own code for certificate generation).

这是一个好主意，有一个OCSP服务器，你必须运行自己的情况下的选项1,2和4.

And it's a good idea to have an OCSP server too, which you would have to run yourself in case of options 1, 2, 4.

这篇关于签署证书的解决方案的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！