Client Authentication (1.3.6.1.5.5.7.3.2) OID in server certificates
Problem description
For a project I'm working on I have to generate a web server certificate. As I understand it, server certificates should contain the Server Authentication OID (1.3.6.1.5.5.7.3.1). But as I see it, all server certificates issued by well-known issuers like Verisign also contain the Client Authentication OID (1.3.6.1.5.5.7.3.2).
I tried to use a certificate with only the server authentication OID - it seems to work fine.
Questions
- Why is the client authentication OID needed for server certificates?
- Is it needed for some legacy support, or is there another reason for it?
The difference between the two is exactly how they're described.
For using a certificate as a server (on the receiving end of the connection), it must have the Server extended key usage.
In a 2-way SSL connection, where the client (on the initiating end of the connection) presents a certificate back to the server, it must have the Client extended key usage.
If you're never using the certificate as a client cert, you won't need the Client Authentication OID.
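As an added example (not code from the question or the answer above), here is how the two key-purpose OIDs appear in DER inside the extendedKeyUsage extension, and how a relying party decides whether a certificate may be used in the server or the client role. It uses a small hand-written DER encoder/decoder instead of a library; the OID values and the rule that an absent extendedKeyUsage imposes no restriction are from RFC 5280 section 4.2.1.12. Accepting anyExtendedKeyUsage as sufficient for either role is this example's own choice (RFC 5280 allows applications to reject it); the sample EKU values are constructed here.

```python
"""Encode/decode an X.509 extendedKeyUsage (EKU) value and decide whether a
certificate carrying it may act as a TLS server or a TLS client.

Added example with a minimal DER codec (short-form lengths only); the OIDs are
the real key-purpose identifiers from RFC 5280, the sample values are constructed.
"""

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
ANY_EKU = "2.5.29.37.0"             # anyExtendedKeyUsage


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID: tag 0x06, length, first two arcs packed as
    40*a+b, remaining arcs in base-128 with the continuation bit set."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    assert len(body) < 128, "short-form length only in this example"
    return bytes([0x06, len(body)]) + bytes(body)


def encode_eku(oids) -> bytes:
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId (OID)."""
    body = b"".join(encode_oid(o) for o in oids)
    assert len(body) < 128, "short-form length only in this example"
    return bytes([0x30, len(body)]) + body


def _read_tlv(buf: bytes, pos: int):
    """Read one short-form DER TLV at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form lengths not supported in this example")
    start = pos + 2
    if start + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[start:start + length], start + length


def decode_oid(body: bytes) -> str:
    """Reverse of encode_oid for the value bytes (first arc assumed 0 or 1, or
    2 with a second arc below 40, which covers the OIDs used here)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # last byte of this arc
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def decode_eku(der: bytes):
    """Parse an encoded extendedKeyUsage value into a list of dotted OIDs."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t != 0x06:
            raise ValueError("EKU members must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(v))
    return oids


def allowed_for(eku_der, purpose: str) -> bool:
    """Relying-party check: no EKU extension means no restriction; otherwise
    the purpose (or anyExtendedKeyUsage) must be listed."""
    if eku_der is None:
        return True
    oids = decode_eku(eku_der)
    return purpose in oids or ANY_EKU in oids


if __name__ == "__main__":
    server_only = encode_eku([SERVER_AUTH])            # constructed sample
    both = encode_eku([SERVER_AUTH, CLIENT_AUTH])       # constructed sample
    print("serverAuth only :", server_only.hex())
    print("server+client   :", both.hex())
    for name, eku in (("server-only", server_only), ("both", both), ("no EKU", None)):
        print(f"{name:12} server role: {allowed_for(eku, SERVER_AUTH)}, "
              f"client role: {allowed_for(eku, CLIENT_AUTH)}")
```

The printed hex shows the serverAuth OID as `06 08 2b 06 01 05 05 07 03 01`; the clientAuth OID differs only in its final byte. A certificate whose EKU lists only serverAuth passes the server-role check and fails the client-role check, which is what the answer above describes.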