About certificate

其他 2019-04-15 18:18:03 阅读次数: 0

证书spec, X509, 类似规定了一个目录结构。其中重要内容包括

  • issuer: who isued this certificate
  • subject: the ID of this certificate 
  • public key: 
  • validate period
  • sign: the sha of this certificate, encritpted with the issuer's private key. (This is the mechanism how to verify the certificate)
  • in extention, other there is a link to get certificate of issuer. 

DN (distingushed name)

  • include C(country), ST(state), O(organization), OU(部门,可以多个), CN(common name)
  • both Issuer and Subject are DN. 

Certificate formate

  • PEM, base64 encoded DER file, easy to be edited
  • DER, CER, CRT.  same, DER, Distinguished Encoding Rules. openssl -inform der -in a.cert -text -noout
  • P12. Windows specific, contails both public key and private key. So the file itself should be encriypted.
  • p7b, p7c. CRL (certificate revocation list) 常用于证书吊销文件,不包括key
  • JKS. Java Key storage(Java 专利)利用 keytool 管理

应用

  1. Safari and macOS, managed by "keychain access". The each keychain is stored in separated directory. login means the current login user.
  2. Java, keytool 管理,has different location from OS(e.g. /Library/Java/JavaVirtualMachines/jdk1.8.0_121.jdk/Contents/Home/jre/lib/security/cacerts), so even safari downloaded a Root CA for a website, Java may still not work.  
    1. keytool -list -keystore cacerts
  3. Python: ??? TBD
  4. CN name: https://security.stackexchange.com/questions/40026/openssl-x509-whats-the-significance-of-cn-common-name
  5. curl, use curl -v to see with cacert it is using, maybe /etc/ssl/cacert.pem, makeby $HOME/anaconda/ssl/cacert.pem. 
    1. 手动指定使用某个证书来验证网站 curl --cacert mycertificate.cer -v https://www.google.com

References:

  • cert format,
    • https://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file
    • https://www.cnblogs.com/guogangj/p/4118605.html
  • https://en.wikipedia.org/wiki/X.509  (X.509 内容说明) , 
    •  PKIX (Public Key Infrastructure X.509)
    •  OCSP (Online Certificate Status Protocol)
  • verify certificate: https://stackoverflow.com/questions/188266/how-are-ssl-certificates-verified
  • Certificate Chain: 
    • https://ssl.comodo.com/articles/understanding-an-ssl-certificate-chain.php
    • https://support.dnsimple.com/articles/what-is-ssl-certificate-chain/

Root certificate

  • Intermediate certifcate
    • client certificate. In SSL, webserver might need to veifiy the certificate of the client. Usually it doesn't.

猜你喜欢

转载自www.cnblogs.com/bob-dong/p/10711884.html
今日推荐
NetBSD 禁止提交由 AI 生成的代码
Apache Doris 2.0.10 版本正式发布!
开源日报 | 大模型开战;大模型独角兽被曝卖身;周鸿祎建议谷歌开源所有产品;最大开源AI社区提供1000万美元共享GPU
开源日报 | Chrome内置Gemini的意义不在于Gemini;中国AI追随之路的五大误区;ECharts创始人“下海”养鱼;谷歌I/O开发者大会什么都有,只是没有惊喜
微软回应中国区AI团队“打包赴美”传闻
基于大语言模型的开源知识库问答系统 MaxKB GitHub Star 数量突破 5,000 个!
周排行
static方法和非static方法的区别(java)
如何查找计算机专业paper
java.lang.ClassFormatError: Incompatible magic value 0 in class file com/sitecha
跳跃游戏II
stm32_之【建立工程】
TeaWeb v0.0.9 发布,统计底层优化、主机监控功能改进
事件分发 -----控制字体大小
JavaScript DOM练习(动态表格添加) December 25,2019
JSF Scope & CDI
实现从零搭建一个登录注册页面(附源代码)
每日归档
更多
2024-05-19(0)
2024-05-18(4)
2024-05-17(34)
2024-05-16(6)
2024-05-15(24)
2024-05-14(0)
2024-05-13(18)
2024-05-12(0)
2024-05-11(38)
2024-05-10(38)

代码天地 © 2018 codetd.com

境外服务器   最新电视剧2022