Summary of certificate extensions and certificate classification

Self-signed certificate

Certificate extensions can be divided into private extensions and standard extensions. Private extensions are used for self-signed certificates, that is, certificates issued by users themselves rather than by a CA. Browsers generally do not ship the root certificate that signed a self-signed certificate, so when visiting such a site the browser warns that the certificate is not secure and could be forged. The user can still choose to trust the certificate and continue the TLS/SSL handshake; once the handshake completes, TLS/SSL still provides data encryption and integrity protection. Self-signed certificates are typically used internally or in test environments. Depending on whether the certificate can be revoked, they are divided into private self-signed certificates, which cannot be revoked, and private CA self-signed certificates, which can be revoked; this is not covered in detail here.

 

Standard certificate extensions

Returning to certificate extensions: the extensions of a self-signed certificate are called private extensions, while the extensions of a certificate issued by a CA according to the standard are called standard extensions. There can be many extensions, such as the SAN extension, key identifiers, key usage and basic constraints.

SAN extension

The SAN extension, i.e. Subject Alternative Name, holds alternative names for the subject. The subjectAltName item can contain IP addresses, domain names, e-mail addresses and so on, and each of these can have more than one value. Taking domain names as an example: when the owner of a CA-issued certificate has multiple domain names, one primary domain is placed in the Subject field and the other domains are placed in the SAN extension, with the first item in the SAN extension being the same DNS name as the primary domain in the Subject field. For a concrete example, look at the certificate of the CSDN website:

The Subject field holds the primary domain name, CN = *.csdn.net

In the SAN extension of the certificate, the first DNS Name is the same as the name in the Subject field. Through the SAN extension, multiple domain names can be added to a single certificate.

Subject key identifier and CA key identifier

The CA key identifier indicates which CA issued the certificate, as well as the address of the intermediate certificate; a CA issues server certificates through an intermediate CA certificate. The subject key identifier is used to identify the server entity's key.

Basic Constraints

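The Basic Constraints extension indicates whether this CA certificate can issue certificates. That is right: other server entity certificates are issued by a certificate, rather than directly by the CA organization. If every server entity certificate were issued by the CA organizations themselves, their workload would be very large, and there are not many trusted CAs, so a CA delegates to second-level CAs to issue certificates and manage certificate applications. In other words, an authorized second-level CA can also issue certificates for server entities. A trusted first-level CA has a root certificate that can issue second-level CA certificates, i.e. intermediate certificates, and the second-level CA can then issue server entity certificates. The default value of the basic constraint is false, indicating that the certificate can only be used for identity verification and cannot issue other server entity certificates. There is also an attribute, Path Length Constraint, which indicates how many levels of certificates this certificate can issue.

CRL distribution point

A CRL, Certificate Revocation List, is part of the TLS/SSL protocol. A CRL is a blacklist file that stores all revoked certificates issued by the CA, including the reason each certificate was revoked. If the browser, while verifying the server's identity, finds the certificate's serial number in the CRLs (Certificate Revocation Lists) blacklist, the certificate has been revoked.

So what is a CRL distribution point? It is an address on the Internet. The certificate's extensions include the CRL distribution point, and the browser can use it to check whether the certificate has been revoked: it downloads the full CRL file from the distribution point and then checks for the revoked certificate.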

 

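Certificate classification

The most common certificate type is the DV certificate (Domain Validated), which is suitable for personal websites. Requesting this type of certificate is fast and the review is lenient, because a DV certificate only requires verification of the domain name information. The CSR file that the server entity submits when applying for a certificate contains the server entity's domain name; once the CA has verified that the domain name really belongs to the server, the review passes and the DV certificate is issued to the server entity. However, as this outline of the DV application process shows, the CA mainly verifies the domain name information and does not strictly examine the identity of the server entity, so an attacker who has attacked DNS can easily impersonate the server entity and apply for a certificate with the same domain name.

The second type, the OV certificate (Organization Validated), involves a strict review of the server entity's identity information and suits enterprises and other organizations with high security requirements. When an enterprise applies for an OV certificate, in addition to the domain name, information such as the company's address and qualifications is reviewed. OV certificates issued after passing the review are usually trusted by all common browsers, and the "little green lock" is also shown when visiting the server. The application review for an OV certificate usually takes longer than for a DV certificate.

The third type, the EV certificate (Extended Validation), reviews identity information more strictly than both DV and OV certificates. The identity of the server entity is reviewed according to the Baseline Requirement standard. The Baseline Requirement standard differs from the X.509 standard in that X.509 constrains the structure of the certificate, while the Baseline Requirement standard constrains the process for reviewing the identity information of the certificate applicant. EV certificates are generally requested by organizations with extremely high security requirements, such as banks and e-commerce companies. The information reviewed includes the organization's address, business license and so on; the application review time is also the longest, longer than for an OV certificate, and the application fee is higher. When visiting a server with an EV certificate, in addition to the "little green lock", the name of the company is also displayed, whereas DV and OV certificates only show the "little green lock".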

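Single-domain certificates and wildcard certificates

Registered domain

Within server domain names, multiple subdomains can be allocated under one registered domain. For example, in www.zzzjustin.com, zzzjustin.com is the registered domain; based on this registered domain we can allocate multiple hosts, such as www1.zzzjustin.com and www2.zzzjustin.com. Putting "." in front of the registered domain denotes the set of these subdomains, and .zzzjustin.com is called a wildcard domain.

If an enterprise has obtained a certificate for the registered domain zzzjustin.com and later wants to allocate a new host www1.zzzjustin.com, it does not need to apply for a new certificate for that host; it simply merges the host into the same certificate as the registered domain zzzjustin.com. A certificate that covers multiple hosts in this way is called a wildcard certificate: each time a host is added under the registered domain, no new certificate application is needed. Correspondingly, there are single-domain certificates, where one domain name corresponds to one certificate and the certificate protects only that one domain name.

What if an enterprise has multiple registered domains, for example www.zzzjustin.com and www.zzzjustin.cn? In that case it can apply for a SAN certificate, which merges multiple registered domains into one certificate.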
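
The single-domain, wildcard and SAN cases above, as an added example (not code from the original article) of how a client decides which hostnames a certificate covers. It matches against SAN dNSName entries only, as current browsers do; the function names and the SAN lists are constructed for illustration.

```python
import ipaddress

def _labels(name):
    # DNS names are case-insensitive; a trailing dot denotes the same name.
    return name.rstrip(".").lower().split(".")

def dns_name_matches(pattern, hostname):
    """True if one SAN dNSName entry (possibly a wildcard) covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h or "*" in hostname:
        return False
    if p[0] == "*":
        # The wildcard stands for exactly one leftmost label. Requiring two
        # fixed labels after it (so "*.net" never matches) is a simplification
        # assumed here; real clients consult the public suffix list.
        return len(p) >= 3 and p[1:] == h[1:]
    # Partial wildcards such as "w*.csdn.net" are rejected outright.
    return "*" not in pattern and p == h

def cert_covers(san_dns_names, hostname):
    """True if any SAN dNSName entry covers hostname (Subject CN is ignored)."""
    try:
        ipaddress.ip_address(hostname)
        return False  # IP literals are matched against iPAddress entries only
    except ValueError:
        return any(dns_name_matches(p, hostname) for p in san_dns_names)

# Constructed SAN lists using the names from the article (not real cert dumps).
WILDCARD_CERT = ["*.csdn.net", "csdn.net"]
SINGLE_CERT = ["www.zzzjustin.com"]
SAN_CERT = ["www.zzzjustin.com", "www.zzzjustin.cn"]

if __name__ == "__main__":
    checks = [
        (WILDCARD_CERT, "blog.csdn.net"),     # one label under the wildcard
        (["*.csdn.net"], "csdn.net"),         # bare domain needs its own entry
        (["*.csdn.net"], "a.b.csdn.net"),     # wildcard spans one label only
        (SINGLE_CERT, "www1.zzzjustin.com"),  # new host, single-domain cert
        (SAN_CERT, "www.zzzjustin.cn"),       # second registered domain
    ]
    for san, host in checks:
        print(f"{host:22} {san} -> {cert_covers(san, host)}")
```

The wildcard entry covers exactly one label, so the bare registered domain and deeper subdomains each need their own SAN entry.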


Origin blog.csdn.net/justinzengTM/article/details/104094661