为什么 SSL 证书是用私钥签名的?
Why SSL certificates are signed with private key?
据我所知,所有 SSL 证书都是使用非对称 pub/priv 密钥对的 public 密钥签署的。
但是所有(至少我检查过的)互联网上的示例都使用私钥
我找到的一种自签名方法是使用以下命令:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
我发现的其他方法是:
sudo openssl genrsa -out mykey.key 2048
sudo openssl req -new -key mykey.key -out mycsr.csr
sudo openssl x509 -req -days 365 -in mycsr.csr -signkey mykey.key -out mycert.crt
以上示例是否使用 public 密钥创建证书或私钥。如果是私钥,它是正确的用法吗?
还有一件事,
自签名与 CA 签名证书有什么区别。
证书中是否有签名机构的任何其他信息?
CA 签名究竟意味着什么?
他们是使用自己的私钥签名还是这是怎么回事?
编辑:
以上说法As far as I read来自以下网站第2点。
我对 SSL 概念的理解可能完全错误
http://tldp.org/HOWTO/SSL-Certificates-HOWTO/x64.html
如果私钥用于签署证书并且在 apache http 服务器配置中使用相同的私钥我仍然很困惑浏览器将从哪里获得 public 初始 SSL 握手中的密钥
我指的是apache httpd的如下配置
<VirtualHost 192.168.0.1:443>
DocumentRoot /var/www/html2
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /path/to/your_domain_name.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>
更新:
我特意指出上面 link 的 section 1.2.2 其中指出
This someone, you have to implicitly trust: you have his/her certificate loaded in your browser (a root Certificate). A certificate, contains information about the owner of the certificate, like e-mail address, owner's name, certificate usage, duration of validity, resource location or Distinguished Name (DN) which includes the Common Name (CN) (web site address or e-mail address depending of the usage) and the certificate ID of the person who certifies (signs) this information. It contains also the public key and finally a hash to ensure that the certificate has not been tampered with.
Why SSL certificates are signed with the private key?
因为这就是数字签名的定义方式。使用 public 密钥签名并不能证明任何事情。数字签名必须是只有签名者才能做的事情,就像你在支票上的签名更难伪造一样。更难了。
As far as I read all the SSL certificates are signed using public key of the asymmetric pub/priv key pair.
不,你没有,你误解了你正在阅读的内容。
But all (atleast what I checked) the examples out there on internet are using private key
当然可以。
Are the above examples using public key to create the certificate or private key. If private key, is it a right usage?
他们都在使用。 public 密钥嵌入在证书中,私钥用于签名。
What is the difference from self-signing vs CA signing the certificate.
Is there any additional information of the signing authority present in the certificate?
是的,有一个 IssuerDN 字段。
And what does CA signing actually mean? Do they use their own private keys to sign?
是的。
The above statement As far as I read is from point#2 of the following website.
不,不是。
I could be completely wrong
是的。
If private key is used for signing the certificate and also the same private key is used in apache http server configuration I'm still confused from where will the browser get the public key in its initial SSL handshake
来自证书。
I'm specially pointing to the section 1.2.2 of the above link where it states
[snip] It contains also the public key and finally a hash to ensure that the certificate has not been tampered with.
没有关于使用 public 密钥签署证书的内容。 'Contains' 不代表 'signed with'.
据我所知,所有 SSL 证书都是使用非对称 pub/priv 密钥对的 public 密钥签署的。
但是所有(至少我检查过的)互联网上的示例都使用私钥
我找到的一种自签名方法是使用以下命令:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
我发现的其他方法是:
sudo openssl genrsa -out mykey.key 2048
sudo openssl req -new -key mykey.key -out mycsr.csr
sudo openssl x509 -req -days 365 -in mycsr.csr -signkey mykey.key -out mycert.crt
以上示例是否使用 public 密钥创建证书或私钥。如果是私钥,它是正确的用法吗?
还有一件事,
自签名与 CA 签名证书有什么区别。
证书中是否有签名机构的任何其他信息?
CA 签名究竟意味着什么?
他们是使用自己的私钥签名还是这是怎么回事?
编辑:
以上说法As far as I read来自以下网站第2点。
我对 SSL 概念的理解可能完全错误
http://tldp.org/HOWTO/SSL-Certificates-HOWTO/x64.html
如果私钥用于签署证书并且在 apache http 服务器配置中使用相同的私钥我仍然很困惑浏览器将从哪里获得 public 初始 SSL 握手中的密钥
我指的是apache httpd的如下配置
<VirtualHost 192.168.0.1:443>
DocumentRoot /var/www/html2
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /path/to/your_domain_name.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>
更新:
我特意指出上面 link 的 section 1.2.2 其中指出
This someone, you have to implicitly trust: you have his/her certificate loaded in your browser (a root Certificate). A certificate, contains information about the owner of the certificate, like e-mail address, owner's name, certificate usage, duration of validity, resource location or Distinguished Name (DN) which includes the Common Name (CN) (web site address or e-mail address depending of the usage) and the certificate ID of the person who certifies (signs) this information. It contains also the public key and finally a hash to ensure that the certificate has not been tampered with.
Why SSL certificates are signed with the private key?
因为这就是数字签名的定义方式。使用 public 密钥签名并不能证明任何事情。数字签名必须是只有签名者才能做的事情,就像你在支票上的签名更难伪造一样。更难了。
As far as I read all the SSL certificates are signed using public key of the asymmetric pub/priv key pair.
不,你没有,你误解了你正在阅读的内容。
But all (atleast what I checked) the examples out there on internet are using private key
当然可以。
Are the above examples using public key to create the certificate or private key. If private key, is it a right usage?
他们都在使用。 public 密钥嵌入在证书中,私钥用于签名。
What is the difference from self-signing vs CA signing the certificate. Is there any additional information of the signing authority present in the certificate?
是的,有一个 IssuerDN 字段。
And what does CA signing actually mean? Do they use their own private keys to sign?
是的。
The above statement As far as I read is from point#2 of the following website.
不,不是。
I could be completely wrong
是的。
If private key is used for signing the certificate and also the same private key is used in apache http server configuration I'm still confused from where will the browser get the public key in its initial SSL handshake
来自证书。
I'm specially pointing to the section 1.2.2 of the above link where it states
[snip] It contains also the public key and finally a hash to ensure that the certificate has not been tampered with.
没有关于使用 public 密钥签署证书的内容。 'Contains' 不代表 'signed with'.