ACME - Acquire certificate for subdomains with SAN

I am interested in the upcoming Automated Certificate Management Environment (ACME). I downloaded the demo and tried it out on my main domain. I still have one question: with the regular certification process I am able to obtain a SAN certificate, so that I can set it up on my server (Node.js) and serve it for all subdomains (i.e. virtual hosts). The problem is that the current draft states the following:

Key Authorization
This process may be repeated to associate multiple identifiers to a key pair (e.g., to request certificates with multiple identifiers)

Does this mean I need to issue a new certificate, generated from the same key, for each individual subdomain, even though they belong to the same main domain ("main identifier")?

Thanks for your answers.

My understanding

to request certificates with multiple identifiers

You will be able to associate multiple domains with one certificate. These domains will most likely be stated in the certificate's Subject Alternative Name extension.

Each domain will be validated by the CA, and only the validated domains will be put into the issued certificate.

It is not spelled out clearly in the spec, but it made sense to me after reading section 5.6, specifically:

The CSR encodes the client’s requests with regard to the content of the certificate to be issued. The CSR MUST contain at least one extensionRequest attribute [RFC2985] requesting a subjectAltName extension, containing the requested identifiers.

The values provided in the CSR are only a request, and are not guaranteed. The server or CA may alter any fields in the certificate before issuance. For example, the CA may remove identifiers that are not authorized for the key indicated in the “authorization” field.
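To make the quoted requirement concrete, here is an added example (not part of the question or the answer above) that builds a CSR whose subjectAltName extension lists a main domain plus several subdomains, and then reads the requested identifiers back out of the CSR. It assumes OpenSSL 1.1.1 or newer on the PATH (for `-addext`); the domain names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or any ACME client.
# Assumes OpenSSL >= 1.1.1 (needed for `req -addext`). Names below are constructed.
set -eu

# make_san_csr KEYFILE CSRFILE NAME... : generate a fresh RSA key and a CSR that
# requests every NAME via a subjectAltName extension (the first NAME becomes the CN).
make_san_csr() {
  key=$1; csr=$2; shift 2
  san=""
  for name in "$@"; do
    san="${san:+$san,}DNS:$name"
  done
  openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
    -subj "/CN=$1" -addext "subjectAltName=$san" 2>/dev/null
}

# csr_sans CSRFILE : print the DNS names requested in the CSR's subjectAltName,
# one per line, in the order they appear.
csr_sans() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'X509v3 Subject Alternative Name' \
    | tail -n1 \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Stand-alone demo: one CSR covering the main domain and two subdomains.
work=$(mktemp -d)
make_san_csr "$work/demo.key" "$work/demo.csr" \
  example.invalid www.example.invalid api.example.invalid
echo "Identifiers requested in $work/demo.csr:"
csr_sans "$work/demo.csr"
```

Listing a name in the CSR only requests it; the ACME server still validates each identifier and may drop any it cannot authorize, so after issuance it is worth running the same `openssl x509 -noout -text` check on the returned certificate and comparing its SAN list with what was asked for.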