添加的内容 删除的内容
小 (移除无用链接) |
无编辑摘要 |
||
| 第179行: | 第179行: | ||
}} |
}} |
||
</ref> |
</ref> |
||
== X.509证书样例 == |
|||
下面是[[GlobalSign]]颁发的用于wikipedia.org以及一些其它Wikipedia网站X.509证书。证书颁发者填在颁发者(Issuer)字段,主题内容里是组织机构Wikipedia的描述,主题备用名称是那些采用该证书的服务器的主机名。主题公钥里的信息表明采用的是[[椭圆曲线]]公共密钥,位于最后的签名算法表示它是由GlobalSign用其私钥并采用带[[RSA]]加密的SHA-256算法进行签名的。 |
|||
=== 最终實體證書(或者叫叶子证书) === |
|||
認證: |
|||
版本: 3 (0x2) |
|||
序號: 10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6 |
|||
簽章演算法: sha256WithRSAEncryption |
|||
發行者: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 |
|||
有效期開始時間: Nov 21 08:00:00 2016 GMT |
|||
有效期結束時間: Nov 22 07:59:59 2017 GMT |
|||
主體: C=US, ST=California, L=San Francisco, O=Wikimedia Foundation, Inc., CN=*.wikipedia.org |
|||
主體公鑰信息(subject public key info): |
|||
公鑰算法: id-ecPublicKey |
|||
256位的公鑰: |
|||
04:c9:22:69:31:8a:d6:6c:ea:da:c3:7f:2c:ac:a5: |
|||
af:c0:02:ea:81:cb:65:b9:fd:0c:6d:46:5b:c9:1e: |
|||
ed:b2:ac:2a:1b:4a:ec:80:7b:e7:1a:51:e0:df:f7: |
|||
c7:4a:20:7b:91:4b:20:07:21:ce:cf:68:65:8c:c6: |
|||
9d:3b:ef:d5:c1 |
|||
ASN1 OID: prime256v1 |
|||
NIST CURVE: P-256 |
|||
額外資訊(extension): |
|||
密鑰使用: |
|||
敏感訊息(critical):是 |
|||
公鑰用途:數位簽章,密鑰協商Key Agreement |
|||
授權相關訊息: |
|||
敏感訊息(critical):否 |
|||
頒發者URI:<nowiki>http://secure.globalsign.com/cacert/gsorganizationvalsha2g2r1.crt</nowiki> |
|||
線上憑證狀態協定(OCSP)URI:<nowiki>http://ocsp2.globalsign.com/gsorganizationvalsha2g2</nowiki> |
|||
證書原則(Certificate Policies): |
|||
敏感訊息(critical):否 |
|||
policy ID#1: 1.3.6.1.4.1.4146.1.20 |
|||
CPS URI: <nowiki>https://www.globalsign.com/repository/</nowiki> |
|||
policy ID#2: 2.23.140.1.2.2 |
|||
基本限制: |
|||
CA:FALSE |
|||
憑證撤銷中心(X509v3 CRL Distribution Points): |
|||
敏感訊息(critical):否 |
|||
URI:<nowiki>http://crl.globalsign.com/gs/gsorganizationvalsha2g2.crl</nowiki> |
|||
主體備用名稱: |
|||
敏感訊息(critical):否 |
|||
DNS:*.wikipedia.org, DNS:*.m.mediawiki.org, DNS:*.m.wikibooks.org, DNS:*.m.wikidata.org, DNS:*.m.wikimedia.org, DNS:*.m.wikimediafoundation.org, DNS:*.m.wikinews.org, DNS:*.m.wikipedia.org, DNS:*.m.wikiquote.org, DNS:*.m.wikisource.org, DNS:*.m.wikiversity.org, DNS:*.m.wikivoyage.org, DNS:*.m.wiktionary.org, DNS:*.mediawiki.org, DNS:*.planet.wikimedia.org, DNS:*.wikibooks.org, DNS:*.wikidata.org, DNS:*.wikimedia.org, DNS:*.wikimediafoundation.org, DNS:*.wikinews.org, DNS:*.wikiquote.org, DNS:*.wikisource.org, DNS:*.wikiversity.org, DNS:*.wikivoyage.org, DNS:*.wiktionary.org, DNS:*.wmfusercontent.org, DNS:*.zero.wikipedia.org, DNS:mediawiki.org, DNS:w.wiki, DNS:wikibooks.org, DNS:wikidata.org, DNS:wikimedia.org, DNS:wikimediafoundation.org, DNS:wikinews.org, DNS:wikiquote.org, DNS:wikisource.org, DNS:wikiversity.org, DNS:wikivoyage.org, DNS:wiktionary.org, DNS:wmfusercontent.org, DNS:wikipedia.org |
|||
(在額外訊息中的)密鑰使用目的: |
|||
敏感訊息(critical):否 |
|||
目的1:TLS Web伺服器鑑定 |
|||
目的2:TLS Web客户端鑑定 |
|||
主體密鑰識別代碼(Subject Key Identifier): |
|||
敏感訊息(critical):否 |
|||
密鑰id: 28:2A:26:2A:57:8B:3B:CE:B4:D6:AB:54:EF:D7:38:21:2C:49:5C:36 |
|||
授權密鑰識別代碼(X509v3 Authority Key Identifier): |
|||
敏感訊息(critical):否 |
|||
密鑰id:96:DE:61:F1:BD:1C:16:29:53:1C:C0:CC:7D:3B:83:00:40:E6:1A:7C |
|||
簽章算法: sha256WithRSAEncryption |
|||
數位簽章: 8b:c3:ed:d1:9d:39:6f:af:40:72:bd:1e:18:5e:30:54:23:35: |
|||
... |
|||
要验证这个证书,我们需要一个跟该证书颁发者及授权密钥标识符 |
|||
{| class="wikitable" |
|||
|颁发者 |
|||
|C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 |
|||
|- |
|||
|授权密钥标识符 |
|||
|96:DE:61:F1:BD:1C:16:29:53:1C:C0:CC:7D:3B:83:00:40:E6:1A:7C |
|||
|}都匹配的中间证书 |
|||
配置正确的服务器可以在TLS连接建立的握手阶段同时提供其中间证书。但是也有可能需要根据证书里颁发者的URL去取得中间证书。 |
|||
=== 中间证书 === |
|||
下面是[[证书颁发机构]]的证书示例。该证书是由下例根证书签名的用于颁发上例最终实体证书的证书。当然它的主题标识符跟上例证书的授权密钥标识符是相匹配的。 |
|||
证书: |
|||
版本: 3 (0x2) |
|||
序列号: 04:00:00:00:00:01:44:4e:f0:42:47 |
|||
签名算法: sha256WithRSAEncryption |
|||
颁发者: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA |
|||
此前无效: Feb 20 10:00:00 2014 GMT |
|||
此后无效: Feb 20 10:00:00 2024 GMT |
|||
主题: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 |
|||
主题公钥信息: |
|||
公钥算法: rsaEncryption |
|||
2048位的公钥: |
|||
00:c7:0e:6c:3f:23:93:7f:cc:70:a5:9d:20:c3:0e: |
|||
... |
|||
指数: 65537 (0x10001) |
|||
X509 v3扩展: |
|||
X509v3 密钥使用: |
|||
关键:是 |
|||
用于:证书签名, CRL签名 |
|||
基本约束: |
|||
关键:是 |
|||
证书颁发机构:是 |
|||
路径长度限制:0 |
|||
主题密钥标识符: |
|||
关键:否 |
|||
密钥: 96:DE:61:F1:BD:1C:16:29:53:1C:C0:CC:7D:3B:83:00:40:E6:1A:7C |
|||
96:DE:61:F1:BD:1C:16:29:53:1C:C0:CC:7D:3B:83:00:40:E6:1A:7C |
|||
证书策略: |
|||
关键:否 |
|||
策略1: 任何策略标识符 |
|||
CPS URI: <nowiki>https://www.globalsign.com/repository/</nowiki> |
|||
CRL 分发点: |
|||
关键:否 |
|||
URI:<nowiki>http://crl.globalsign.net/root.crl</nowiki> |
|||
授权相关信息: |
|||
关键:否 |
|||
在线证书状态协议(OCSP)URI:<nowiki>http://ocsp.globalsign.com/rootr1</nowiki> |
|||
授权密钥标识符: |
|||
关键:否 |
|||
密钥:60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B |
|||
签名算法: sha256WithRSAEncryption |
|||
数字签名:46:2a:ee:5e:bd:ae:01:60:37:31:11:86:71:74:b6:46:49:c8: |
|||
... |
|||
=== 根证书 === |
|||
下面是证书颁发机构的自签名根证书。它的颁发者和主题是相同的,可以用自身的公钥进行合法认证。证书认证过程也将在此终止。如果应用已经在它的可信公钥存贮里已经含有该公钥证书,那么TLS连接时的那个最终实体证书是可信的,否则就是不可信的。 |
|||
证书: |
|||
版本: 3 (0x2) |
|||
序列号: 04:00:00:00:00:01:15:4b:5a:c3:94 |
|||
Signature Algorithm: sha1WithRSAEncryption |
|||
Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA |
|||
Validity |
|||
Not Before: Sep 1 12:00:00 1998 GMT |
|||
Not After : Jan 28 12:00:00 2028 GMT |
|||
Subject: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA |
|||
Subject Public Key Info: |
|||
Public Key Algorithm: rsaEncryption |
|||
Public-Key: (2048 bit) |
|||
Modulus: |
|||
00:da:0e:e6:99:8d:ce:a3:e3:4f:8a:7e:fb:f1:8b: |
|||
... |
|||
Exponent: 65537 (0x10001) |
|||
X509v3 extensions: |
|||
X509v3 Key Usage: critical |
|||
Certificate Sign, CRL Sign |
|||
X509v3 Basic Constraints: critical |
|||
CA:TRUE |
|||
X509v3 Subject Key Identifier: |
|||
60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B |
|||
Signature Algorithm: sha1WithRSAEncryption |
|||
d6:73:e7:7c:4f:76:d0:8d:bf:ec:ba:a2:be:34:c5:28:32:b5: |
|||
... |
|||
== 安全性 == |
== 安全性 == |
||