• About certificate


    证书spec, X509, 类似规定了一个目录结构。其中重要内容包括

    • issuer: who isued this certificate
    • subject: the ID of this certificate 
    • public key: 
    • validate period
    • sign: the sha of this certificate, encritpted with the issuer's private key. (This is the mechanism how to verify the certificate)
    • in extention, other there is a link to get certificate of issuer. 

    DN (distingushed name)

    • include C(country), ST(state), O(organization), OU(部门,可以多个), CN(common name)
    • both Issuer and Subject are DN. 

    Certificate formate

    • PEM, base64 encoded DER file, easy to be edited
    • DER, CER, CRT.  same, DER, Distinguished Encoding Rules. openssl -inform der -in a.cert -text -noout
    • P12. Windows specific, contails both public key and private key. So the file itself should be encriypted.
    • p7b, p7c. CRL (certificate revocation list) 常用于证书吊销文件,不包括key
    • JKS. Java Key storage(Java 专利)利用 keytool 管理

    应用

    1. Safari and macOS, managed by "keychain access". The each keychain is stored in separated directory. login means the current login user.
    2. Java, keytool 管理,has different location from OS(e.g. /Library/Java/JavaVirtualMachines/jdk1.8.0_121.jdk/Contents/Home/jre/lib/security/cacerts), so even safari downloaded a Root CA for a website, Java may still not work.  
      1. keytool -list -keystore cacerts
    3. Python: 
      1. public certs stored in certifi module ([py_home]/site-packages/certifi/cacert.pem), then all python modules relying on certifi (e.g. requests) could load certs for ssl verification 
      2. However, pip is a standalone package that contains its own requests/certifi module and public cert storage.  One solution is to wrap original certifi.where() and pip._vendor.requests.certs.where() method to force return path ‘/etc/pki/tls/cert.pem’. Make sure all certs are store in it.
    4. CN name: https://security.stackexchange.com/questions/40026/openssl-x509-whats-the-significance-of-cn-common-name
    5. curl, use curl -v to see with cacert it is using, maybe /etc/ssl/cacert.pem, makeby $HOME/anaconda/ssl/cacert.pem. 
      1. 手动指定使用某个证书来验证网站 curl --cacert mycertificate.cer -v https://www.google.com

    References:

    • cert format,
      • https://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file
      • https://www.cnblogs.com/guogangj/p/4118605.html
    • https://en.wikipedia.org/wiki/X.509  (X.509 内容说明) , 
      •  PKIX (Public Key Infrastructure X.509)
      •  OCSP (Online Certificate Status Protocol)
    • verify certificate: https://stackoverflow.com/questions/188266/how-are-ssl-certificates-verified
    • Certificate Chain: 
      • https://ssl.comodo.com/articles/understanding-an-ssl-certificate-chain.php
      • https://support.dnsimple.com/articles/what-is-ssl-certificate-chain/

    Root certificate

    • Intermediate certifcate
      • client certificate. In SSL, webserver might need to veifiy the certificate of the client. Usually it doesn't.
  • 相关阅读:
    WebApi集成Grpc客户端
    【Oracle】AWR报告生成
    ora-7445 导致 ora-600 ,oracle数据库 11gR2崩溃
    .NET的并发编程(TPL编程)是什么?
    打算写一些Netty的文章了,先聊聊为什么要学习Netty
    2020实战复盘:如何从0到1搭建数据传输平台产品DTS?
    DevOps,CI,CD,自动化简单介绍
    【python刷题】二叉树递归-非递归遍历-序列-反序列化
    python正则表达式-匹配用符号分割的多个字符串
    用 Flutter 搭建标签+导航框架
  • 原文地址:https://www.cnblogs.com/bob-dong/p/10711884.html
Copyright © 2020-2023  润新知