证书spec, X509, 类似规定了一个目录结构。其中重要内容包括
- issuer: who isued this certificate
- subject: the ID of this certificate
- public key:
- validate period
- sign: the sha of this certificate, encritpted with the issuer's private key. (This is the mechanism how to verify the certificate)
- in extention, other there is a link to get certificate of issuer.
DN (distingushed name)
- include C(country), ST(state), O(organization), OU(部门,可以多个), CN(common name)
- both Issuer and Subject are DN.
Certificate formate
- PEM, base64 encoded DER file, easy to be edited
- DER, CER, CRT. same, DER, Distinguished Encoding Rules. openssl -inform der -in a.cert -text -noout
- P12. Windows specific, contails both public key and private key. So the file itself should be encriypted.
- p7b, p7c. CRL (certificate revocation list) 常用于证书吊销文件,不包括key
- JKS. Java Key storage(Java 专利)利用 keytool 管理
应用
- Safari and macOS, managed by "keychain access". The each keychain is stored in separated directory. login means the current login user.
- Java, keytool 管理,has different location from OS(e.g. /Library/Java/JavaVirtualMachines/jdk1.8.0_121.jdk/Contents/Home/jre/lib/security/cacerts), so even safari downloaded a Root CA for a website, Java may still not work.
- keytool -list -keystore cacerts
- Python:
- public certs stored in certifi module ([py_home]/site-packages/certifi/cacert.pem), then all python modules relying on certifi (e.g. requests) could load certs for ssl verification
- However, pip is a standalone package that contains its own requests/certifi module and public cert storage. One solution is to wrap original certifi.where() and pip._vendor.requests.certs.where() method to force return path ‘/etc/pki/tls/cert.pem’. Make sure all certs are store in it.
- CN name: https://security.stackexchange.com/questions/40026/openssl-x509-whats-the-significance-of-cn-common-name
- curl, use curl -v to see with cacert it is using, maybe /etc/ssl/cacert.pem, makeby $HOME/anaconda/ssl/cacert.pem.
- 手动指定使用某个证书来验证网站 curl --cacert mycertificate.cer -v https://www.google.com
References:
- cert format,
- https://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file
- https://www.cnblogs.com/guogangj/p/4118605.html
- https://en.wikipedia.org/wiki/X.509 (X.509 内容说明) ,
- PKIX (Public Key Infrastructure X.509)
- OCSP (Online Certificate Status Protocol)
- verify certificate: https://stackoverflow.com/questions/188266/how-are-ssl-certificates-verified
- Certificate Chain:
- https://ssl.comodo.com/articles/understanding-an-ssl-certificate-chain.php
- https://support.dnsimple.com/articles/what-is-ssl-certificate-chain/
Root certificate
- Intermediate certifcate
- client certificate. In SSL, webserver might need to veifiy the certificate of the client. Usually it doesn't.