堆栈内存溢出
  简体   繁体   English

SSL为什么不通过自己的CA启用Apache?

[英]Why not SSL enable Apache with own CA?

 原文  2017-08-29 23:36:18       ssl/ certificate/ authority

问题描述

I purchased a domain name. 我购买了一个域名。 I set up a website that is deployed on Apache, that is accessible at my domain, currently on http protocol "port 80". 我建立了一个部署在Apache上的网站,该网站可以在我的域中访问,当前在http协议“端口80”上。 I now want to configure this Apache server for SSL. 我现在想为此Apache服务器配置SSL。 I'm evaluating the below 2 options. 我正在评估以下2个选项。

Option #1: I create the "Certificate Signing Request" (CSR), then while acting as the CA, I create the certificate based on the CSR, I then configure Apache to be running on port 443, with the certificate I created. 选项#1:创建“证书签名请求”(CSR),然后在充当CA的同时,创建基于CSR的证书,然后将Apache创建的证书配置为在端口443上运行。

Option #2: I create the CSR, I submit my CSR to a widely known CA like Symantec to get a certificate. 选项2:我创建CSR,然后将CSR提交给Symantec等广为人知的CA以获得证书。 I then configure Apache to be running on port 443, with the certificate provided by Symantec. 然后,我使用Symantec提供的证书将Apache配置为在端口443上运行。

What are the downfalls to option #1? 选项1的缺点是什么?

From an end-user perspective "someone accessing my site", what indications would they have that I used option #1? 从最终用户“有人访问我的网站”的角度来看,他们有什么迹象表明我使用了选项1?

Is it correct to assume, with option #1, that I couldn't get end-users accessing my site to get a green bar menu? 使用选项#1假设我无法让最终用户访问我的网站以获得绿色栏菜单是否正确?

1 个解决方案

解决方案1
 0 已采纳  2017-08-29 23:53:26

With option 1 the end user has no confidence they are not being spoofed. 使用选项1,最终用户无法确定自己没有被欺骗。 Because you are acting as your own CA the end user has to make a decision about whether to trust you. 由于您是自己的CA,因此最终用户必须决定是否信任您。 If they do - they may well be trusting someone who has intercepted your request and used their own certificate. 如果他们这样做,他们很可能会信任已经拦截了您的请求并使用了自己的证书的人。

With option 2 the user is trusting the CA that provided your certificate and can be more confident that no man-in-the-middle attack is taking place. 使用选项2时,用户将信任提供您证书的CA,并且可以更加确信没有发生中间人攻击。

For some purposes your own self-signed cert can be fine. 出于某些目的,您自己的自签名证书也可以。 Not for any real ecommerce though. 不适用于任何真正的电子商务。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 由自己的CA签名的有效SSL证书 - Valid SSL certificate signed by own CA Spring Boot - 使用 CA 证书启用 SSL (HTTPS) - Spring Boot - Enable SSL (HTTPS) with CA certificate 我自己的CA与Apache颁发的客户端证书 - client certificates issued by my own CA with Apache 如何在 Apache Airflow 上启用 SSL? - How to enable SSL on Apache Airflow? 使用来自CA的SSL证书启用Springboot 2.0 https - Springboot 2.0 https enable with SSL certificate from CA 带有证书固定功能的移动应用-DMZ盒子上的SSL证书具有受信任的CA与我自己的CA - Mobile App with Cert Pinning - SSL Cert on DMZ box with trusted CA vs my own CA 使用Apache的双向SSL身份验证-CA证书 - Two-way SSL authentication with Apache - CA certificate Apache HttpClient使用自己的SSL证书 - Apache HttpClient use own SSL-certificates 启用S​​SL后,Apache不会重启 - Apache wont restart after I enable SSL 如何启用ssl_module Apache - how to enable ssl_module apache
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM