您如何验证数字证书SSL?
[英]how do you validate the digital certificate SSL?
问题描述
how do you validate the digital certificate SSL? 
您如何验证数字证书SSL? so that you know the response came from the correct website? 以便您知道响应来自正确的网站?
1 个解决方案
解决方案1
0 已采纳 2011-01-12 07:24:50
The procedure of certificate validation is described in RFC 5280 and several supplementary standards. RFC 5280和一些补充标准中描述了证书验证的过程。 It is quite complex and depends on what tools / libraries / components you plan to use. 它非常复杂,取决于您计划使用的工具/库/组件。
In brief the steps are: 简而言之,步骤是:
- Find CA Certificate. 查找CA证书。 If it's missing, you are out of luck in validation. 如果丢失,那么您将无法通过验证。 If the certificate is self-signed, the user should decide if he can trust this certificate. 如果证书是自签名的,则用户应决定他是否可以信任此证书。
- check that the certificate has been issued to the site you are connecting to (by inspecting Subject field and Subject Alternative Name extension) 检查证书是否已颁发给您要连接的站点(通过检查“主题”字段和“主题备用名称”扩展名)
- check that the certificate could be used for SSL (inspect Key Usage field) 检查证书可以用于SSL(检查密钥使用字段)
- check that the certificate has not been revoked using CRLs and OCSP responder. 检查证书是否尚未使用CRL和OCSP响应程序吊销。
- if all of the above is ok, validate CA Certificate in a similar manner. 如果上述所有方法都可以,请以类似方式验证CA证书。 Repeat until you get up to the trusted certificate (it can be a trusted root or previously trusted CA). 重复直到获得可信证书(它可以是可信根或以前可信的CA)。
We implemented complete and flexible certificate validator which does all of the above in our SecureBlackbox library. 我们实现了完整而灵活的证书验证器,该验证器在SecureBlackbox库中完成了上述所有操作。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.