堆栈内存溢出
  简体   繁体   English

我自己为我拥有SSL证书的域的子域发布SSL证书

[英]Issuing SSL certificates myself for subdomains of a domain I have an SSL cert for

 原文  2012-05-28 16:02:21       ssl/ openssl/ certificate/ ssl-certificate

问题描述

I guess it can't be done, but if so, I'd like to know why. 我想这不可能,但如果是这样,我想知道为什么。

Let's say I get an SSL certificate for example.com from one of the official certificate authorities around. 假设我从其中一个官方证书颁发机构获得了example.com的SSL证书。 Let's also say I'm running a.example.com and bcdexample.com and would like to have SSL certificates for those as well. 我们还说我正在运行a.example.com和bcdexample.com,并希望为这些人提供SSL证书。

Can I use the example.com certificate to issue certificates for a.example.com and bcdexample.com myself? 我可以使用example.com证书自己为a.example.com和bcdexample.com颁发证书吗? And will they be recognized by users' browsers? 它们会被用户的浏览器识别吗? If not, why not? 如果没有,为什么不呢?

(My guess that it can't be done is because it would break the very lucrative wildcard cert business model, wouldn't it?) (我猜这不可能是因为它会破坏非常有利可图的通配符证书业务模式,不是吗?)

Clarification: can't I act as a "self-signed" certificate authority using the keypair for which I obtained the official cert, and simply add my official cert in the validation chain? 澄清:我不能使用我获得官方证书的密钥对作为“自签名”证书颁发机构,只需在验证链中添加我的官方证书吗?

2 个解决方案

解决方案1
 3 已采纳  2012-05-28 16:10:53

You cannot use Your certificate to issue other certificates, because the purposes of the certificate are encoded in Your certificate and "Certificate Authority" is certainly not included in that list. 您不能使用您的证书颁发其他证书,因为证书的目的是在您的证书中编码,“证书颁发机构”当然不包含在该列表中。

Web browsers check the "certificate chain" beginning from Your certificate, the certificate that was used to sign it, the signer of that certificate etc. Web浏览器检查从您的证书开始的“证书链”,用于签名的证书,该证书的签名者等。

Your certificate must match the current use case (mostly "identify web site") and all signing certificates must include the "Certificate Authority" flag. 您的证书必须与当前用例(主要是“识别网站”)匹配,并且所有签名证书必须包含“证书颁发机构”标志。 The last certificate must be known to the browser (root cert). 浏览器必须知道最后一个证书(根证书)。

As You already guess, wildcard certificates might help in Your case. 正如您已经猜到的,通配符证书可能对您的情况有所帮助。

解决方案2
 1  2012-05-28 16:09:22

You're correct, you cannot issue certificates from a certificate . 你是对的,你不能从certificate You need a Certificate Authority to issue certificates. 您需要证书颁发机构来颁发证书。

The whole point of a Certificate Authority is that they are a trusted 3rd party. 证书颁发机构的重点是他们是值得信赖的第三方。 CA's like Verisign are trusted by default by most browsers so that you dont have to manually accept certificates from them. 大多数浏览器默认情况下CA都像Verisign一样受信任,因此您无需手动接受来自它们的证书。 They have what is termed a trusted root certificate . 他们拥有所谓的受信任的根证书

If you create your own Certificate Authority and start dishing out certificates, web browsers will not know you and hance not trust you. 如果您创建自己的证书颁发机构并开始提供证书,Web浏览器将不会了解您并且不会信任您。 The user will be prompted. 将提示用户。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 我可以自己获得一个中级证书来为自己的域签名SSL证书吗? - Can I get an Intermediate Certificate to sign SSL Certificates for my own domain myself? 域(包括子域)的SSL - SSL for domain, including subdomains 是否有一个只转发到另一个域的域的SSL证书? - Is it necessary to have an SSL cert for a domain that just forwards to another domain? 我可以有2个具有相同SSL证书的子域吗? - Can I have 2 subdomains with same ssl certificate 主域上的EV SSL,子域上的通配符SSL - EV SSL on main domain and Wildcard SSL for subdomains 域名自动定向到HTTPS而不是HTTP我没有SSL证书 - Domain name automatically directing to HTTPS instead of HTTP i have no SSL cert 如何在不设置 SSL 证书的情况下从 an.app 域(需要 SSL)重定向到具有现有 SSL 证书设置的域? - How can I redirect from an .app domain (which requires SSL) without setting up SSL cert to a domain with existing SSL cert setup? LetsEncrypt SSL证书具有多个域和多个子域 - LetsEncrypt SSL Certificates with multi domains and multi subdomains Amazon EC2 上子域的通配符 SSL 证书 - Wildcard SSL Certificates for Subdomains on Amazon EC2 我可以在子域上使用通配ssl证书,而在域上使用基本ssl证书吗? - Can I use wildcard ssl cert on subdomain while using basic ssl cert on domain?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM