[英]Issuing SSL certificates myself for subdomains of a domain I have an SSL cert for
I guess it can't be done, but if so, I'd like to know why. 我想这不可能,但如果是这样,我想知道为什么。
Let's say I get an SSL certificate for example.com from one of the official certificate authorities around. 假设我从其中一个官方证书颁发机构获得了example.com的SSL证书。 Let's also say I'm running a.example.com and bcdexample.com and would like to have SSL certificates for those as well.
我们还说我正在运行a.example.com和bcdexample.com,并希望为这些人提供SSL证书。
Can I use the example.com certificate to issue certificates for a.example.com and bcdexample.com myself? 我可以使用example.com证书自己为a.example.com和bcdexample.com颁发证书吗? And will they be recognized by users' browsers?
它们会被用户的浏览器识别吗? If not, why not?
如果没有,为什么不呢?
(My guess that it can't be done is because it would break the very lucrative wildcard cert business model, wouldn't it?) (我猜这不可能是因为它会破坏非常有利可图的通配符证书业务模式,不是吗?)
Clarification: can't I act as a "self-signed" certificate authority using the keypair for which I obtained the official cert, and simply add my official cert in the validation chain? 澄清:我不能使用我获得官方证书的密钥对作为“自签名”证书颁发机构,只需在验证链中添加我的官方证书吗?
You cannot use Your certificate to issue other certificates, because the purposes of the certificate are encoded in Your certificate and "Certificate Authority" is certainly not included in that list. 您不能使用您的证书颁发其他证书,因为证书的目的是在您的证书中编码,“证书颁发机构”当然不包含在该列表中。
Web browsers check the "certificate chain" beginning from Your certificate, the certificate that was used to sign it, the signer of that certificate etc. Web浏览器检查从您的证书开始的“证书链”,用于签名的证书,该证书的签名者等。
Your certificate must match the current use case (mostly "identify web site") and all signing certificates must include the "Certificate Authority" flag. 您的证书必须与当前用例(主要是“识别网站”)匹配,并且所有签名证书必须包含“证书颁发机构”标志。 The last certificate must be known to the browser (root cert).
浏览器必须知道最后一个证书(根证书)。
As You already guess, wildcard certificates might help in Your case. 正如您已经猜到的,通配符证书可能对您的情况有所帮助。
You're correct, you cannot issue certificates from a certificate
. 你是对的,你不能从
certificate
。 You need a Certificate Authority to issue certificates. 您需要证书颁发机构来颁发证书。
The whole point of a Certificate Authority is that they are a trusted 3rd party. 证书颁发机构的重点是他们是值得信赖的第三方。 CA's like Verisign are trusted by default by most browsers so that you dont have to manually accept certificates from them.
大多数浏览器默认情况下CA都像Verisign一样受信任,因此您无需手动接受来自它们的证书。 They have what is termed a trusted root certificate .
他们拥有所谓的受信任的根证书 。
If you create your own Certificate Authority and start dishing out certificates, web browsers will not know you and hance not trust you. 如果您创建自己的证书颁发机构并开始提供证书,Web浏览器将不会了解您并且不会信任您。 The user will be prompted.
将提示用户。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.