Can I create my own root certificate to use for an SSL connection with Go? Is this safe?
Question
I'm writing a simple client and server using Go. I don't want to pay for an SSL certificate, and I've read that self-signed certificates are useless for proving identity since an attacker could just MITM and provide his own self-signed certificate.
However, I've learned that I can have my client use whatever root certificates I want. Can I just create my own, have the client trust that, sign a certificate for my server, and connect securely while being protected from MITM attacks? If so, how do I create my own root certificate?
Answer 1
Score: 4
A self-signed certificate is a special case of deploying your own PKI (pushed to the extreme where you only have one certificate in that PKI).
Both can be used to prevent MITM attacks, provided that the client can verify the server certificate using trust anchors (certificates) it knows in advance (and has been configured with them in a trusted manner).
You can create your own CA and configure your client to use its root CA certificate or, if you only have a very limited set of servers, you can usually configure clients to trust a specific certificate directly (self-signed or not).
You may be interested in these questions for links to tools:
- https://stackoverflow.com/questions/11557604/solutions-to-sign-certificates
- Recommendations for a Certificate Management tool for Linux
- OpenSSL's CA.pl (useful, but may lack general management interfaces)
Once you've understood the basic principles, the technical aspects are not necessarily difficult, but part of the real difficulty is in the administration of your CA.