PKI基础设施

huangapple go评论85阅读模式
英文:

PKI infrastructure

问题

如何使用golang的.x509包简单建立证书链?假设我需要自签名的CA证书和由CA签发的服务器证书。当我使用以下代码时:

x509.CreateCertificate(rand.Reader, &issuer, &issuer, publicKeyIssuer, privateKeyIssuer)

然后再使用以下代码:

x509.CreateCertificate(rand.Reader, &subject, &issuer, publicKeySubject, privateKeyIssuer)

但是它不起作用。证书被创建了,但当服务器将其发送给浏览器时,浏览器无法看到从服务器到CA的路径。

如果我使用openssl为服务器创建证书请求,然后再创建证书,就一切正常:

openssl req -key server.key -new -out server.req -sha256
openssl x509 -req -in server.req -CA ca.crt -CAkey ca.key -out server.crt

我知道有x509.CreateCertificateRequest函数,但我不知道如何将请求与证书的创建关联起来。我做错了什么,或者对x509.CreateCertificate函数了解不够?

英文:

How to establish simply chain using golang .x509 package?
Let say I need self-signed CA certificate and certificate for server issued by CA.
When I use

x509.CreateCertificate(rand.Reader, &issuer, &issuer, publicKeyIssuer, privateKeyIssuer)

then

x509.CreateCertificate(rand.Reader, &subject, &issuer, publicKeySubject, privateKeyIssuer)

it doesn't work. Certificate is created and when server sends it to a browser the browser doesn't see path from server to ca.

If I use openssl and create certificate request for server and then certificate then it's all good

openssl req -key server.key -new -out server.req -sha256
openssl x509 -req -in server.req -CA ca.crt -CAkey ca.key -out server.crt

I know that there is x509.CreateCertificateReuest but I don't now how to link request with creating of certificate?
What I am doing wrong or may be don't now much about x509.CreateCertificate?

答案1

得分: 1

在提问之前,我需要了解的内容是:http://www.oasis-pki.org/pdfs/Understanding_Path_construction-DS2.pdf

CA证书中的主题(Subject)和服务器证书中的颁发者(Issuer)的DN名称必须相同。但是主题和颁发者的DN名称不能相等。DN构成了颁发者和主题之间的链接。

在我的情况下,我只使用了O=Organization字段:

ca := x509.Certificate{
    Subject: pkix.Name{
        Organization: []string{"O"},
    }
}
server := x509.Certificate{
    Subject: pkix.Name{
        Organization: []string{"O"},
    }
}

颁发者和主题的DN是相同的。这就是为什么浏览器无法找到路径。可以简单地向pkix添加更多信息,例如CommonName,以使DN唯一。

ca := x509.Certificate{
    Subject: pkix.Name{
        CommonName:   []string{"CA"},
        Organization: []string{"XUnit"},
    }
}
server := x509.Certificate{
    Subject: pkix.Name{
        CommonName:   []string{"server"},
        Organization: []string{"XUnit"},
    }
}
英文:

What I had to know before ask question <http://www.oasis-pki.org/pdfs/Understanding_Path_construction-DS2.pdf>

DN names (Subject in CA certificate and Issuer in server certificate) must be the same. But DN names of subject and issuer must no be equal. DN's make up the link between Issuer and Subject.

In my case I used only O=Organization filed in

ca := x509.Certificate{
    Subject: pkix.Name{
				Organization: []string{&quot;O&quot;},
			}
}
server := x509.Certificate{
    Subject: pkix.Name{
				Organization: []string{&quot;O&quot;},
			}
}

DN's are the same for the issuer and for the subject.That is why browser can't find path. It is simply to add more info to pkix, for example, CommonName. It will make the DN unique.

ca := x509.Certificate{
    Subject: pkix.Name{
                CommonName:   []string{&quot;CA&quot;},
				Organization: []string{&quot;XUnit&quot;},
			}
}
server := x509.Certificate{
    Subject: pkix.Name{
                CommonName:   []string{&quot;server&quot;},
				Organization: []string{&quot;XUnit&quot;},
			}
}

huangapple
  • 本文由 发表于 2016年1月21日 00:15:04
  • 转载请务必保留本文链接:https://go.coder-hub.com/34905063.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定