有人知道常规x509v3证书与安全设备身份证书之间的区别吗?我知道,对于设备身份证书,他们确实限制了您可以用于某些字段的内容(签名算法与到期时间一起考虑),subjectName对于设备是唯一的,但还有什么不同。假设我要生成如下证书:
$ openssl ecparam -out priv_key.pem -name secp384r1 -genkey
$ openssl req -new -key priv_key.pem -x509 -nodes -out cert.pem
然后我的证书看起来像这样:
$ openssl x509 -text -noout -in cert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
86:d6:c2:8f:d0:66:0f:ba
Signature Algorithm: ecdsa-with-SHA1
Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
Validity
Not Before: Jul 1 16:15:55 2015 GMT
Not After : Jul 31 16:15:55 2015 GMT
Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:d3:05:98:9b:61:1e:91:22:5b:84:92:6f:09:d9:
ce:5b:cf:28:de:aa:2f:21:89:5f:95:92:48:7a:b9:
b1:13:84:21:bc:83:31:9c:45:63:c5:65:d6:80:79:
f8:53:40:55:c0:10:4a:0d:44:fb:a9:2f:de:2f:c7:
ea:44:d0:3f:88:05:0c:35:06:b8:f6:b9:e6:25:53:
f2:05:67:76:df:20:55:76:f8:be:8e:e8:9b:45:19:
e4:dc:9e:cf:62:d8:95
ASN1 OID: secp384r1
X509v3 extensions:
X509v3 Subject Key Identifier:
26:D0:6D:95:39:B4:08:E9:DD:B1:9C:3F:AD:76:42:61:0C:26:6B:5C
X509v3 Authority Key Identifier:
keyid:26:D0:6D:95:39:B4:08:E9:DD:B1:9C:3F:AD:76:42:61:0C:26:6B:5C
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: ecdsa-with-SHA1
30:65:02:30:09:e6:83:8b:63:f5:e0:00:df:91:92:92:24:b7:
62:bf:74:95:29:50:9d:12:f0:37:6a:7b:68:d6:13:df:86:8b:
b9:d9:b8:ed:9a:30:27:fe:21:2c:40:57:f6:29:93:04:02:31:
00:8a:68:50:23:56:56:8c:62:2d:01:c0:7c:b4:8d:68:11:6b:
80:96:c2:79:80:32:00:f1:16:d1:d0:5e:23:f3:c8:99:b8:86:
05:b1:99:20:04:67:6f:74:94:9e:f5:bc:45
此证书还需要考虑其为安全设备身份证书吗?
答案 0 :(得分:1)
除了这一个之外,没有通用的答案:阅读设备文档。不同的供应商对证书有不同的要求。并且没有像"常规x509v3"这样的术语。证书。一般来说,它们在私人和公共密钥用法上有所不同。阅读文档,您应该找到有关证书要求的信息。
然后我的证书看起来像这样:
这是CA,而不是最终实体证书。 CA证书用于签署其他证书和CRL。