Do I need to import an SSL chain in order?

Time: 2018-09-19 07:32:16

Tags: ssl ssl-certificate x509certificate truststore

I have an SSL certificate signed by an intermediate CA, whose certificate is in turn signed by a root CA. I need to import these certificates into my truststore in order to access this service.

My question is: does importing these certificates need to follow any particular order?

For example, first import the SSL certificate, then the intermediate CA certificate, and then the root CA certificate.

Or can I import the certificates in any order and be confident that it will work?

The second part of the question: when PKIX path building is done, does it care about the order of the certificates in the truststore?

1 answer:

Answer 0 (score: 0)

No, the order of the certificates in the truststore is irrelevant.

When the certification chain presented by the server is validated, the client searches for a match in the truststore, starting from the final certificate and working up to the root. Each certificate is validated using the public key of the certificate above it until a match with the truststore is found. There is a match when the certificate itself is present or its immediate superior is (the certificate has been digitally signed by the upper certificate).

Therefore the order does not matter, because the digital signature of each certificate in the chain is going to be validated.
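The behaviour the answer describes, as an added example that is not part of the original question or answer: the script builds a throw-away root -> intermediate -> leaf chain, writes two truststore files with the CA certificates concatenated in opposite orders, and checks that the leaf validates against both. It also shows the one place where verifiers differ on "its immediate superior is present": OpenSSL's verifier only accepts a truststore entry as the end of the chain if it is self-signed, unless `-partial_chain` is given, whereas Java's PKIX validator accepts any truststore entry as a trust anchor. It assumes the `openssl` command-line tool (1.1.1 or later) is on PATH; the names (Example Root CA, example.test) and serial numbers are made up.

```shell
#!/bin/sh
# Added example (not from the original post). Builds root -> intermediate -> leaf
# with throw-away keys, then verifies the leaf against truststores assembled in
# different orders. Assumes the openssl CLI (1.1.1+) is on PATH; all names are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate the three-certificate chain into $WORK.
make_chain() {
  # Extension profiles: one for the two CAs, one for the end-entity certificate.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' > "$WORK/leaf.ext"

  # Root CA: key + CSR, then self-signed with its own key.
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=Example Root CA" -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -days 30 -set_serial 1 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null

  # Intermediate CA: CSR signed by the root key.
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=Example Intermediate CA" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -days 30 -set_serial 1000 -in "$WORK/int.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -extfile "$WORK/ca.ext" \
    -out "$WORK/int.crt" 2>/dev/null

  # Leaf (the "SSL certificate"): CSR signed by the intermediate key.
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 30 -set_serial 1001 -in "$WORK/leaf.csr" \
    -CA "$WORK/int.crt" -CAkey "$WORK/int.key" -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.crt" 2>/dev/null
}

# build_store OUT CERT... : concatenate certificates into one PEM truststore, in the order given.
build_store() {
  out=$1; shift
  cat "$@" > "$out"
}

# verify_leaf STORE [openssl verify options...] : exit 0 if leaf.crt chains to STORE.
verify_leaf() {
  store=$1; shift
  openssl verify -CAfile "$store" "$@" "$WORK/leaf.crt" >/dev/null 2>&1
}

make_chain
build_store "$WORK/root_first.pem" "$WORK/root.crt" "$WORK/int.crt"
build_store "$WORK/int_first.pem"  "$WORK/int.crt"  "$WORK/root.crt"

# 1. Truststore order is irrelevant: both concatenation orders validate the leaf.
for name in root_first int_first; do
  if verify_leaf "$WORK/$name.pem"; then echo "$name: leaf verified"; else echo "$name: FAILED"; fi
done

# 2. Only the root is trusted; the intermediate is supplied as the server would present it.
if verify_leaf "$WORK/root.crt" -untrusted "$WORK/int.crt"; then
  echo "root-only store + untrusted intermediate: leaf verified"
fi

# 3. Verifier caveat: a truststore holding only the intermediate is rejected by OpenSSL,
#    because the chain never reaches a self-signed certificate, unless -partial_chain
#    allows a non-self-signed trust anchor (Java's PKIX validator needs no such flag).
if ! verify_leaf "$WORK/int.crt"; then
  echo "intermediate-only store: rejected without -partial_chain"
fi
if verify_leaf "$WORK/int.crt" -partial_chain; then
  echo "intermediate-only store + -partial_chain: leaf verified"
fi
```

The truststore files are plain concatenations, which is what `openssl verify -CAfile` reads; for a Java keystore the same experiment is `keytool -importcert` of the root and intermediate in either order, since `keytool` stores entries by alias and the PKIX path builder looks trust anchors up by subject name, not by position.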