证书spec, X509, 类似规定了一个目录结构。其中重要内容包括

  • issuer: who isued this certificate
  • subject: the ID of this certificate
  • public key:
  • validate period
  • sign: the sha of this certificate, encritpted with the issuer's private key. (This is the mechanism how to verify the certificate)
  • in extention, other there is a link to get certificate of issuer.

DN (distingushed name)

  • include C(country), ST(state), O(organization), OU(部门,可以多个), CN(common name)
  • both Issuer and Subject are DN.

Certificate formate

  • PEM, base64 encoded DER file, easy to be edited
  • DER, CER, CRT.  same, DER, Distinguished Encoding Rules. openssl -inform der -in a.cert -text -noout
  • P12. Windows specific, contails both public key and private key. So the file itself should be encriypted.
  • p7b, p7c. CRL (certificate revocation list) 常用于证书吊销文件,不包括key
  • JKS. Java Key storage(Java 专利)利用 keytool 管理

应用

  1. Safari and macOS, managed by "keychain access". The each keychain is stored in separated directory. login means the current login user.
  2. Java, keytool 管理,has different location from OS(e.g. /Library/Java/JavaVirtualMachines/jdk1.8.0_121.jdk/Contents/Home/jre/lib/security/cacerts), so even safari downloaded a Root CA for a website, Java may still not work.  
    1. keytool -list -keystore cacerts
  3. Python: 
    1. public certs stored in certifi module ([py_home]/site-packages/certifi/cacert.pem), then all python modules relying on certifi (e.g. requests) could load certs for ssl verification
    2. However, pip is a standalone package that contains its own requests/certifi module and public cert storage.  One solution is to wrap original certifi.where() and pip._vendor.requests.certs.where() method to force return path ‘/etc/pki/tls/cert.pem’. Make sure all certs are store in it.
  4. CN name: https://security.stackexchange.com/questions/40026/openssl-x509-whats-the-significance-of-cn-common-name
  5. curl, use curl -v to see with cacert it is using, maybe /etc/ssl/cacert.pem, makeby $HOME/anaconda/ssl/cacert.pem. 
    1. 手动指定使用某个证书来验证网站 curl --cacert mycertificate.cer -v https://www.google.com

References:

  • cert format,

    • https://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file
    • https://www.cnblogs.com/guogangj/p/4118605.html
  • https://en.wikipedia.org/wiki/X.509  (X.509 内容说明) , 
    •  PKIX (Public Key Infrastructure X.509)
    •  OCSP (Online Certificate Status Protocol)
  • verify certificate: https://stackoverflow.com/questions/188266/how-are-ssl-certificates-verified
  • Certificate Chain: 
    • https://ssl.comodo.com/articles/understanding-an-ssl-certificate-chain.php
    • https://support.dnsimple.com/articles/what-is-ssl-certificate-chain/

Root certificate

  • Intermediate certifcate

    • client certificate. In SSL, webserver might need to veifiy the certificate of the client. Usually it doesn't.

About certificate的更多相关文章

  1. 钉钉开放平台demo调试异常问题解决:hostname in certificate didn't match

    今天研究钉钉的开放平台,结果一个demo整了半天,这帮助系统写的也很难懂.遇到两个问题: 1.首先是执行demo时报unable to find valid certification path to ...

  2. 异常处理之“The remote certificate is invalid according to the validation praocedure.”

    参考文章:http://brainof-dave.blogspot.com.au/2008/08/remote-certificate-is-invalid-according.html 参考文章:h ...

  3. The certificate used to sign ***has either expired or has been revoked. An updated certificate is required to sign and install the application

    真机测试的时候弹出这样的提示:The certificate used to sign ***has either expired or has been revoked. An updated ce ...

  4. Domino----The Address Book does not contain a cross certificate capable of validating the public key.

    The Address Book does not contain a cross certificate capable of validating the public key. 地址本不包含交叉 ...

  5. Your account already has a valid iOS Distribution certificate!

    iOS 发布提交出现:Your account already has a valid iOS Distribution certificate!问题解决 转载的链接   http://www.jia ...

  6. configure Git to accept a particular self-signed server certificate for a particular https remote

    get the self signed certificate put it into some (e.g. ~/git-certs/cert.pem) file set git to trust t ...

  7. [nodejs] Error: unable to verify the first certificate

    Error: unable to verify the first certificate Solution npm config set registry http://registry.npmjs ...

  8. Rails 之微信开发 : OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

    微信公众平台,使用Ruby On Rails + Win7 在取得OpenID时,如果简单的使用http.get方法,会出现如下 SSL_connect returned=1 errno=0 stat ...

  9. Fiddler 手机端证书安装No root certificate was found

    测试过程中发现在浏览器中访问代理服务器及端口,不通,提示要安装证书. 点击证书安装时,提示错误: No root certificate was found,Have you enabled HTTP ...

  10. 关于Certificate、Provisioning Profile、App ID的介绍及其之间的关系

    1.概念介绍 如果你拥有一个开发者账户的话,在iOS Dev Center打开Certificates, Indentifiers & Profiles,你就可以看到如下的列表: Profil ...

随机推荐

  1. MyBatis 配制文件层次表

  2. 初探LaTeX

    第一次使用LaTeX 步骤  1 安装LaTeX 通过官网http://www.tug.org/mactex/mactex-download.html下载Mac版LaTeX. 安装成功后会出现 步骤 ...

  3. 拾遗----javascript一些实用方法

    1. join() join() 方法用于把数组中的所有元素放入一个字符串.元素是通过指定的分隔符进行分隔的. var ids = [];                 for(var i = 0 ...

  4. [Go] 开始试探一门新语言的五点思考 - Golang

    1.如果在其他语言环境中写的代码很烂,那么换一门语言很可能情况更糟,因为是涉及到基本功.工程能力和心思逻辑. 2.一定要了解语言解决的问题(比如:多核并发机制性能高.省机器.简洁易学.资料少),优势是 ...

  5. 基于Keepalived的MySQL高可用

    keepalived负责的是故障转移,至于故障转以后的节点之间数据的一致性问题依赖于具体的复制模式.不管是主从.一主多从还是双主.集群节点个数.主从具体的模式无关(常规复制,半同步复制,GTID复制, ...

  6. Java Script 简介

    Java Script 简介 JavaScript 是世界上最流行的编程语言. 这门语言可用于 HTML 和 web,更可广泛用于服务器.PC.笔记本电脑.平板电脑和智能手机等设备.JavaScrip ...

  7. centos7 tomcat8+jdk1.8

    (1) 下载Tomcat8压缩包进入 http://tomcat.apache.org/download-80.cgi 在binary Distributions下面,选择tar.gz包下载 [tar ...

  8. Codeforces Round #491 (Div. 2)

    Codeforces Round #491 (Div. 2) https://codeforces.com/contest/991 A #include<bits/stdc++.h> us ...

  9. 微信小程序开发——点击防重的解决方案

    对于一些涉及后端接口请求的单击事件,不论后端是否做了请求限制,前端还是有必要进行点击防重处理的. 这样既能减少对服务器端的压力,也能有效防止因重复请求而造成一些不可预期的异常. 尤其是接口请求结果处理 ...

  10. 微信小程序开发——使用mock数据模拟api请求

    前言: 微信小程序开发中,后端提供了接口设计文档,前端可以先mock数据模拟api请求进行开发调试,而且可以根据需要设计mock文件的格式和内容,这样在后端接口开发完成之前,前端可以最大限度的完成前端 ...