When I build a self-signed certificate for an internal CA, should I make the issuer DN match the DN in the request, should they differ, or is there no convention either way?
Answer 1
Self-issued certificates are CA certificates in which the issuer and subject are the same entity. Self-issued certificates are generated to support changes in policy or operations. Self-signed certificates are self-issued certificates where the digital signature may be verified by the public key bound into the certificate. Self-signed certificates are used to convey a public key for use to begin certification paths.
So yes, by definition, since a self-signed certificate is a particular kind of self-issued certificate, its issuer DN must match its subject DN.
(Whether that subject DN has to be present in the CSR is a separate matter, because (a) a CA is under no obligation to preserve the exact subject DN when turning a CSR into a certificate (in fact, it should check everything it puts into the certificate by other means), and (b) the step of turning a CSR into a self-signed certificate has more to do with how openssl is used and how it is configured. It is really just a detail.)
Whether you want your own CA to be self-signed or merely self-issued is your choice. It usually makes sense to do so (at least for clarity). In principle, the CA certificate a remote party uses as a trust anchor does not have to be self-signed (see section 6):
The selection of a trust anchor is a matter of policy: it could be the top CA in a hierarchical PKI, the CA that issued the verifier's own certificate(s), or any other CA in a network PKI. The path validation procedure is the same regardless of the choice of trust anchor.
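The points made in this answer, as an added example that is not part of the original post: build a root CA from a CSR with openssl and check that the result has issuer DN equal to subject DN and a verifiable self-signature, then issue a subordinate CA that is not self-signed and use it as a trust anchor for path validation. The DNs, file names and extension settings are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original answer. Shows with openssl that a
# self-signed CA built from a CSR has issuer DN == subject DN, that its
# self-signature can be verified, and that a subordinate (not self-signed)
# CA can still act as a trust anchor. All DNs and file names are made up.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

ROOT_DN='/C=US/O=Example Internal/CN=Example Internal Root CA'
SUB_DN='/C=US/O=Example Internal/CN=Example Internal Issuing CA'
LEAF_DN='/C=US/O=Example Internal/CN=app.internal.example'

# Extensions that turn a plain certificate into a CA certificate. openssl x509 -req
# does not copy extensions from the CSR, so they are supplied here via -extfile.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/ca.ext"
{ cat "$WORK/ca.ext"; echo 'authorityKeyIdentifier=keyid'; } > "$WORK/sub.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\nsubjectAltName=DNS:app.internal.example\n' > "$WORK/leaf.ext"

# Key + CSR; the CSR carries the subject DN that will be copied into the cert.
new_key_and_csr() {  # $1 = basename, $2 = subject DN
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/$1.key"
  openssl req -new -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr"
}

# Self-signed root: signing the CSR with its own key (-signkey) makes openssl
# set the issuer DN to the subject DN taken from the CSR.
make_root() {
  new_key_and_csr root "$ROOT_DN"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt"
}

# Subordinate CA and a leaf: signed by another entity, so issuer != subject.
make_sub_and_leaf() {
  new_key_and_csr sub "$SUB_DN"
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$WORK/sub.ext" -out "$WORK/sub.crt"
  new_key_and_csr leaf "$LEAF_DN"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/sub.crt" -CAkey "$WORK/sub.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt"
}

# Print one DN field in RFC 2253 form so that two DNs can be compared as strings.
dn_field() {  # $1 = certificate, $2 = subject | issuer
  openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"
}

issuer_matches_subject() {
  [ "$(dn_field "$1" subject)" = "$(dn_field "$1" issuer)" ]
}

# openssl does not verify the self-signature of a trust anchor by default;
# -check_ss_sig forces that check, which is what "self-signed" actually means.
self_signature_ok() {
  openssl verify -check_ss_sig -CAfile "$1" "$1" >/dev/null
}

# Path validation against an explicit anchor. -partial_chain lets a certificate
# that is not self-signed (here the issuing CA) be accepted as the anchor,
# which is the RFC 5280 section 6 point quoted above.
chain_ok() {  # $1 = anchor, $2 = target, [$3 = untrusted intermediate]
  if [ $# -ge 3 ]; then
    openssl verify -partial_chain -CAfile "$1" -untrusted "$3" "$2" >/dev/null
  else
    openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null
  fi
}

make_root
make_sub_and_leaf
for c in root sub leaf; do
  printf '%s: subject=%s | issuer=%s\n' "$c" \
    "$(dn_field "$WORK/$c.crt" subject)" "$(dn_field "$WORK/$c.crt" issuer)"
done
issuer_matches_subject "$WORK/root.crt" && echo "root: issuer DN == subject DN"
self_signature_ok "$WORK/root.crt" && echo "root: self-signature verifies"
chain_ok "$WORK/sub.crt" "$WORK/leaf.crt" && echo "leaf validates with the issuing CA as trust anchor"
```

Two things worth noticing when you adapt this: `openssl x509 -req` ignores the extensions in the CSR (the CA decides what goes into the certificate, which is the "check everything by other means" point in the answer), and `openssl verify` accepts a self-signed root from the trust store without checking its signature unless `-check_ss_sig` is given, so an issuer DN that equals the subject DN is not by itself proof that the certificate is self-signed.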