Issuer/Subject policy for a self-signed CA certificate

When I build a self-signed certificate for an internal CA, should the Issuer DN match the DN in the request, should it be different, or is there no convention at all?

Here is the definition from RFC 5280 (Section 3.2):

Self-issued certificates are CA certificates in which the issuer and subject are the same entity. Self-issued certificates are generated to support changes in policy or operations. Self-signed certificates are self-issued certificates where the digital signature may be verified by the public key bound into the certificate. Self-signed certificates are used to convey a public key for use to begin certification paths.

So, by definition, yes: since self-signed certificates are a particular kind of self-issued certificate, their Issuer DN must match their Subject DN.

(Whether that Subject DN needs to be in the CSR is another matter, because (a) when turning a CSR into a certificate, the CA is under no obligation to keep the exact Subject DN (in fact, it should check everything it puts in; the alternative is the certificate itself), and (b) the steps for turning a CSR into a self-signed certificate are more about how to use openssl and how to configure it, which is just a detail.)

Whether you want your own CA to be self-signed or merely self-issued is your choice. It usually makes sense to do so (at least for clarity). In principle, a CA certificate used as a trust anchor by remote parties does not have to be self-signed (see Section 6):

  The selection of a trust anchor is a matter of policy: it could be the top CA in a hierarchical PKI, the CA that issued the verifier's own certificate(s), or any other CA in a network PKI. The path validation procedure is the same regardless of the choice of trust anchor.