Question
Is having a Path Length of 0 and None the same thing for the Basic Constraints of a CA-type certificate? To clarify, does a path length of 0 mean that the CA can issue no certificates, while a path length of none means that it can issue an infinite amount of certificates?
Recommended answer
Taken from RFC 5280, section 4.2.1.9:
I.e. a pathLenConstraint of 0 does still allow the CA to issue certificates, but these certificates must be end-entity certificates (the CA flag in BasicConstraints is false; these are the "normal" certificates that are issued to people or organizations).
It also implies that with this certificate, the CA must not issue intermediate CA certificates (where the CA flag is true again; these are certificates that could potentially issue further certificates, thereby increasing the pathLen by 1).
An absent pathLenConstraint, on the other hand, means that there is no limitation considering the length of certificate paths built from an end-entity certificate that would lead up to our example CA certificate. This implies that the CA could issue an intermediate certificate for a sub CA, this sub CA could again issue an intermediate certificate, this sub CA could again... until finally one sub CA would issue an end-entity certificate.
If the pathLenConstraint of a given CA certificate is > 0, then it expresses the number of possible intermediate CA certificates in a path built from an end-entity certificate up to the CA certificate. Let's say CA X has a pathLenConstraint of 2, and the end-entity certificate is issued to EE. Then the following scenarios are valid (I denoting an intermediate CA certificate):
X - EE
X - I1 - EE
X - I1 - I2 - EE
but not
X - I1 - I2 - I3 - EE
...
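The budget arithmetic behind the answer above, as an added example that is not part of the original post: a simplified model of the RFC 5280 section 6.1 max_path_length processing, run over the X / I1 / I2 / EE chains from the answer. The Cert records and the chain_for helper are constructed for this example; they are not real X.509 objects.

```python
"""Model of pathLenConstraint enforcement (after RFC 5280, section 6.1).

Constructed example: certificates are plain records, not parsed X.509.
The chain is ordered from the CA under discussion (X) down to the
end-entity certificate (EE); each certificate must be issued by the one
before it.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ca: bool                        # BasicConstraints cA flag
    path_len: Optional[int] = None  # pathLenConstraint; None = absent


def check_path(chain: List[Cert]) -> bool:
    """True if every CA's pathLenConstraint in the chain is respected."""
    if len(chain) < 2:
        return False
    # Remaining number of non-self-issued CA certificates that may still
    # follow. len(chain) is a safe "unlimited" starting value.
    max_path_length = len(chain)
    for i, cert in enumerate(chain[:-1]):
        if not cert.ca:
            return False  # only CA certificates may issue others
        if i > 0 and chain[i - 1].subject != cert.issuer:
            return False  # broken issuer/subject linkage
        # Each intermediate below X consumes one unit of the budget;
        # a budget of 0 means no further CA certificate is allowed.
        if i > 0 and cert.subject != cert.issuer:
            if max_path_length <= 0:
                return False
            max_path_length -= 1
        # A stricter pathLenConstraint lowers the remaining budget.
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
    ee = chain[-1]
    return chain[-2].subject == ee.issuer and not ee.ca


def chain_for(x_path_len: Optional[int], intermediates: int) -> List[Cert]:
    """Build X - I1 - ... - In - EE with the given pathLenConstraint on X."""
    certs = [Cert("X", "X", ca=True, path_len=x_path_len)]
    for k in range(1, intermediates + 1):
        certs.append(Cert(f"I{k}", certs[-1].subject, ca=True))
    certs.append(Cert("EE", certs[-1].subject, ca=False))
    return certs
```

A pathLenConstraint of 0 on X accepts X - EE but rejects X - I1 - EE, an absent constraint accepts any depth, and a constraint of 2 accepts up to I2 but rejects I3, matching the scenarios listed in the answer.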