问题描述
我们有一个Web服务,可通过XML文档与供应商交换数据。每个供应商都需要对XML文档进行数字签名,以确保出于审计目的传输的数据的完整性。我不清楚需要从主要的第三方CA购买哪种类型的证书才能满足此要求?代码签名似乎是正确的方法,但是XML没有在任何站点上列出。有人可以为此提供一些指导吗?
We have a web service that exchanges data via XML document with a vendor. Each vendor needs to digitally sign the XML document to ensure the integrity of the data transmitted for audit purposes. I am unclear as to which type of certificate I need to buy from the major third-party CA's to meet this requirement? Code signing seems to be the right approach, but XML is not listed on any of the sites. Can anyone provide some guidance on this?
推荐答案
您需要X.509证书(它们都是X.509证书)其中包括数字签名作为密钥用法字段中的值之一。也称为数字签名证书。
You need an X.509 certificate (they're all X.509 certs) that includes "Digital Signature" as one of the values in the "Key usage" field. Also known as a digital signature cert.
虽然单个X.509证书可以在密钥用法字段中包含许多不同的用途,但是大多数证书颁发机构(CA)仅针对单个或紧密相关的证书颁发证书用法。从和。
While a single X.509 cert can include many different uses in the "Key usage" field, most Certification Authorities (CA) only issue certs for a single or closely related usage. See possible Key usage values from Microsoft and from section 4.2.1.3 of the standard.
大多数所有CA都会向您出售数字签名证书,但它们通常很难找到它们,因为它们不是最畅销的产品(SSL的证书是最畅销的产品)。
Most all CAs will sell you a Digital Signature cert but they're often hard to find since they are not top sellers (the certs for SSL are the big sellers).
这是一个很好地列出它们的CA:
Here's one CA that lists them out nicely: GlobalSign
添加:您没有需要或需要代码签名证书。
Added: You don't want or need a code signing certificate.
此外,您还应检查收件人如何验证您的数字签名以及需要什么信任链。例如,如果您已经与Web服务建立了信任关系,则可以使用自签名证书。
Also, you should check about how the recipient will verify your digital signature and what trust chain, if any is needed. Eg you may be able to use a self-signed certificate if you have already established a trust relationship with the web service.
这篇关于我购买什么证书来签署XML?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!