1

我从 GeoTrust 购买了 SSL 证书。

在检查不同设备上的证书链时,我发现了两个不同的链。两条链都有效!

在 Root-CA C=US, O=Equifax, OU=Equifax Secure Certificate Authority的链上,另一个在 Root-CA C=US, O=GeoTrust Inc., CN=GeoTrust Global CA中。

这些链之间的不同之处在于第一个链“GeoTrust Global CA”由“Equifax Secure Certificate Authority”签名,而第二个“GeoTrust Global CA”是自签名的。但在两条链中,“GeoTrust Global CA”的指纹都是“C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA: CC:4E",只有序列号不同。

这怎么可能?我认为 ssl 证书,它们的指纹和证书是独一无二的!

链 1)

1a) C=US, O=GeoTrust Inc., OU=Domain Validated SSL, CN=GeoTrust DV SSL CA sign by C=US, O=GeoTrust Inc., CN=GeoTrust Global CA

Data:
    Version: 3 (0x2)
    Serial Number: 145106 (0x236d2)
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
    Validity
        Not Before: Feb 26 21:32:31 2010 GMT
        Not After : Feb 25 21:32:31 2020 GMT
    Subject: C=US, O=GeoTrust Inc., OU=Domain Validated SSL, CN=GeoTrust DV SSL CA
    X509v3 extensions:
        X509v3 Key Usage: critical
            Certificate Sign, CRL Sign
        X509v3 Subject Key Identifier:
            8C:F4:D9:93:0A:47:BC:00:A0:4A:CE:4B:75:6E:A0:B6:B0:B2:7E:FC
        X509v3 Authority Key Identifier:
            keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E

1b) C=US, O=GeoTrust Inc., CN=GeoTrust Global CA sign by C=US, O=Equifax, OU=Equifax Secure Certificate Authority

Data:
    Version: 3 (0x2)
    Serial Number: 1227750 (0x12bbe6)
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
    Validity
        Not Before: May 21 04:00:00 2002 GMT
        Not After : Aug 21 04:00:00 2018 GMT
    Subject: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
    X509v3 extensions:
        X509v3 Authority Key Identifier:
            keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4

        X509v3 Subject Key Identifier:
            C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
        X509v3 Basic Constraints: critical
            CA:TRUE

1c) 根-CA C=US, O=Equifax, OU=Equifax 安全证书颁发机构

Data:
    Version: 3 (0x2)
    Serial Number: 903804111 (0x35def4cf)
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
    Validity
        Not Before: Aug 22 16:41:51 1998 GMT
        Not After : Aug 22 16:41:51 2018 GMT
    Subject: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
    X509v3 extensions:
        X509v3 Private Key Usage Period:
            Not After: Aug 22 16:41:51 2018 GMT
        X509v3 Key Usage:
            Certificate Sign, CRL Sign
        X509v3 Authority Key Identifier:
            keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4

        X509v3 Subject Key Identifier:
            48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4

链 2)

2a) C=US, O=GeoTrust Inc., OU=Domain Validated SSL, CN=GeoTrust DV SSL CA sign by C=US, O=GeoTrust Inc., CN=GeoTrust Global CA

Data:
    Version: 3 (0x2)
    Serial Number: 145106 (0x236d2)
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
    Validity
        Not Before: Feb 26 21:32:31 2010 GMT
        Not After : Feb 25 21:32:31 2020 GMT
    Subject: C=US, O=GeoTrust Inc., OU=Domain Validated SSL, CN=GeoTrust DV SSL CA
    X509v3 extensions:
        X509v3 Key Usage: critical
            Certificate Sign, CRL Sign
        X509v3 Subject Key Identifier:
            8C:F4:D9:93:0A:47:BC:00:A0:4A:CE:4B:75:6E:A0:B6:B0:B2:7E:FC
        X509v3 Authority Key Identifier:
            keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E

2b) 根 CA C=US, O=GeoTrust Inc., CN=GeoTrust Global CA

Data:
    Version: 3 (0x2)
    Serial Number: 144470 (0x23456)
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
    Validity
        Not Before: May 21 04:00:00 2002 GMT
        Not After : May 21 04:00:00 2022 GMT
    Subject: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:TRUE
        X509v3 Subject Key Identifier:
            C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
        X509v3 Authority Key Identifier:
            keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
4

1 回答 1

4

1b是“交叉证书”;由 Equifax 颁发的 Geotrust 根证书。2b 是相同的密钥,但是是一个自签名的根。

交叉证书通常用于在根证书被 Mozilla/Microsoft/etc 根程序接受之前使根证书受信任。当根被这些程序接受时,它可以用作普通的自签名证书。

于 2012-05-21T10:53:50.267 回答