我们正在尝试部署 REST 服务(服务不会面向互联网)并希望使用 ssl 保护它。为此,我们需要证书,为了让事情变得更容易,我们在安装时创建了一个根 CA。
这是一个好主意吗?使用自签名证书的优缺点是什么?这是一个好习惯吗?
我是这方面的新手,所以如果我问一些愚蠢的事情,请对我温柔!
问问题
4094 次
3 回答
4
使用自签名证书的好处是在开发时可以节省一点钱。缺点是您使编写客户端变得更加困难,或者要求用户单击“可怕的警告”。我真的建议永远不要告诉用户点击 BSW,因为它们是保护用户免受攻击者进行中间人攻击等攻击的关键部分。
看,获得一个简单的真正的单主机证书真的很便宜(每年几美元)。不值得尝试节省这么少的钱。当您要设置私有 CA 并关闭对所有标准 CA 的支持时,这是值得的;这是偏执的,但在高安全性配置中是可以接受的,在这种配置中,分发私有 CA 证书并将其安装在客户端中的痛苦是可以忍受的。但通常购买便宜的证书是最明智的……</p>
于 2013-01-29T15:33:13.587 回答
3
SSL 使用加密作为“机械优势”。本质上,您通过使用受信任的根 CA 来验证服务器是服务器所说的服务器,从而确保证书的真实性。
如果您使用自签名证书,这比用户必须单击警告消息要糟糕得多——这意味着该证书没有为您提供任何保护。可以在中间情况下设置一个人,并使用他们自己的自签名证书冒充您的服务的人。因为没有验证证书本身的信任链,所以客户端无法推断它是否受到中间人的影响。
现在,您可以通过操作自己的根 CA 来恢复此处的安全性。如果您这样做,那么您需要一个受信任的安全通道将根证书传送到您的客户端计算机。不过,从好的方面来说,客户端不需要信任某些第三方 CA(如 Verisign)来验证您的服务。
于 2013-01-30T17:34:39.233 回答
1
The main difference between a self-signed certificate and one issued by a CA is the trust chain. If you sign your own certificate then when you or others use it they will have to specifically trust the server you signed the certificate with. The way to do this is to add the certificate to your list of "trusted CA roots" in your browser (i.e. Firefox, or Microsoft's CAPI store for MSIE or Chrome), or your cacerts file for Java applications. Otherwise your self-signed certificate won't be trusted and you will get a "warning" or error message depending on how strict your security settings are in that environment (i.e. Java or your specific browser).
With a certificate that is signed by a CA you won't get that warning if either the CA that signed the certificate, or the CA's trusted Root (the one that signed that CA's certificate), is already in your relevant truststore (i.e. browser or cacerts file for Java). Microsoft and Oracle (for Java) are constantly updating trusted CA's and managing CRLs (Certificate Revocation Lists), for CA's or authorities that have been compromised or revoked.
Usually one of these trusted CAs (like verisign, entrust, etc.) charge $$ for signing and issuing certificates and the longer the validity period the more they charge.
A self-signed one is free and may be issued for a long period of time (though not recommended).
于 2014-01-16T16:36:36.277 回答