{"id":2115,"date":"2025-08-17T10:21:14","date_gmt":"2025-08-17T02:21:14","guid":{"rendered":"https:\/\/www.fanyamin.com\/wordpress\/?p=2115"},"modified":"2025-08-17T11:02:09","modified_gmt":"2025-08-17T03:02:09","slug":"web-security-ceritificate","status":"publish","type":"post","link":"https:\/\/www.fanyamin.com\/wordpress\/?p=2115","title":{"rendered":"Web Security &#8211; Ceritificate"},"content":{"rendered":"<h1>1.  Concepts<\/h1>\n<h2>1) \u5bc6\u94a5\u5bf9\uff08\u79c1\u94a5 &amp; \u516c\u94a5\uff09<\/h2>\n<p><strong>What<\/strong><\/p>\n<ul>\n<li><strong>\u79c1\u94a5<\/strong>\uff1a\u53ea\u5c5e\u4e8e\u6301\u6709\u8005\u7684\u79d8\u5bc6\u6570\u636e\uff1b\u7528\u4e8e<strong>\u7b7e\u540d<\/strong>\u6216<strong>\u89e3\u5bc6<\/strong>\u3002<\/li>\n<li><strong>\u516c\u94a5<\/strong>\uff1a\u53ef\u516c\u5f00\u5206\u53d1\uff1b\u7528\u4e8e<strong>\u9a8c\u7b7e<\/strong>\u6216<strong>\u52a0\u5bc6<\/strong>\u3002<\/li>\n<li>\u5e38\u89c1\u7b97\u6cd5\uff1aRSA\uff082048\/3072\/4096\uff09\u3001ECDSA\uff08P-256\/384\/521\uff09\u3001Ed25519\uff08\u7b7e\u540d\u53cb\u597d\u3001\u4f53\u79ef\u5c0f\uff09\u3002<\/li>\n<\/ul>\n<p><strong>Why<\/strong><\/p>\n<ul>\n<li>\u5c06\u201c\u673a\u5bc6\u6027\u201d\u548c\u201c\u8eab\u4efd\/\u5b8c\u6574\u6027\u201d\u5206\u79bb\uff1a\u516c\u5f00\u5206\u53d1\u516c\u94a5\u4e0d\u4f1a\u6cc4\u5bc6\uff1b\u53ea\u6709\u79c1\u94a5\u624d\u80fd\u4ea7\u751f\u53ef\u4fe1\u7b7e\u540d\u3002<\/li>\n<li>\u652f\u6301\u5927\u89c4\u6a21\u3001\u8de8\u7ec4\u7ec7\u7684\u4e92\u8054\u7f51\u4fe1\u4efb\u6a21\u578b\uff08PKI\uff09\u3002<\/li>\n<\/ul>\n<p><strong>When<\/strong><\/p>\n<ul>\n<li>TLS\/HTTPS\u3001mTLS\u3001JWT \u7b7e\u540d\u3001\u8f6f\u4ef6\u53d1\u5e03\u7b7e\u540d\uff08\u5982\u5bb9\u5668\u955c\u50cf\/\u5305\uff09\u3001SSH \u767b\u5f55\u7b49\u3002<\/li>\n<\/ul>\n<p><strong>Who<\/strong><\/p>\n<ul>\n<li>\u670d\u52a1\u5668\/\u670d\u52a1\u5b9e\u4f8b\u3001\u53cd\u5411\u4ee3\u7406\u3001\u5ba2\u6237\u7aef\uff08mTLS\uff09\u3001CI\/CD \u7b7e\u540d\u8005\u3001KMS\/HSM \u6258\u7ba1\u65b9\u3001\u5f00\u53d1\u8005\/\u8fd0\u7ef4\u3002<\/li>\n<\/ul>\n<p><strong>How\uff08\u8981\u70b9 &amp; \u5b9e\u8df5\uff09<\/strong><\/p>\n<ul>\n<li>\u751f\u6210\u4e0e\u5b58\u653e\uff1a\u4f18\u5148 <strong>KMS\/HSM<\/strong> \u6216\u6587\u4ef6\u7cfb\u7edf + \u4e25\u683c\u6743\u9650\uff1b\u907f\u514d\u5c06\u79c1\u94a5\u5199\u5165\u955c\u50cf\u4e0e\u4ee3\u7801\u5e93\u3002<\/li>\n<li>\n<p>\u7b97\u6cd5\u9009\u62e9\uff1a<\/p>\n<ul>\n<li>\u517c\u5bb9\u6027\u4f18\u5148\uff1aRSA-2048\uff1b<\/li>\n<li>\u6027\u80fd\u4e0e\u4f53\u79ef\uff1aECDSA P-256\uff1b<\/li>\n<li>\u73b0\u4ee3\u7b7e\u540d\uff1aEd25519\uff08\u4f46\u770b TLS\/\u5e93\u517c\u5bb9\u6027\uff09\u3002<\/li>\n<\/ul>\n<\/li>\n<li>\u5907\u4efd\u4e0e\u8f6e\u6362\uff1a\u5b9a\u671f\u8f6e\u6362\uff08\u5982 6\u201312 \u4e2a\u6708\uff09\uff0c\u5e76\u4fdd\u7559\u65e7\u79c1\u94a5\u7528\u4e8e\u5386\u53f2\u6570\u636e\u9a8c\u7b7e\u3002<\/li>\n<\/ul>\n<hr \/>\n<h2>2) \u6570\u5b57\u7b7e\u540d\uff08Digital Signature\uff09<\/h2>\n<p><strong>What<\/strong><\/p>\n<ul>\n<li>\u7528<strong>\u79c1\u94a5<\/strong>\u5bf9\u201c\u6570\u636e\u7684\u54c8\u5e0c\u201d\u505a\u7b7e\u540d(\u5373\u7528\u79c1\u94a5\u5bf9\u8fd9\u4e2a\u6458\u8981\u8fdb\u884c\u52a0\u5bc6)\uff0c\u4efb\u4f55\u4eba\u7528<strong>\u516c\u94a5<\/strong>\u53ef\u9a8c\u8bc1\u201c\u662f\u8c01\u7b7e\u7684\u3001\u6709\u6ca1\u6709\u88ab\u6539\u201d\u3002<\/li>\n<\/ul>\n<p><strong>Why<\/strong><\/p>\n<ul>\n<li>\u8bc1\u660e <strong>\u8eab\u4efd<\/strong>\uff08\u53ea\u6709\u79c1\u94a5\u6301\u6709\u8005\u80fd\u7b7e\uff09\u3001\u4fdd\u8bc1 <strong>\u5b8c\u6574\u6027<\/strong>\uff08\u6570\u636e\u6539\u4e86\u5c31\u9a8c\u4e0d\u8fc7\uff09\u3002<\/li>\n<\/ul>\n<p><strong>When<\/strong><\/p>\n<ul>\n<li>CA \u7b7e\u53d1\u8bc1\u4e66\uff1bTLS \u63e1\u624b\uff1bJWT\/\u6d88\u606f\/\u5de5\u4ef6\uff08artifact\uff09\u7b7e\u540d\uff1b\u4ee3\u7801\u7b7e\u540d\u3002<\/li>\n<\/ul>\n<p><strong>Who<\/strong><\/p>\n<ul>\n<li>\u7b7e\u540d\u8005\uff1a\u6301\u79c1\u94a5\u65b9\uff08\u670d\u52a1\u5668\u3001CA\u3001CI\/CD\uff09\u3002<\/li>\n<li>\u9a8c\u7b7e\u8005\uff1a\u6d4f\u89c8\u5668\u3001\u670d\u52a1\u7aef\u3001\u6d88\u8d39\u8005\u3002<\/li>\n<\/ul>\n<p><strong>How\uff08\u6d41\u7a0b\uff09<\/strong><\/p>\n<ol>\n<li>\u5bf9\u6570\u636e\u505a\u54c8\u5e0c\uff08SHA-256 \u7b49\uff09\u3002<\/li>\n<li>\u79c1\u94a5\u5bf9\u54c8\u5e0c\u7b7e\u540d(\u52a0\u5bc6) \u2192 \u4ea7\u751f\u7b7e\u540d\u503c\u3002<\/li>\n<li>\u9a8c\u7b7e\u65f6\uff1a\u516c\u94a5\u8fd8\u539f\u7b7e\u540d(\u89e3\u5bc6)\u5e76\u6bd4\u5bf9\u54c8\u5e0c\u662f\u5426\u4e00\u81f4\u3002<\/li>\n<li>TLS\/\u8bc1\u4e66\u91cc\uff0c\u9a8c\u7b7e\u903b\u8f91\u7531 <code>x509.Verify<\/code>\u3001\u6d4f\u89c8\u5668\/\u7cfb\u7edf\u5b8c\u6210\u3002<\/li>\n<\/ol>\n<hr \/>\n<h2>3) CSR\uff08\u8bc1\u4e66\u7b7e\u540d\u8bf7\u6c42\uff09<\/h2>\n<p><strong>What<\/strong><\/p>\n<ul>\n<li>\u5305\u542b <strong>\u7533\u8bf7\u8005\u516c\u94a5 + \u4e3b\u9898\u4fe1\u606f\uff08CN\/\u7ec4\u7ec7\uff09 + \u6269\u5c55\uff08SAN\uff09<\/strong> \u7684\u8bf7\u6c42\u6587\u4ef6\uff0c\u672c\u8eab\u7531<strong>\u7533\u8bf7\u8005\u79c1\u94a5<\/strong>\u7b7e\u540d\u3002<\/li>\n<\/ul>\n<p><strong>Why<\/strong><\/p>\n<ul>\n<li>\n<p>CA \u901a\u8fc7 CSR \u786e\u8ba4\uff1a<\/p>\n<ul>\n<li>\u4f60\u62e5\u6709\u8fd9\u628a\u79c1\u94a5\uff1b<\/li>\n<li>\u4f60\u58f0\u660e\u7684\u8eab\u4efd\/\u57df\u540d\u662f\u4ec0\u4e48\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>When<\/strong><\/p>\n<ul>\n<li>\u5411\u516c\u6709 CA\uff08Let\u2019s Encrypt\/DigiCert\uff09\u6216\u5185\u90e8 CA \u7533\u8bf7\u8bc1\u4e66\u3002<\/li>\n<\/ul>\n<p><strong>Who<\/strong><\/p>\n<ul>\n<li>\u7533\u8bf7\u8bc1\u4e66\u7684\u4e3b\u4f53\uff08\u7f51\u7ad9\/\u670d\u52a1\uff09\uff0c\u6216\u81ea\u52a8\u5316\u5de5\u5177\uff08cert-manager\u3001lego\u3001acme.sh\uff09\u3002<\/li>\n<\/ul>\n<p><strong>How\uff08\u5173\u952e\u70b9\uff09<\/strong><\/p>\n<ul>\n<li>\u5728\u751f\u6210 CSR \u65f6\u5c31\u628a <strong>SAN<\/strong> \u5199\u5168\uff08DNS\/IP\/URI\uff09\u3002<\/li>\n<li>\u4fdd\u62a4\u79c1\u94a5\uff1bCSR \u53ef\u516c\u5f00\u3002<\/li>\n<li>\u901a\u8fc7 ACME\/HTTP-01\/DNS-01 \u5b8c\u6210\u57df\u540d\u6240\u6709\u6743\u9a8c\u8bc1\uff08\u516c\u6709 CA\uff09\u3002<\/li>\n<\/ul>\n<hr \/>\n<h2>4) \u8bc1\u4e66\uff08X.509\uff09\u4e0e SAN<\/h2>\n<p><strong>What<\/strong><\/p>\n<ul>\n<li>\u8bc1\u4e66 = <strong>\u516c\u94a5 + \u8eab\u4efd\u4fe1\u606f + \u6709\u6548\u671f + \u6269\u5c55\uff08KeyUsage\/EKU\/SAN\/AIA\/AKI\/SKI\uff09<\/strong>\uff0c\u7531 CA <strong>\u79c1\u94a5\u7b7e\u540d<\/strong>\u3002<\/li>\n<li><strong>SAN\uff08Subject Alternative Name\uff09<\/strong>\uff1a\u5217\u51fa\u8bc1\u4e66\u8986\u76d6\u7684\u6240\u6709\u4e3b\u673a\u540d\/IP\/URI\u3002\u73b0\u4ee3\u5ba2\u6237\u7aef<strong>\u4ec5\u770b SAN<\/strong>\uff0c\u4e0d\u518d\u4f9d\u8d56 CN\u3002<\/li>\n<\/ul>\n<p><strong>Why<\/strong><\/p>\n<ul>\n<li>\u5c06\u201c<strong>\u662f\u8c01<\/strong>\uff08\u8eab\u4efd\uff09\u201d\u4e0e\u201c<strong>\u8fd9\u628a\u516c\u94a5<\/strong>\u201d\u7ed1\u5b9a\uff1bSAN \u4fdd\u969c\u4e00\u4e2a\u8bc1\u4e66\u53ef\u5b89\u5168\u8986\u76d6\u591a\u4e2a\u57df\u540d\u3002<\/li>\n<\/ul>\n<p><strong>When<\/strong><\/p>\n<ul>\n<li>Web \u670d\u52a1\u5668\u8bc1\u4e66\u3001mTLS \u5ba2\u6237\u7aef\u8bc1\u4e66\u3001\u5185\u7f51\u670d\u52a1\u7f51\u683c\u8bc1\u4e66\u3002<\/li>\n<li>\u901a\u914d\u7b26\uff1a<code>*.example.com<\/code> \u8986\u76d6\u5355\u5c42\u5b50\u57df\uff0c\u573a\u666f\u5408\u9002\u65f6\u51cf\u5c11\u8bc1\u4e66\u6570\u91cf\u3002<\/li>\n<\/ul>\n<p><strong>Who<\/strong><\/p>\n<ul>\n<li>\u9881\u53d1\u8005\uff1aCA\uff08\u4e2d\u7ea7 CA \u4e3a\u4e3b\uff09\u3002<\/li>\n<li>\u4f7f\u7528\u8005\uff1a\u670d\u52a1\u5668\/\u5ba2\u6237\u7aef\uff1b\u9a8c\u8bc1\u8005\uff1a\u6d4f\u89c8\u5668\u3001\u53cd\u5411\u4ee3\u7406\u3001API \u5ba2\u6237\u7aef\u3002<\/li>\n<\/ul>\n<p><strong>How\uff08\u5b9e\u52a1\uff09<\/strong><\/p>\n<ul>\n<li>\n<p>KeyUsage\/EKU\uff1a<\/p>\n<ul>\n<li>\u670d\u52a1\u5668\u8bc1\u4e66\uff1a<code>DigitalSignature|KeyEncipherment<\/code> + <code>ExtKeyUsageServerAuth<\/code>\uff1b<\/li>\n<li>\u5ba2\u6237\u7aef\u8bc1\u4e66\uff1a<code>ExtKeyUsageClientAuth<\/code>\uff1b<\/li>\n<li>CA\uff1a<code>CertSign|CRLSign<\/code>\u3001<code>IsCA=true<\/code>\u3002<\/li>\n<\/ul>\n<\/li>\n<li>\u6709\u6548\u671f\uff1a\u516c\u6709 TLS \u8bc1\u4e66\u5e38\u89c1 \u2264 398 \u5929\uff1b\u5185\u90e8\u53ef\u66f4\u77ed\u4ee5\u4fbf\u81ea\u52a8\u8f6e\u6362\u3002<\/li>\n<li><strong>\u4e00\u5b9a\u90e8\u7f72\u5b8c\u6574\u94fe<\/strong>\uff08leaf + intermediates\uff09\uff0c\u5426\u5219\u90e8\u5206\u5ba2\u6237\u7aef\u201c\u94fe\u4e0d\u5b8c\u6574\u201d\u3002<\/li>\n<\/ul>\n<hr \/>\n<h2>5) CA \/ \u6839 CA \/ \u4e2d\u7ea7 CA<\/h2>\n<p><strong>What<\/strong><\/p>\n<ul>\n<li><strong>CA<\/strong>\uff1a\u53d7\u4fe1\u7684\u7b7e\u53d1\u673a\u6784\u3002<\/li>\n<li><strong>\u6839 CA\uff08Root\uff09<\/strong>\uff1a\u81ea\u7b7e\uff0c\u516c\u94a5\u9884\u7f6e\u5728\u7cfb\u7edf\/\u6d4f\u89c8\u5668\uff1b\u51e0\u4e4e\u4e0d\u76f4\u63a5\u7b7e\u53d1\u7ec8\u7aef\u8bc1\u4e66\u3002<\/li>\n<li><strong>\u4e2d\u7ea7 CA\uff08Intermediate\uff09<\/strong>\uff1a\u7531 Root \u6216\u4e0a\u7ea7\u4e2d\u7ea7\u7b7e\u53d1\uff0c<strong>\u771f\u6b63\u8d1f\u8d23<\/strong>\u9762\u5411\u7ec8\u7aef\u7684\u8bc1\u4e66\u7b7e\u53d1\u3002<\/li>\n<\/ul>\n<p><strong>Why<\/strong><\/p>\n<ul>\n<li>\u5206\u5c42\u964d\u4f4e\u98ce\u9669\uff1a\u4e00\u65e6\u4e2d\u7ea7\u6cc4\u9732\u53ef\u540a\u9500\u8be5\u4e2d\u7ea7\uff0c\u4e0d\u4f24\u6839\u3002<\/li>\n<li>\u8fd0\u8425\u4e0e\u5ba1\u8ba1\u804c\u8d23\u5206\u79bb\uff0c\u6ee1\u8db3\u5408\u89c4\u3002<\/li>\n<\/ul>\n<p><strong>When<\/strong><\/p>\n<ul>\n<li>\u4e92\u8054\u7f51 PKI \u5fc5\u5907\uff1b\u4f01\u4e1a\u5185\u90e8 PKI \u4e5f\u5efa\u8bae\u91c7\u7528\u201c\u6839\u79bb\u7ebf + \u591a\u4e2d\u7ea7\u201d\u67b6\u6784\u3002<\/li>\n<\/ul>\n<p><strong>Who<\/strong><\/p>\n<ul>\n<li>\u6839 CA \u8fd0\u7ef4\u56e2\u961f\uff08\u901a\u5e38\u79bb\u7ebf HSM\u3001\u5b9e\u4f53\u5b89\u4fdd\uff09\uff1b<\/li>\n<li>\u4e2d\u7ea7 CA \u8fd0\u8425\uff08\u5728\u7ebf\u7b7e\u53d1\u3001\u5ba1\u8ba1\u3001\u901f\u7387\u9650\u5236\u3001\u7b56\u7565\uff09\u3002<\/li>\n<\/ul>\n<p><strong>How\uff08\u843d\u5730\uff09<\/strong><\/p>\n<ul>\n<li>\u6839 CA \u7f6e\u4e8e\u79bb\u7ebf\/\u53d7\u63a7\u73af\u5883\uff0c\u4f7f\u7528 HSM\uff1b<\/li>\n<li>\u4e2d\u7ea7 CA \u5728\u7ebf\u670d\u52a1\uff0c\u914d\u5408\u5ba1\u6279\/ACME\/\u5ba1\u8ba1\u4e0e\u544a\u8b66\uff1b<\/li>\n<li>\u5b9a\u671f\u8f6e\u6362\u4e2d\u7ea7\uff1b\u6839 CA \u66f4\u957f\u5468\u671f\u8f6e\u6362\uff1b\u4f7f\u7528 CRL\/OCSP \u53d1\u5e03\u72b6\u6001\u3002<\/li>\n<\/ul>\n<hr \/>\n<h2>6) \u8bc1\u4e66\u94fe\u4e0e\u9a8c\u8bc1<\/h2>\n<p><strong>What<\/strong><\/p>\n<ul>\n<li>\u94fe = \u670d\u52a1\u5668\u8bc1\u4e66 \u2190 \u4e2d\u7ea7 CA \u8bc1\u4e66 \u2190 \u6839 CA \u8bc1\u4e66\uff08\u4fe1\u4efb\u951a\uff09\u3002<\/li>\n<li>\u9a8c\u8bc1 = <strong>\u9010\u7ea7\u9a8c\u7b7e<\/strong> + <strong>\u7b56\u7565\u68c0\u67e5<\/strong>\uff08\u6709\u6548\u671f\u3001KeyUsage\/EKU\u3001SAN\/\u4e3b\u673a\u540d\u3001\u540a\u9500\uff09\u3002<\/li>\n<\/ul>\n<p><strong>Why<\/strong><\/p>\n<ul>\n<li>\u8ba9\u4efb\u610f\u4e24\u65b9\u5728\u4e0d\u9884\u5148\u4ea4\u6362\u79c1\u94a5\u7684\u60c5\u51b5\u4e0b\uff0c\u57fa\u4e8e\u516c\u5171\u201c\u4fe1\u4efb\u951a\u201d\uff08Root\uff09\u5efa\u7acb\u4fe1\u4efb\u3002<\/li>\n<\/ul>\n<p><strong>When<\/strong><\/p>\n<ul>\n<li>\u6d4f\u89c8\u5668\u8bbf\u95ee HTTPS\u3001\u53cd\u5411\u4ee3\u7406\u5230\u4e0a\u6e38\u3001\u670d\u52a1\u95f4 mTLS\u3001API \u5ba2\u6237\u7aef\u6821\u9a8c\u3002<\/li>\n<\/ul>\n<p><strong>Who<\/strong><\/p>\n<ul>\n<li>\u9a8c\u8bc1\u8005\uff1a\u5ba2\u6237\u7aef\/\u6d4f\u89c8\u5668\/\u7f51\u5173\/SDK\uff1b<\/li>\n<li>\u63d0\u4f9b\u94fe\uff1a\u670d\u52a1\u5668\u5fc5\u987b\u8fde\u540c\u4e2d\u7ea7\u8bc1\u4e66\u4e00\u8d77\u53d1\u9001\u3002<\/li>\n<\/ul>\n<p><strong>How\uff08\u6b65\u9aa4\uff09<\/strong><\/p>\n<ol>\n<li>\u4f7f\u7528\u4e0a\u4e00\u7ea7\u8bc1\u4e66\u7684<strong>\u516c\u94a5<\/strong>\u9a8c\u4e0b\u4e00\u7ea7\u8bc1\u4e66<strong>\u7b7e\u540d<\/strong>\uff1b<\/li>\n<li>\u68c0\u67e5\u8bc1\u4e66<strong>\u6709\u6548\u671f<\/strong>\u3001<strong>KeyUsage\/EKU<\/strong> \u662f\u5426\u5141\u8bb8\u5f53\u524d\u7528\u9014\uff1b<\/li>\n<li>\u6821\u9a8c <strong>SAN<\/strong> \u662f\u5426\u8986\u76d6\u8bbf\u95ee\u7684\u4e3b\u673a\u540d\uff1b<\/li>\n<li>\u68c0\u67e5 <strong>\u540a\u9500<\/strong>\uff08CRL\/OCSP\/OCSP-Stapling\uff09\uff1b<\/li>\n<li>\u6839 CA \u4f5c\u4e3a<strong>\u4fe1\u4efb\u951a<\/strong>\u5b58\u5728\u4e8e\u672c\u673a\u4fe1\u4efb\u5e93\u4e2d\uff08\u7cfb\u7edf\/\u6d4f\u89c8\u5668\/\u5bb9\u5668\u955c\u50cf\uff09\u3002<\/li>\n<\/ol>\n<hr \/>\n<h2>7) \u540a\u9500\uff08CRL &amp; OCSP\uff09<\/h2>\n<p><strong>What<\/strong><\/p>\n<ul>\n<li><strong>CRL<\/strong>\uff1a\u7531 CA \u53d1\u5e03\u7684\u201c\u88ab\u540a\u9500\u8bc1\u4e66\u5217\u8868\u201d\uff1b<\/li>\n<li><strong>OCSP<\/strong>\uff1a\u5728\u7ebf\u67e5\u8be2\u67d0\u4e00\u8bc1\u4e66\u662f\u5426\u6709\u6548\uff1b<\/li>\n<li><strong>OCSP Stapling<\/strong>\uff1a\u670d\u52a1\u5668\u628a\u65b0\u9c9c\u7684 OCSP \u54cd\u5e94\u968f\u63e1\u624b\u4e00\u5e76\u63d0\u4f9b\uff0c\u51cf\u5c11\u5ba2\u6237\u7aef\u5916\u547c\u3002<\/li>\n<\/ul>\n<p><strong>Why<\/strong><\/p>\n<ul>\n<li>\u79c1\u94a5\u6cc4\u9732\u3001\u8bef\u7b7e\u3001\u4e3b\u4f53\u4e0d\u518d\u5408\u6cd5\u7b49\u573a\u666f\u5fc5\u987b\u201c\u7acb\u5373\u5931\u6548\u201d\u8bc1\u4e66\u3002<\/li>\n<\/ul>\n<p><strong>When<\/strong><\/p>\n<ul>\n<li>\u4efb\u4f55\u4f60\u6000\u7591\u5bc6\u94a5\u6cc4\u9732\u3001\u9519\u8bef\u7b7e\u53d1\u3001\u4e3b\u4f53\u7ec8\u6b62\u65f6\uff1b<\/li>\n<li>\u516c\u7f51\u7ad9\u70b9\u5efa\u8bae\u5f00\u542f Stapling \u4ee5\u964d\u4f4e\u65f6\u5ef6\u4e0e\u9690\u79c1\u6cc4\u9732\u3002<\/li>\n<\/ul>\n<p><strong>Who<\/strong><\/p>\n<ul>\n<li>\u540a\u9500\u65b9\uff1a\u7b7e\u53d1\u8be5\u8bc1\u4e66\u7684 CA\uff1b<\/li>\n<li>\u67e5\u8be2\u65b9\uff1a\u5ba2\u6237\u7aef\/\u6d4f\u89c8\u5668\/\u7f51\u5173\u3002<\/li>\n<\/ul>\n<p><strong>How\uff08\u5b9e\u8df5\uff09<\/strong><\/p>\n<ul>\n<li>\u90e8\u7f72 OCSP Stapling\uff08Nginx\/Envoy\/Apache \u652f\u6301\uff09\uff1b<\/li>\n<li>\u76d1\u63a7 CRL\/OCSP \u53ef\u7528\u6027\uff1b<\/li>\n<li>\u5bf9\u5173\u952e\u5185\u7f51\u7cfb\u7edf\u5f15\u5165 <strong>\u77ed\u5468\u671f\u8bc1\u4e66 + \u81ea\u52a8\u8f6e\u6362<\/strong>\uff0c\u964d\u4f4e\u5bf9\u540a\u9500\u5b9e\u65f6\u6027\u7684\u4f9d\u8d56\u3002<\/li>\n<\/ul>\n<p>\u597d\u7684\uff0c\u6211\u4eec\u7ee7\u7eed\u628a\u8bc1\u4e66\u4f53\u7cfb\u4e2d\u7684 <strong>EKU\u3001CRL\u3001OCSP<\/strong> \u62c6\u5f00\u8bb2\u6e05\u695a\uff0c\u4ece <strong>What \/ Why \/ When \/ Who \/ How<\/strong> \u4e94\u4e2a\u89d2\u5ea6\u6765\u7406\u89e3\u3002<\/p>\n<hr \/>\n<h2>8) EKU (Extended Key Usage\uff0c\u6269\u5c55\u5bc6\u94a5\u7528\u6cd5)<\/h2>\n<h3>What<\/h3>\n<ul>\n<li>EKU \u662f\u8bc1\u4e66\u4e2d\u7684\u4e00\u4e2a\u6269\u5c55\u5b57\u6bb5\uff08X.509 v3 \u6269\u5c55\uff09\uff0c\u7528\u6765\u6307\u5b9a\u8be5\u8bc1\u4e66\u7684\u5177\u4f53\u7528\u9014\u3002<\/li>\n<li>\n<p>\u4f8b\u5982\uff1a<\/p>\n<ul>\n<li><code>serverAuth<\/code> \u2192 \u7528\u4e8e\u670d\u52a1\u5668\u8eab\u4efd\u8ba4\u8bc1\uff08HTTPS \u7f51\u7ad9\u8bc1\u4e66\uff09<\/li>\n<li><code>clientAuth<\/code> \u2192 \u7528\u4e8e\u5ba2\u6237\u7aef\u8eab\u4efd\u8ba4\u8bc1\uff08\u53cc\u5411 TLS\uff09<\/li>\n<li><code>codeSigning<\/code> \u2192 \u7528\u4e8e\u4ee3\u7801\u7b7e\u540d\uff08\u8f6f\u4ef6\u53d1\u5e03\uff09<\/li>\n<li><code>emailProtection<\/code> \u2192 \u7528\u4e8e\u52a0\u5bc6\/\u7b7e\u540d\u7535\u5b50\u90ae\u4ef6<\/li>\n<li><code>timeStamping<\/code> \u2192 \u7528\u4e8e\u65f6\u95f4\u6233\u670d\u52a1<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Why<\/h3>\n<ul>\n<li>\u9632\u6b62\u8bc1\u4e66\u88ab\u8bef\u7528\u3002\u6bd4\u5982\u4e00\u4e2a\u670d\u52a1\u5668\u8bc1\u4e66\u4e0d\u80fd\u7528\u6765\u7b7e\u53d1\u4ee3\u7801\uff0c\u5426\u5219\u53ef\u80fd\u88ab\u6ee5\u7528\u3002<\/li>\n<li>\u660e\u786e\u8bc1\u4e66\u7684\u8fb9\u754c\uff0c\u63d0\u9ad8\u5b89\u5168\u6027\u548c\u5408\u89c4\u6027\u3002<\/li>\n<\/ul>\n<h3>When<\/h3>\n<ul>\n<li>\u5f53\u9881\u53d1\u8bc1\u4e66\u65f6\uff0cCA \u4f1a\u6839\u636e\u7528\u9014\u8bbe\u7f6e EKU\u3002<\/li>\n<li>\u6d4f\u89c8\u5668\u6216\u7cfb\u7edf\u5728\u4f7f\u7528\u8bc1\u4e66\u65f6\u4f1a\u9a8c\u8bc1 EKU \u5b57\u6bb5\uff0c\u786e\u4fdd\u7528\u9014\u5339\u914d\u3002<\/li>\n<\/ul>\n<h3>Who<\/h3>\n<ul>\n<li>\u7531 CA \u7b7e\u53d1\u65f6\u8bbe\u5b9a\u3002<\/li>\n<li>\u5ba2\u6237\u7aef\uff08\u6d4f\u89c8\u5668\u3001\u64cd\u4f5c\u7cfb\u7edf\u3001\u5e94\u7528\u7a0b\u5e8f\uff09\u8d1f\u8d23\u9a8c\u8bc1\u3002<\/li>\n<\/ul>\n<h3>How<\/h3>\n<ul>\n<li>\u8bc1\u4e66\u4e2d <code>Extended Key Usage<\/code> OID \u8868\u793a\u7528\u9014\u3002<\/li>\n<li>\n<p>\u4f8b\u5982\uff1a<\/p>\n<ul>\n<li><code>1.3.6.1.5.5.7.3.1<\/code> \u2192 TLS Web Server Authentication<\/li>\n<li><code>1.3.6.1.5.5.7.3.2<\/code> \u2192 TLS Web Client Authentication<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<h2>9) CRL (Certificate Revocation List\uff0c\u8bc1\u4e66\u540a\u9500\u5217\u8868)<\/h2>\n<h3>What<\/h3>\n<ul>\n<li>CRL \u662f\u7531 CA \u5b9a\u671f\u53d1\u5e03\u7684\u201c\u88ab\u540a\u9500\u7684\u8bc1\u4e66\u5217\u8868\u201d\u3002<\/li>\n<li>\u5305\u542b\u8bc1\u4e66\u5e8f\u5217\u53f7\u3001\u540a\u9500\u65f6\u95f4\u3001\u540a\u9500\u539f\u56e0\u3002<\/li>\n<\/ul>\n<h3>Why<\/h3>\n<ul>\n<li>\n<p>\u6709\u4e9b\u8bc1\u4e66\u5728\u6709\u6548\u671f\u5185\u53ef\u80fd\u9700\u8981\u5931\u6548\uff1a<\/p>\n<ul>\n<li>\u79c1\u94a5\u6cc4\u9732<\/li>\n<li>\u6301\u6709\u8005\u8eab\u4efd\u4e0d\u518d\u53ef\u4fe1<\/li>\n<li>\u8bc1\u4e66\u9519\u8bef\u7b7e\u53d1<\/li>\n<\/ul>\n<\/li>\n<li>CRL \u80fd\u8ba9\u5ba2\u6237\u7aef\u907f\u514d\u4fe1\u4efb\u5df2\u4e0d\u518d\u5b89\u5168\u7684\u8bc1\u4e66\u3002<\/li>\n<\/ul>\n<h3>When<\/h3>\n<ul>\n<li>CA \u4f1a\u5b9a\u671f\uff08\u5982\u6bcf\u5929\u6216\u6bcf\u5468\uff09\u751f\u6210\u5e76\u53d1\u5e03 CRL \u6587\u4ef6\u3002<\/li>\n<li>\u5ba2\u6237\u7aef\u5728\u9a8c\u8bc1\u8bc1\u4e66\u65f6\uff0c\u53ef\u4ee5\u4e0b\u8f7d\u5e76\u68c0\u67e5\u8bc1\u4e66\u662f\u5426\u5728 CRL \u4e2d\u3002<\/li>\n<\/ul>\n<h3>Who<\/h3>\n<ul>\n<li>\u7531 CA \u7ef4\u62a4\u548c\u53d1\u5e03\u3002<\/li>\n<li>\u5ba2\u6237\u7aef\uff08\u6d4f\u89c8\u5668\u3001\u7cfb\u7edf\uff09\u4f7f\u7528\u3002<\/li>\n<\/ul>\n<h3>How<\/h3>\n<ul>\n<li>CA \u5728\u8bc1\u4e66\u4e2d\u5199\u5165 <code>CRL Distribution Point (CDP)<\/code> \u6269\u5c55\uff0c\u544a\u8bc9\u5ba2\u6237\u7aef\u4ece\u54ea\u91cc\u83b7\u53d6 CRL\u3002<\/li>\n<li>\u5ba2\u6237\u7aef\u4e0b\u8f7d CRL \u6587\u4ef6\uff08\u4e00\u822c\u662f <code>.crl<\/code> \u683c\u5f0f\uff09\uff0c\u68c0\u67e5\u8bc1\u4e66\u5e8f\u5217\u53f7\u662f\u5426\u5728\u5176\u4e2d\u3002<\/li>\n<\/ul>\n<p>\u26a0\ufe0f \u7f3a\u70b9\uff1aCRL \u6587\u4ef6\u53ef\u80fd\u5f88\u5927\uff0c\u66f4\u65b0\u4e0d\u591f\u5b9e\u65f6\u3002<\/p>\n<hr \/>\n<h2>10) OCSP (Online Certificate Status Protocol\uff0c\u5728\u7ebf\u8bc1\u4e66\u72b6\u6001\u534f\u8bae)<\/h2>\n<h3>What<\/h3>\n<ul>\n<li>OCSP \u662f\u4e00\u79cd\u6bd4 CRL \u66f4\u9ad8\u6548\u7684\u8bc1\u4e66\u72b6\u6001\u68c0\u67e5\u534f\u8bae\u3002<\/li>\n<li>\u901a\u8fc7\u7f51\u7edc\u5b9e\u65f6\u5411 CA \u6216 OCSP \u670d\u52a1\u5668\u67e5\u8be2\u67d0\u4e2a\u8bc1\u4e66\u662f\u5426\u6709\u6548\u3002<\/li>\n<\/ul>\n<h3>Why<\/h3>\n<ul>\n<li>CRL \u592a\u7b28\u91cd\uff08\u4e0b\u8f7d\u6574\u4e2a\u5217\u8868\uff09\uff0cOCSP \u53ef\u4ee5\u76f4\u63a5\u67e5\u8be2\u5355\u4e2a\u8bc1\u4e66\u7684\u72b6\u6001\u3002<\/li>\n<li>\u66f4\u5b9e\u65f6\uff0c\u901a\u5e38\u5ef6\u8fdf\u53ea\u6709\u51e0\u79d2\u5230\u51e0\u5206\u949f\u3002<\/li>\n<\/ul>\n<h3>When<\/h3>\n<ul>\n<li>\u6d4f\u89c8\u5668\u8bbf\u95ee HTTPS \u7f51\u7ad9\u65f6\uff0c\u4f1a\u53d1\u9001 OCSP \u8bf7\u6c42\uff0cCA \u54cd\u5e94\u201cGood \/ Revoked \/ Unknown\u201d\u3002<\/li>\n<li>\u5728\u5b89\u5168\u6027\u8981\u6c42\u9ad8\u7684\u573a\u666f\uff08\u91d1\u878d\u3001\u652f\u4ed8\u3001\u653f\u52a1\u7cfb\u7edf\uff09\u5c24\u5176\u5e38\u7528\u3002<\/li>\n<\/ul>\n<h3>Who<\/h3>\n<ul>\n<li><strong>OCSP Responder<\/strong>\uff1a\u901a\u5e38\u7531\u9881\u53d1\u8bc1\u4e66\u7684 CA \u8fd0\u884c\u3002<\/li>\n<li><strong>\u5ba2\u6237\u7aef<\/strong>\uff1a\u6d4f\u89c8\u5668\u3001\u5e94\u7528\u3001\u64cd\u4f5c\u7cfb\u7edf\u8d1f\u8d23\u53d1\u8d77\u67e5\u8be2\u3002<\/li>\n<\/ul>\n<h3>How<\/h3>\n<ul>\n<li>\u8bc1\u4e66\u91cc\u4f1a\u6709 <code>Authority Information Access (AIA)<\/code> \u6269\u5c55\uff0c\u6307\u660e OCSP \u670d\u52a1\u5668\u7684 URL\u3002<\/li>\n<li>\u5ba2\u6237\u7aef\u6784\u9020\u4e00\u4e2a OCSP \u8bf7\u6c42\uff0c\u53d1\u9001\u5230\u670d\u52a1\u5668\u3002<\/li>\n<li>\n<p>\u670d\u52a1\u5668\u8fd4\u56de\u4e00\u4e2a\u5e26\u7b7e\u540d\u7684\u54cd\u5e94\uff1a<\/p>\n<ul>\n<li><strong>good<\/strong> \u2192 \u8bc1\u4e66\u6709\u6548<\/li>\n<li><strong>revoked<\/strong> \u2192 \u8bc1\u4e66\u5df2\u540a\u9500<\/li>\n<li><strong>unknown<\/strong> \u2192 \u4e0d\u8ba4\u8bc6\u8fd9\u4e2a\u8bc1\u4e66<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>\u26a0\ufe0f \u7f3a\u70b9\uff1a<\/p>\n<ul>\n<li>\u5982\u679c OCSP \u670d\u52a1\u5668\u5b95\u673a\uff0c\u53ef\u80fd\u5bfc\u81f4\u8bbf\u95ee\u5ef6\u8fdf\u6216\u5931\u8d25\u3002<\/li>\n<li>\u6709\u4e9b\u6d4f\u89c8\u5668\u4f1a\u7528 <strong>OCSP Stapling<\/strong>\uff08\u670d\u52a1\u5668\u63d0\u524d\u7f13\u5b58\u5e76\u8fd4\u56de OCSP \u54cd\u5e94\uff0c\u907f\u514d\u5ba2\u6237\u7aef\u5355\u72ec\u67e5\u8be2\uff09\u3002<\/li>\n<\/ul>\n<h1>2. \u5178\u578b\u4f7f\u7528\u573a\u666f\u4e0e\u51b3\u7b56<\/h1>\n<p><strong>Web \u670d\u52a1\u5668\uff08\u5355\u57df\/\u591a\u57df\uff09<\/strong><\/p>\n<ul>\n<li><strong>Why<\/strong>\uff1aHTTPS \u4e0e SEO\/\u5408\u89c4\uff1b<\/li>\n<li><strong>When<\/strong>\uff1a\u6240\u6709\u516c\u7f51\u670d\u52a1\u9ed8\u8ba4\u542f\u7528\uff1b<\/li>\n<li><strong>How<\/strong>\uff1aACME \u81ea\u52a8\u7b7e\u53d1\u4e0e\u7eed\u671f\uff08Let\u2019s Encrypt + certbot\/cert-manager\uff09\uff0cSAN \u5217\u5168\u57df\u540d\uff1b\u542f\u7528 HTTP\/2\/3\uff0cOCSP Stapling\u3002<\/li>\n<\/ul>\n<p><strong>API \u7f51\u5173 \u2194 \u4e0a\u6e38\uff08\u5185\u7f51\uff09<\/strong><\/p>\n<ul>\n<li><strong>Why<\/strong>\uff1a\u4e0a\u6e38\u9274\u522b\u4e0e\u52a0\u5bc6\uff1b<\/li>\n<li><strong>How<\/strong>\uff1a\u7f51\u5173\u9a8c\u8bc1\u4e0a\u6e38\u670d\u52a1\u8bc1\u4e66\u94fe\u4e0e SAN\uff1b\u82e5\u9700\u8981\u53cc\u5411\u8ba4\u8bc1\uff0c\u542f\u7528 <strong>mTLS<\/strong> \u5e76\u4e3a\u5ba2\u6237\u7aef\u9881\u53d1 ClientAuth \u8bc1\u4e66\u3002<\/li>\n<\/ul>\n<p><strong>\u670d\u52a1\u7f51\u683c \/ mTLS\uff08\u5fae\u670d\u52a1\uff09<\/strong><\/p>\n<ul>\n<li><strong>Why<\/strong>\uff1a\u96f6\u4fe1\u4efb\/\u7ec6\u7c92\u5ea6\u8eab\u4efd\uff1b<\/li>\n<li><strong>How<\/strong>\uff1aIstio\/Linkerd \u4f1a\u6258\u7ba1 CA\uff08\u6216\u5bf9\u63a5\u5916\u90e8 CA\uff09\uff0c\u4e3a Workload \u81ea\u52a8\u7b7e\u53d1\u77ed\u671f\u8bc1\u4e66\uff08\u5982 24h\uff09\uff0cSidecar \u8d1f\u8d23\u8f6e\u6362\u4e0e\u5206\u53d1\uff1b\u7b56\u7565\u7531 SPIFFE ID\/SAN \u7ed1\u5b9a\u3002<\/li>\n<\/ul>\n<p><strong>\u79fb\u52a8\/IoT \u8bbe\u5907<\/strong><\/p>\n<ul>\n<li><strong>Why<\/strong>\uff1a\u6297\u4e2d\u95f4\u4eba\u3001\u8bbe\u5907\u8eab\u4efd\uff1b<\/li>\n<li><strong>How<\/strong>\uff1a\u51fa\u5382\u70e7\u5f55\u8bbe\u5907\u79c1\u94a5\u4e0e\u8bc1\u4e66\uff0c\u670d\u52a1\u7aef\u6821\u9a8c\uff1b\u53ef\u7ed3\u5408\u8bc1\u4e66**\u9489\uff08pinning\uff09**\u6216\u900f\u660e\u65e5\u5fd7\uff08CT\uff09\u3002<\/li>\n<\/ul>\n<hr \/>\n<h1>3. \u64cd\u4f5c\u4e0e\u5b89\u5168\u6700\u4f73\u5b9e\u8df5\uff08\u7ed9 Web\/\u540e\u7aef\/DevOps\uff09<\/h1>\n<ul>\n<li><strong>\u79c1\u94a5\u7edd\u4e0d\u8fdb\u4ee3\u7801\u5e93<\/strong>\uff1b\u5c3d\u91cf\u4f7f\u7528 <strong>KMS\/HSM<\/strong> \u6216\u72ec\u7acb\u5bc6\u94a5\u5377\u3002<\/li>\n<li><strong>\u6700\u5c0f\u6743\u9650<\/strong>\uff1a\u5bc6\u94a5\u6587\u4ef6\u4ec5\u670d\u52a1\u8fdb\u7a0b\u53ef\u8bfb\uff1b\u5bb9\u5668\u7528 <code>readOnlyRootFilesystem<\/code>\u3001<code>fsGroup<\/code> \u63a7\u5236\u8bbf\u95ee\u3002<\/li>\n<li><strong>\u81ea\u52a8\u5316<\/strong>\uff1a\u8bc1\u4e66\u77ed\u671f\uff0830\u201390 \u5929\uff09+ \u81ea\u52a8\u7eed\u671f\uff08ACME\/cert-manager\uff09\uff1b\u5931\u8d25\u544a\u8b66\u3002<\/li>\n<li><strong>\u5b8c\u6574\u94fe\u90e8\u7f72<\/strong>\uff1a\u786e\u4fdd\u4e2d\u7ea7\u8bc1\u4e66\u968f\u540c\u53d1\u9001\uff1b\u7528 <code>openssl s_client -showcerts<\/code> \u6216\u5728\u7ebf\u5de5\u5177\u9a8c\u8bc1\u3002<\/li>\n<li><strong>\u4e25\u683c SAN<\/strong>\uff1a\u8bbf\u95ee\u540d\u5fc5\u987b\u51fa\u73b0\u5728 SAN\uff1b\u522b\u518d\u4f9d\u8d56 CN\u3002<\/li>\n<li><strong>\u7528\u9014\u6b63\u786e<\/strong>\uff1aKeyUsage\/EKU \u4e0e\u89d2\u8272\u5339\u914d\uff08ServerAuth\/ClientAuth\/CodeSigning\uff09\u3002<\/li>\n<li><strong>\u65e5\u5fd7\u4e0e\u53ef\u89c2\u6d4b<\/strong>\uff1aOCSP\/CRL \u67e5\u8be2\u3001\u63e1\u624b\u5931\u8d25\u539f\u56e0\u3001\u8bc1\u4e66\u8fc7\u671f\u9884\u8b66\u3002<\/li>\n<li><strong>\u5e94\u6025<\/strong>\uff1a\u5bc6\u94a5\u7591\u4f3c\u6cc4\u9732 \u2192 \u7acb\u523b\u540a\u9500 + \u91cd\u65b0\u7b7e\u53d1 + \u5f3a\u5236\u8f6e\u6362\u3002<\/li>\n<\/ul>\n<hr \/>\n<h1>4. \u5feb\u901f\u547d\u4ee4\u5907\u5fd8\uff08OpenSSL \u793a\u4f8b\uff09<\/h1>\n<pre><code class=\"language-bash\"># \u751f\u6210\u79c1\u94a5\uff08RSA \u6216 EC\uff09\nopenssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server.key\n# \u6216\uff1aEC P-256\nopenssl ecparam -genkey -name prime256v1 -noout -out server.key\n\n# \u751f\u6210\u542b SAN \u7684 CSR\uff08\u7528 -addext\uff09\nopenssl req -new -key server.key -out server.csr \\\n  -subj &quot;\/CN=example.com\/O=Example Ltd&quot; \\\n  -addext &quot;subjectAltName=DNS:example.com,DNS:www.example.com,DNS:api.example.com&quot;\n\n# \u7531\u4e2d\u7ea7 CA \u7b7e\u53d1\uff08\u4e3e\u4f8b\uff09\nopenssl x509 -req -in server.csr -CA intermediate.pem -CAkey intermediate.key \\\n  -CAcreateserial -out server.pem -days 398 -sha256 \\\n  -extfile &lt;(printf &quot;keyUsage=digitalSignature,keyEncipherment\\nextendedKeyUsage=serverAuth\\nsubjectAltName=DNS:example.com,DNS:www.example.com,DNS:api.example.com&quot;)\n\n# \u9a8c\u8bc1\u8bc1\u4e66\u94fe\u4e0e\u4e3b\u673a\u540d\uff08OpenSSL 3\uff09\ncat root.pem intermediate.pem &gt; chain.pem\nopenssl verify -CAfile chain.pem -verify_hostname www.example.com server.pem<\/code><\/pre>\n<blockquote>\n<p>\u5efa\u8bae\uff1a\u628a\u7b7e\u53d1\u4e0e\u5b58\u50a8\u8fc1\u5230 <strong>ACME \/ cert-manager \/ step-ca \/ Vault PKI<\/strong> \u7b49\u81ea\u52a8\u5316\u65b9\u6848\uff1b\u6839 CA \u79bb\u7ebf\u4fdd\u5b58\uff0c\u4e2d\u7ea7 CA \u5728\u7ebf\u6258\u7ba1\u5e76\u5ba1\u8ba1\u3002<\/p>\n<\/blockquote>\n<h1>5. Example<\/h1>\n<pre><code>package main\n\nimport (\n    &quot;crypto\/rand&quot;\n    &quot;crypto\/rsa&quot;\n    &quot;crypto\/sha1&quot;\n    &quot;crypto\/x509&quot;\n    &quot;crypto\/x509\/pkix&quot;\n    &quot;encoding\/pem&quot;\n    &quot;fmt&quot;\n    &quot;math\/big&quot;\n    &quot;time&quot;\n)\n\n\/\/ ---- Helpers ----\n\nfunc mustRSA(bits int) *rsa.PrivateKey {\n    key, err := rsa.GenerateKey(rand.Reader, bits)\n    if err != nil {\n        panic(err)\n    }\n    return key\n}\n\nfunc mustCreateCert(template, parent *x509.Certificate, pub *rsa.PublicKey, parentKey *rsa.PrivateKey) []byte {\n    der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)\n    if err != nil {\n        panic(err)\n    }\n    return der\n}\n\nfunc pemEncodeCert(der []byte) []byte {\n    return pem.EncodeToMemory(&amp;pem.Block{Type: &quot;CERTIFICATE&quot;, Bytes: der})\n}\n\nfunc pemEncodeKey(key *rsa.PrivateKey) []byte {\n    return pem.EncodeToMemory(&amp;pem.Block{Type: &quot;RSA PRIVATE KEY&quot;, Bytes: x509.MarshalPKCS1PrivateKey(key)})\n}\n\nfunc mustSerial() *big.Int {\n    serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))\n    if err != nil {\n        panic(err)\n    }\n    return serial\n}\n\nfunc subjectKeyID(pub *rsa.PublicKey) []byte {\n    spki, _ := x509.MarshalPKIXPublicKey(pub)\n    sum := sha1.Sum(spki)\n    return sum[:]\n}\n\nfunc printPEM(title string, b []byte) {\n    fmt.Printf(&quot;\\n===== %s =====\\n%s\\n&quot;, title, string(b))\n}\n\nfunc days(n int) time.Time { return time.Now().Add(time.Duration(n) * 24 * time.Hour) }\n\n\/\/ ---- Main flow ----\n\nfunc main() {\n    \/\/ 1) \u751f\u6210 Root CA\uff08\u81ea\u7b7e\uff09\n    rootKey := mustRSA(2048)\n    rootTmpl := &amp;x509.Certificate{\n        SerialNumber:          mustSerial(),\n        Subject:               pkix.Name{CommonName: &quot;Demo Root CA&quot;, Organization: []string{&quot;Acme Corp&quot;}},\n        NotBefore:             time.Now().Add(-time.Hour),\n        NotAfter:              days(3650), \/\/ 10 \u5e74\n        KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,\n        ExtKeyUsage:           []x509.ExtKeyUsage{},\n        BasicConstraintsValid: true,\n        IsCA:                  true,\n        MaxPathLen:            2,\n        SubjectKeyId:          subjectKeyID(&amp;rootKey.PublicKey),\n    }\n    rootDER := mustCreateCert(rootTmpl, rootTmpl, &amp;rootKey.PublicKey, rootKey)\n    rootCert, _ := x509.ParseCertificate(rootDER)\n\n    printPEM(&quot;ROOT CA CERT&quot;, pemEncodeCert(rootDER))\n    printPEM(&quot;ROOT CA KEY&quot;, pemEncodeKey(rootKey))\n\n    \/\/ 2) \u751f\u6210 Intermediate CA\uff0c\u7531 Root \u7b7e\u53d1\n    intKey := mustRSA(2048)\n    intTmpl := &amp;x509.Certificate{\n        SerialNumber:          mustSerial(),\n        Subject:               pkix.Name{CommonName: &quot;Demo Intermediate CA&quot;, Organization: []string{&quot;Acme Corp&quot;}},\n        NotBefore:             time.Now().Add(-time.Hour),\n        NotAfter:              days(3650),\n        KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,\n        BasicConstraintsValid: true,\n        IsCA:                  true,\n        MaxPathLen:            1,\n        SubjectKeyId:          subjectKeyID(&amp;intKey.PublicKey),\n        AuthorityKeyId:        rootCert.SubjectKeyId,\n    }\n    intDER := mustCreateCert(intTmpl, rootCert, &amp;intKey.PublicKey, rootKey)\n    intCert, _ := x509.ParseCertificate(intDER)\n\n    printPEM(&quot;INTERMEDIATE CA CERT&quot;, pemEncodeCert(intDER))\n    printPEM(&quot;INTERMEDIATE CA KEY&quot;, pemEncodeKey(intKey))\n\n    \/\/ 3) \u751f\u6210\u670d\u52a1\u5668\u79c1\u94a5\u4e0e CSR\uff08\u5305\u542b SAN\uff09\n    leafKey := mustRSA(2048)\n    csrTmpl := &amp;x509.CertificateRequest{\n        Subject:  pkix.Name{CommonName: &quot;fanyamin.com&quot;, Organization: []string{&quot;Fanyamin Ltd&quot;}},\n        DNSNames: []string{&quot;fanyamin.com&quot;, &quot;www.fanyamin.com&quot;, &quot;api.fanyamin.com&quot;}, \/\/ SAN\n    }\n    csrDER, err := x509.CreateCertificateRequest(rand.Reader, csrTmpl, leafKey)\n    if err != nil {\n        panic(err)\n    }\n    csr, err := x509.ParseCertificateRequest(csrDER)\n    if err != nil {\n        panic(err)\n    }\n    if err := csr.CheckSignature(); err != nil {\n        panic(fmt.Errorf(&quot;CSR signature invalid: %w&quot;, err))\n    }\n    printPEM(&quot;SERVER CSR&quot;, pem.EncodeToMemory(&amp;pem.Block{Type: &quot;CERTIFICATE REQUEST&quot;, Bytes: csrDER}))\n    printPEM(&quot;SERVER KEY&quot;, pemEncodeKey(leafKey))\n\n    \/\/ 4) \u4e2d\u7ea7 CA \u6839\u636e CSR \u7b7e\u53d1\u670d\u52a1\u5668\u8bc1\u4e66\uff08\u670d\u52a1\u5668\u8bc1\u4e66\u4e0d\u662f CA\uff09\n    leafTmpl := &amp;x509.Certificate{\n        SerialNumber:          mustSerial(),\n        Subject:               csr.Subject, \/\/ \u6cbf\u7528 CSR \u4e3b\u9898\n        NotBefore:             time.Now().Add(-time.Hour),\n        NotAfter:              days(825), \/\/ \u7ea6 27 \u4e2a\u6708\uff0c\u7b26\u5408\u5e38\u89c1\u9650\u5236\n        KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,\n        ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},\n        BasicConstraintsValid: true,\n        IsCA:                  false,\n        DNSNames:              csr.DNSNames, \/\/ \u4ece CSR \u6ce8\u5165 SAN\n        SubjectKeyId:          subjectKeyID(&amp;leafKey.PublicKey),\n        AuthorityKeyId:        intCert.SubjectKeyId,\n    }\n    leafDER := mustCreateCert(leafTmpl, intCert, &amp;leafKey.PublicKey, intKey)\n    leafCert, _ := x509.ParseCertificate(leafDER)\n    printPEM(&quot;SERVER CERT&quot;, pemEncodeCert(leafDER))\n\n    \/\/ 5) \u6784\u5efa\u9a8c\u8bc1\u6240\u9700\u7684\u6839\u4e0e\u4e2d\u7ea7\u6c60\uff0c\u5e76\u9a8c\u8bc1\u8bc1\u4e66\u94fe + \u4e3b\u673a\u540d\n    roots := x509.NewCertPool()\n    roots.AddCert(rootCert)\n\n    inters := x509.NewCertPool()\n    inters.AddCert(intCert)\n\n    \/\/ \u9a8c\u8bc1\uff1a\u4e3b\u673a\u540d www.fanyamin.com \u662f\u5426\u88ab\u8bc1\u4e66\u8986\u76d6\uff08SAN \u4e2d\u5305\u542b\uff09\n    if _, err := leafCert.Verify(x509.VerifyOptions{\n        DNSName:       &quot;www.fanyamin.com&quot;,\n        Roots:         roots,\n        Intermediates: inters,\n    }); err != nil {\n        panic(fmt.Errorf(&quot;verify failed (www.fanyamin.com): %w&quot;, err))\n    }\n    fmt.Println(&quot;\u2713 \u8bc1\u4e66\u94fe\u4e0e\u4e3b\u673a\u540d\u9a8c\u8bc1\u901a\u8fc7\uff1awww.fanyamin.com&quot;)\n\n    \/\/ \u6545\u610f\u7528\u4e00\u4e2a\u672a\u5728 SAN \u4e2d\u7684\u4e3b\u673a\u540d\uff0c\u770b\u770b\u5931\u8d25\u60c5\u51b5\n    if _, err := leafCert.Verify(x509.VerifyOptions{\n        DNSName:       &quot;not-in-san.fanyamin.com&quot;,\n        Roots:         roots,\n        Intermediates: inters,\n    }); err != nil {\n        fmt.Println(&quot;\u2717 \u9884\u671f\u7684\u9a8c\u8bc1\u5931\u8d25\uff08\u4e3b\u673a\u540d\u4e0d\u5728 SAN\uff09\uff1a&quot;, err)\n    } else {\n        panic(&quot;unexpected: verification should have failed for not-in-san.fanyamin.com&quot;)\n    }\n\n    \/\/ 6) \u8865\u5145\uff1a\u8bf4\u660e\u6570\u5b57\u7b7e\u540d\u5728\u94fe\u8def\u9a8c\u8bc1\u4e2d\u7684\u4f53\u73b0\n    fmt.Println(&quot;\\n\u8bf4\u660e\uff1a\u4ee5\u4e0a x509.Verify \u5b9e\u9645\u505a\u4e86\u201c\u7528\u4e0a\u7ea7\u8bc1\u4e66\u516c\u94a5\u9a8c\u8bc1\u4e0b\u7ea7\u8bc1\u4e66\u7b7e\u540d\u201d\u7684\u5de5\u4f5c\uff0c&quot;)\n    fmt.Println(&quot;\u5373\uff1aRoot \u516c\u94a5 \u9a8c\u8bc1 Intermediate \u7684\u7b7e\u540d\uff1bIntermediate \u516c\u94a5 \u9a8c\u8bc1 Leaf \u7684\u7b7e\u540d\uff1b&quot;)\n    fmt.Println(&quot;\u518d\u7ed3\u5408 DNSName \u68c0\u67e5 SAN \u4e0e\u8bc1\u4e66\u6709\u6548\u671f\u3001\u7528\u9014\u7b49\u6269\u5c55\uff0c\u6700\u7ec8\u786e\u5b9a\u662f\u5426\u53ef\u4fe1\u3002&quot;)\n}\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>1. Concepts 1) \u5bc6\u94a5\u5bf9\uff08\u79c1\u94a5 &amp; \u516c\u94a5\uff09 What \u79c1\u94a5\uff1a\u53ea\u5c5e\u4e8e\u6301\u6709\u8005\u7684\u79d8\u5bc6\u6570\u636e\uff1b\u7528\u4e8e\u7b7e\u540d\u6216\u89e3\u5bc6\u3002 \u516c\u94a5\uff1a\u53ef\u516c\u5f00\u5206\u53d1\uff1b\u7528\u4e8e\u9a8c\u7b7e\u6216\u52a0\u5bc6\u3002 \u5e38\u89c1\u7b97\u6cd5\uff1aRSA\uff082048\/3072\/4096\uff09\u3001ECDSA\uff08P-256\/384\/521\uff09\u3001Ed25519\uff08\u7b7e\u540d\u53cb\u597d\u3001\u4f53\u79ef\u5c0f\uff09\u3002 Why \u5c06\u201c\u673a\u5bc6\u6027\u201d\u548c\u201c\u8eab\u4efd\/\u5b8c\u6574\u6027\u201d\u5206\u79bb\uff1a\u516c\u5f00\u5206\u53d1\u516c\u94a5\u4e0d\u4f1a\u6cc4\u5bc6\uff1b\u53ea\u6709\u79c1\u94a5\u624d\u80fd\u4ea7\u751f\u53ef\u4fe1\u7b7e\u540d\u3002 \u652f\u6301\u5927\u89c4\u6a21\u3001\u8de8\u7ec4\u7ec7\u7684\u4e92\u8054\u7f51\u4fe1\u4efb\u6a21\u578b\uff08PKI\uff09\u3002 When TLS\/HTTPS\u3001mTLS\u3001JWT \u7b7e\u540d\u3001\u8f6f\u4ef6\u53d1\u5e03\u7b7e\u540d\uff08\u5982\u5bb9\u5668\u955c\u50cf\/\u5305\uff09\u3001SSH \u767b\u5f55\u7b49\u3002 Who \u670d\u52a1\u5668\/\u670d\u52a1\u5b9e\u4f8b\u3001\u53cd\u5411\u4ee3\u7406\u3001\u5ba2\u6237\u7aef\uff08mTLS\uff09\u3001CI\/CD \u7b7e\u540d\u8005\u3001KMS\/HSM \u6258\u7ba1\u65b9\u3001\u5f00\u53d1\u8005\/\u8fd0\u7ef4\u3002 How\uff08\u8981\u70b9 &amp; \u5b9e\u8df5\uff09 \u751f\u6210\u4e0e\u5b58\u653e\uff1a\u4f18\u5148 KMS\/HSM \u6216\u6587\u4ef6\u7cfb\u7edf + \u4e25\u683c\u6743\u9650\uff1b\u907f\u514d\u5c06\u79c1\u94a5\u5199\u5165\u955c\u50cf\u4e0e\u4ee3\u7801\u5e93\u3002 \u7b97\u6cd5\u9009\u62e9\uff1a \u517c\u5bb9\u6027\u4f18\u5148\uff1aRSA-2048\uff1b \u6027\u80fd\u4e0e\u4f53\u79ef\uff1aECDSA P-256\uff1b \u73b0\u4ee3\u7b7e\u540d\uff1aEd25519\uff08\u4f46\u770b TLS\/\u5e93\u517c\u5bb9\u6027\uff09\u3002 \u5907\u4efd\u4e0e\u8f6e\u6362\uff1a\u5b9a\u671f\u8f6e\u6362\uff08\u5982 6\u201312 \u4e2a\u6708\uff09\uff0c\u5e76\u4fdd\u7559\u65e7\u79c1\u94a5\u7528\u4e8e\u5386\u53f2\u6570\u636e\u9a8c\u7b7e\u3002 2) \u6570\u5b57\u7b7e\u540d\uff08Digital Signature\uff09 What \u7528\u79c1\u94a5\u5bf9\u201c\u6570\u636e\u7684\u54c8\u5e0c\u201d\u505a\u7b7e\u540d(\u5373\u7528\u79c1\u94a5\u5bf9\u8fd9\u4e2a\u6458\u8981\u8fdb\u884c\u52a0\u5bc6)\uff0c\u4efb\u4f55\u4eba\u7528\u516c\u94a5\u53ef\u9a8c\u8bc1\u201c\u662f\u8c01\u7b7e\u7684\u3001\u6709\u6ca1\u6709\u88ab\u6539\u201d\u3002 Why \u8bc1\u660e \u8eab\u4efd\uff08\u53ea\u6709\u79c1\u94a5\u6301\u6709\u8005\u80fd\u7b7e\uff09\u3001\u4fdd\u8bc1 \u5b8c\u6574\u6027\uff08\u6570\u636e\u6539\u4e86\u5c31\u9a8c\u4e0d\u8fc7\uff09\u3002 When CA \u7b7e\u53d1\u8bc1\u4e66\uff1bTLS \u63e1\u624b\uff1bJWT\/\u6d88\u606f\/\u5de5\u4ef6\uff08artifact\uff09\u7b7e\u540d\uff1b\u4ee3\u7801\u7b7e\u540d\u3002 Who \u7b7e\u540d\u8005\uff1a\u6301\u79c1\u94a5\u65b9\uff08\u670d\u52a1\u5668\u3001CA\u3001CI\/CD\uff09\u3002 \u9a8c\u7b7e\u8005\uff1a\u6d4f\u89c8\u5668\u3001\u670d\u52a1\u7aef\u3001\u6d88\u8d39\u8005\u3002 How\uff08\u6d41\u7a0b\uff09 [&hellip;] <a class=\"read-more\" href=\"https:\/\/www.fanyamin.com\/wordpress\/?p=2115\" title=\"Permanent Link to: Web Security &#8211; Ceritificate\">&rarr;Read&nbsp;more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-2115","post","type-post","status-publish","format-standard","hentry","category-5"],"_links":{"self":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/2115"}],"collection":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2115"}],"version-history":[{"count":5,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/2115\/revisions"}],"predecessor-version":[{"id":2121,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/2115\/revisions\/2121"}],"wp:attachment":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2115"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2115"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2115"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}