Tls

Is the common name encoded in the certificate?

  • February 20, 2012

When I build a certificate like this

cd /etc/openvpn/easy-rsa/2.0/
source ./vars
. /etc/openvpn/easy-rsa/2.0/build-key client1

then the commonName is set to client1.

When I ask the OpenVPN server what the commonName of the connected user is, can I trust that the user has not changed his identity by changing the commonName in the certificate?

Update

I have tried changing all of the plaintext in the crt files on both the client and the server, but the certificate is still valid and the OpenVPN server still shows the correct commonName and Subject.

The certificate is still valid even though I changed all of the plaintext. For security reasons I have removed the actual certificate.

If the commonName and Subject are not taken from the plaintext, then where does OpenVPN get them from?

Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number: 5 (0x5)
       Signature Algorithm: sha1WithRSAEncryption
       Issuer: C=X, ST=X, L=X, O=X, OU=X, CN=X CA/name=X/emailAddress=X@X.X
       Validity
           Not Before: Jan 12 12:53:47 2012 GMT
           Not After : Apr 11 12:53:47 2012 GMT
       Subject: C=X, ST=X, L=X, O=X, OU=X, CN=X/emailAddress=X@X.X
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
           RSA Public Key: (1024 bit)
               Modulus (1024 bit):
                   00:a5:40:a0:e4:44:3e:27:4c:13:69:03:a7:c3:38:
                   4f:dc:43:dc:fb:f5:43:c8:5b:50:8b:7f:0d:f4:d8:
                   30:00:e0:e3:f7:75:1c:3b:e2:08:95:8e:31:cf:a7:
                   6f:e2:94:f4:4d:7c:c4:11:a9:a5:84:1b:95:2b:9a:
                   93:da:ad:34:ae:df:5d:9d:0a:18:b3:df:86:c1:f6:
                   fb:fe:d8:16:64:a9:bf:91:51:8a:54:ba:26:5a:b4:
                   6a:88:c3:52:a7:fa:86:39:08:20:c1:53:3d:f3:12:
                   e1:50:37:11:16:db:99:53:02:82:6f:a0:05:9f:23:
                   ff:bf:79:93:1c:ef:1e:4e:31
               Exponent: 65537 (0x10001)
       X509v3 extensions:
           X509v3 Basic Constraints: 
               CA:FALSE
           Netscape Comment: 
               Easy-RSA Generated Certificate
           X509v3 Subject Key Identifier: 
               89:E7:7A:9B:1F:72:15:91:BD:D0:F4:67:A8:A1:C3:E0:0D:B1:3A:B3
           X509v3 Authority Key Identifier: 
               keyid:75:A6:F1:68:88:53:F5:9B:14:4A:67:00:0B:58:7C:38:1C:A0:A1:F8
               DirName:/C=X/ST=X/L=X/O=X/OU=X/CN=X CA/name=X/emailAddress=X@X.X
               serial:80:D1:56:33:4C:5D:6D:57

           X509v3 Extended Key Usage: 
               TLS Web Client Authentication
           X509v3 Key Usage: 
               Digital Signature
   Signature Algorithm: sha1WithRSAEncryption
       9c:a5:2b:a8:cf:86:60:90:f3:45:80:78:30:89:6a:56:cc:09:
       e8:a4:75:25:af:04:52:8f:15:7b:cd:87:94:f3:c4:2f:99:3f:
       b5:51:f7:e1:de:96:92:ae:0a:77:9e:1f:fb:8a:c3:de:84:3c:
       bb:4f:7f:f1:67:af:0c:1e:b0:90:2c:de:63:f8:47:89:f5:7b:
       57:fe:e4:8d:1d:1e:62:19:27:99:83:99:9f:4d:08:ef:b6:b4:
       7d:56:5d:ca:39:fd:1c:f3:15:6a:da:bc:51:ca:ad:59:7c:af:
       77:72:3c:ca:e7:dc:74:bc:c0:de:2e:f7:b2:27:1b:a7:ae:02:
       0f:9c
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

The plaintext at the beginning of the crt file is for reference only. All it does is present, in human-readable form, the contents of the Base64-encoded certificate that follows it. Most PKI software ignores this informational text.

The "Common Name" is part of the X.500 name, called the "SubjectDN" here, which identifies the owner of the public key contained in the certificate. That name is part of the certificate, within the portion covered by the signature; it is therefore as trustworthy as any other element of the certificate.

Quoted from: https://crypto.stackexchange.com/questions/1836
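As an added illustration of the answer's point (this is not code from the question, the answer, or easy-rsa), the script below builds a throwaway CA and a client certificate with CN=client1, then shows that a misleading human-readable header changes nothing, while altering the CN inside the DER body is caught because the signature no longer verifies. It assumes the openssl command-line tool is installed; every key, name and file is constructed here.

```shell
#!/bin/sh
# Added demonstration (not from the question, the answer or easy-rsa).
# Assumes the openssl CLI is installed; every key, name and file below is constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA and a client certificate with CN=client1 signed by it.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client1" \
  -keyout "$WORK/client1.key" -out "$WORK/client1.csr" >/dev/null 2>&1
openssl x509 -req -days 2 -in "$WORK/client1.csr" -CA "$WORK/ca.crt" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/client1.crt" >/dev/null 2>&1

# Case 1: the informational text above the PEM block claims a different identity.
{ printf 'Certificate:\n    Subject: CN=admin\n'; cat "$WORK/client1.crt"; } \
  > "$WORK/lying-text.crt"

# Case 2: the CN bytes inside the DER body are changed (same length, so the
# ASN.1 structure still parses) and the result is re-wrapped as PEM.
openssl x509 -in "$WORK/client1.crt" -outform DER \
  | LC_ALL=C sed 's/client1/client2/' \
  | openssl x509 -inform DER -out "$WORK/tampered-der.crt"

# CN as an X.509 parser sees it: taken from the DER body, header text ignored.
cn_of() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# "valid" if the certificate still verifies under the CA, otherwise "invalid".
chain_status() {
  if openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then
    echo valid
  else
    echo invalid
  fi
}

main() {
  for f in client1 lying-text tampered-der; do
    printf '%-13s CN=%-8s chain: %s\n' \
      "$f" "$(cn_of "$WORK/$f.crt")" "$(chain_status "$WORK/$f.crt")"
  done
}
main
```

The output is three lines: client1 and lying-text both report CN=client1 with chain: valid, while tampered-der reports CN=client2 with chain: invalid.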