Question
I have a personal, CA issued digital certificate.
How do I make sub-certificates that I will sign with this trusted one?
So the chain would look like this: VeriSign <- Local CA <- ME <- [ Laptop 1, Laptop 2 ]
Answer 1:
To use your certificate to sign a certificate, your certificate must have the X.509 Basic Constraints extension.
The reason for this is that a certificate is fundamentally a form of identification, and to issue an ID you need to be accredited, so that everybody knows that you're not issuing certificates to random people/servers without checking the identity of those people/servers. This would allow you to perform MITM attacks on HTTPS traffic whenever you felt like it (just issue a cert for the domain and away you go).
Yes, you could be revoked once people saw you doing it, but revocation in PKI isn't perfect, for two main reasons. Firstly, it could take ages for anybody to realise that you're issuing random certs, because nothing would look wrong (ignoring certificate pinning, because not all browsers do that). Secondly, even after it's revoked, most browsers fail soft on revocation information (which means that if they can't reach CRLs/OCSP they assume that the cert is fine), and therefore you could just DoS somebody.
You will have to roll your own CA to issue certs, and if you want them to be trusted outside of your private domain you will have to follow strict rules about the certificates you issue and undergo regular audits to ensure you are following those rules. If you just want them trusted in a private domain, then you don't even need to talk to another CA; you can just install your CA into the trust store of that domain (or onto the individual computers in the domain, depending on your setup).
Answer 2:
You cannot make sub-certificates, because certificates can be created by Certification Authorities only. The X.509v3 PKIX profile defines the Basic Constraints certificate extension, which specifies the certificate owner type: CA or end entity. The absence of the extension, or Subject Type = End Entity, means that you are not a CA and are not allowed to sign other certificates.
P.S. Technically you can sign other certificates; however, these certificates will never pass chain validation logic and will be rejected permanently.
Though, you can purchase a qualified CA certificate from a commercial CA; this process is called Certification Authority Root Signing: http://social.technet.microsoft.com/wiki/contents/articles/5973.certification-authority-root-signing.aspx
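Both answers make the same point: a key can produce a valid signature over any certificate, but path validation refuses to treat a certificate with Basic Constraints cA=false (or no Basic Constraints at all) as an issuer, so a chain through a personal certificate is rejected. The following Go program, added here as an illustration and not taken from the question or either answer, builds the chain from the question (a self-signed "Local CA" stands in for the trust anchor; the VeriSign level is omitted) with Go's standard `crypto/x509`. It issues "Laptop 1" from "ME" twice: once with ME as an ordinary end-entity certificate, which fails both full path validation and the single-link `CheckSignatureFrom`, and once with ME as a subordinate CA (the "CA root signing" case Answer 2 mentions), which passes. Subject names, serial numbers and validity periods are made up for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a fresh P-256 key; each party in the demo chain gets its own.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// newTemplate builds a minimal X.509v3 template. BasicConstraintsValid makes the
// Basic Constraints extension present; isCA sets its cA flag (and keyCertSign).
func newTemplate(serial int64, cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial), // demo values, not real serials
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// sign issues a certificate for template under parent, using parent's key.
// Go signs happily even when the parent is not a CA: it is the verifier,
// not the signer, that enforces Basic Constraints.
func sign(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, pub *ecdsa.PublicKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Chain is the question's picture: Local CA <- ME <- Laptop 1.
type Chain struct {
	Root, Me, Laptop *x509.Certificate
}

// BuildChain issues the three certificates. meIsCA=false models a personal
// end-entity certificate; meIsCA=true models a subordinate CA certificate.
func BuildChain(meIsCA bool) Chain {
	rootKey, meKey, laptopKey := newKey(), newKey(), newKey()

	rootTmpl := newTemplate(1, "Local CA", true)
	root := sign(rootTmpl, rootTmpl, rootKey, &rootKey.PublicKey) // self-signed anchor
	me := sign(newTemplate(2, "ME", meIsCA), root, rootKey, &meKey.PublicKey)

	// The step the question asks about: ME signs a certificate for Laptop 1.
	laptop := sign(newTemplate(3, "Laptop 1", false), me, meKey, &laptopKey.PublicKey)
	return Chain{Root: root, Me: me, Laptop: laptop}
}

// Verify runs path validation on the laptop certificate, trusting only the
// Local CA and offering ME as the intermediate, as a TLS client would.
func (c Chain) Verify() error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inter.AddCert(c.Me)
	_, err := c.Laptop.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inter,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// SignatureFromMe checks only the single issuer link Laptop <- ME. The ECDSA
// signature itself is valid either way; with cA=false on ME the check still
// fails, because RFC 5280 forbids using a non-CA key to verify certificates.
func (c Chain) SignatureFromMe() error {
	return c.Laptop.CheckSignatureFrom(c.Me)
}

func main() {
	for _, isCA := range []bool{false, true} {
		c := BuildChain(isCA)
		fmt.Printf("ME cA=%v: path validation -> %v; issuer link -> %v\n",
			isCA, c.Verify(), c.SignatureFromMe())
	}
}
```

Running it prints a "not authorized to sign other certificates" style failure for the cA=false case and `<nil>` for both checks once ME carries cA=true and keyCertSign; the laptop certificate's bytes differ only in which ME signed them, which is exactly the "technically you can sign, but it will never validate" point from Answer 2.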
Source: https://stackoverflow.com/questions/32013515/how-to-create-a-sub-personal-digital-certificate