Difference between ca and cert
I am trying to use the Node https API to set up an https server, and in the API documentation there are two parameters that confuse me.
ca:
Optionally override the trusted CA certificates. Default is to trust the well-known CAs curated by Mozilla. Mozilla's CAs are completely replaced when CAs are explicitly specified using this option. The value can be a string or Buffer, or an Array of strings and/or Buffers. Any string or Buffer can contain multiple PEM CAs concatenated together. The peer's certificate must be chainable to a CA trusted by the server for the connection to be authenticated. When using certificates that are not chainable to a well-known CA, the certificate's CA must be explicitly specified as a trusted or the connection will fail to authenticate. If the peer uses a certificate that doesn't match or chain to one of the default CAs, use the ca option to provide a CA certificate that the peer's certificate can match or chain to. For self-signed certificates, the certificate is its own CA, and must be provided. For PEM encoded certificates, supported types are "TRUSTED CERTIFICATE", "X509 CERTIFICATE", and "CERTIFICATE".
cert:
Cert chains in PEM format. One cert chain should be provided per private key. Each cert chain should consist of the PEM formatted certificate for a provided private key, followed by the PEM formatted intermediate certificates (if any), in order, and not including the root CA (the root CA must be pre-known to the peer, see ca). When providing multiple cert chains, they do not have to be in the same order as their private keys in key. If the intermediate certificates are not provided, the peer will not be able to validate the certificate, and the handshake will fail.
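What is the difference between them? As I understand it, an https system has only one client pem and one key pem. Why is anything more needed, such as ca and cert?
I generated the pem files via certbot, which produced four files: cert.pem, chain.pem, fullchain.pem and privkey.pem. What is the difference between cert.pem, chain.pem and fullchain.pem?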
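The ca is the issuer of the cert. So when I trust the ca but don't know your cert, I can still trust it, because it was issued (signed) by a trusted source.
> I generated the pem via certbot; four files were generated

Can you post the files, except privkey.pem, which should be private?
> What is the difference between cert.pem, chain.pem and fullchain.pem?

Usually it is like this:
- cert.pem contains the certificate: the public key and metadata (issuer, serial number, subject, SAN, attributes and extensions).
- privkey.pem contains the private key of your certificate.
- chain.pem contains your certificate and its issuer; there may be more instances in the chain, e.g. Root CA -> Sub CA -> your certificate.
- fullchain.pem contains your certificate and all CAs up to the root CA.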
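
How the two quoted options divide the work, as an added example that is not code from the Node.js documentation or from either poster: `cert` carries the server's own chain that is sent to the peer, while `ca` is the trust store used to verify the peer (on a server, the certificates that clients present). The helper names (`splitPem`, `certsOnly`, `buildServerOptions`), the sample blocks and the Certbot file mapping in the final comment are assumptions of this example.

```javascript
// Added example (not from the Node.js docs): map PEM material onto key / cert / ca.
const PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----[\s\S]*?-----END \1-----/g;
// Certificate labels the documentation quoted above lists as supported.
const CERT_LABELS = new Set(['CERTIFICATE', 'X509 CERTIFICATE', 'TRUSTED CERTIFICATE']);

// Split a concatenated PEM bundle into { label, pem } blocks, in file order.
function splitPem(bundle) {
  return [...String(bundle).matchAll(PEM_BLOCK)]
    .map((m) => ({ label: m[1], pem: m[0] + '\n' }));
}

// Return the certificate blocks of a bundle, rejecting anything else (e.g. a key).
function certsOnly(bundle, option) {
  const blocks = splitPem(bundle);
  if (blocks.length === 0) throw new Error(`${option}: no PEM certificate found`);
  for (const b of blocks) {
    if (!CERT_LABELS.has(b.label)) throw new Error(`${option}: unexpected "${b.label}" block`);
  }
  return blocks.map((b) => b.pem);
}

// serverChain: this server's certificate followed by its intermediates (no root).
// clientCaBundle (optional): CAs that certificates presented by clients must chain to.
function buildServerOptions({ privateKey, serverChain, clientCaBundle }) {
  const keys = splitPem(privateKey);
  if (keys.length !== 1 || !keys[0].label.endsWith('PRIVATE KEY')) {
    throw new Error('key: expected exactly one private key block');
  }
  const options = { key: keys[0].pem, cert: certsOnly(serverChain, 'cert').join('') };
  if (clientCaBundle !== undefined) {
    options.ca = certsOnly(clientCaBundle, 'ca'); // replaces the default trust store
    options.requestCert = true;                   // ask clients for a certificate
    options.rejectUnauthorized = true;            // refuse clients that do not verify
  }
  return options;
}

// Constructed placeholder blocks: correct PEM framing, but not real certificates or keys.
const fakePem = (label, tag) =>
  `-----BEGIN ${label}-----\n${Buffer.from(tag).toString('base64')}\n-----END ${label}-----\n`;
const sampleKey = fakePem('PRIVATE KEY', 'constructed key');
const sampleChain = fakePem('CERTIFICATE', 'leaf') + fakePem('CERTIFICATE', 'intermediate');
const sampleClientCa = fakePem('CERTIFICATE', 'private client CA');

// With real files: https.createServer(buildServerOptions({...}), handler), where
// privateKey is Certbot's privkey.pem and serverChain is its fullchain.pem.
```

A plain HTTPS server that does not authenticate clients needs only `key` and `cert`; leaving `ca` unset keeps the default trust store.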