The client needs to check two things about the certificate of the HTTPS site it is trying to contact:
- It must check that the certificate is genuine, issued by a trusted authority (and valid for this purpose). This is the PKI model, specified in RFC 5280.
- It must check that the certificate was issued to the entity it is trying to contact. This is the host name verification, specified in RFC 2818 Section 3.1 (and later in RFC 6125).
The PKI verification is handled by configuring the client with a set of trust anchors (trusted CA certificates). If your certificate is issued by a CA your client already trusts, you don't need to do anything. If you have to install the CA certificate, make sure it is also available in the machine store (not just the user store), since your application may run as a service (and not as a specific user).
The identity verification relies on the identity you're trying to contact (host name or IP address) and the identity to which the certificate has been issued. They must match. The rules are in RFC 2818 Section 3.1, in particular:
If a subjectAltName extension of type dNSName is present, that MUST
be used as the identity. Otherwise, the (most specific) Common Name
field in the Subject field of the certificate MUST be used. Although
the use of the Common Name is existing practice, it is deprecated and
Certification Authorities are encouraged to use the dNSName instead.
[......]
In some cases, the URI is specified as an IP address rather than a
hostname. In this case, the iPAddress subjectAltName must be present
in the certificate and must exactly match the IP in the URI.
Your server may respond to multiple host names and IP addresses internally, for example www.example.com, 192.168.1.100, localhost, 127.0.0.1. Your certificate must be valid for the host name/IP address you're using to contact it.
Certificates issued to `localhost` or `127.0.0.1` rarely make sense, so I doubt you have such a certificate, and for that reason you should not configure your client to use `https://localhost/...`. It is possible to get a certificate for `192.168.1.100`, but it would have to have an IP (not DNS) Subject Alternative Name for that address. (Given that it is a private address, this is unlikely.)
It's possible that you need to configure your service to use the visible host name (the one for which your certificate was probably issued): www.example.com (or whatever it is). There might be problems if you're hosting this service behind a reverse NAT.
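As an added example (my own code, not part of the answer above or of any library), here is the identity check the answer describes, implemented over the RFC 2818 Section 3.1 rules quoted earlier: an IP-literal target requires an exact iPAddress SAN match, a dNSName SAN takes precedence over the Common Name, and the Common Name is only consulted when the certificate carries no dNSName at all. The certificate is represented in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, so a real peer certificate can be fed in; the three sample certificates are constructed for illustration. Wildcard handling is a simplification of RFC 6125 (a `*` is accepted only as the whole leftmost label).

```python
"""Host name verification per RFC 2818 section 3.1 / RFC 6125.

Added example, not code from the answer above. Certificates use the
dict shape returned by ssl.SSLSocket.getpeercert(): 'subject' is a
tuple of RDNs, 'subjectAltName' a tuple of (type, value) pairs with
types 'DNS' and 'IP Address'.
"""
import ipaddress


class CertificateError(ValueError):
    """Raised when the certificate was not issued for the requested identity."""


def _dns_name_matches(pattern, hostname):
    """Match one dNSName (optionally with a whole-label leftmost wildcard)
    against a host name, case-insensitively. Simplified RFC 6125 6.4.3."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # '*' must be the entire leftmost label, must cover at least two
    # further labels (no '*.com'), and matches exactly one label.
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def match_hostname(cert, target):
    """Return the certificate identity that matches `target` (a host name
    or IP literal), or raise CertificateError."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]

    # RFC 2818: URI with an IP literal -> an iPAddress SAN must be
    # present and match exactly. The Common Name is never consulted.
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None
    if target_ip is not None:
        for ip in ip_names:
            try:
                if ipaddress.ip_address(ip) == target_ip:
                    return ip
            except ValueError:
                continue  # malformed SAN entry; ignore it
        raise CertificateError(
            "no iPAddress subjectAltName matches %s (found %s)" % (target, ip_names))

    # RFC 2818: if any dNSName SAN is present it MUST be used, so the
    # Common Name is ignored even when it would have matched.
    if dns_names:
        for name in dns_names:
            if _dns_name_matches(name, target):
                return name
        raise CertificateError(
            "host name %r matches none of the dNSNames %s" % (target, dns_names))

    # Deprecated fallback: the (most specific, i.e. last) Common Name.
    common_names = [v for rdn in cert.get("subject", ())
                    for k, v in rdn if k == "commonName"]
    if common_names and _dns_name_matches(common_names[-1], target):
        return common_names[-1]
    raise CertificateError(
        "host name %r matches neither a dNSName SAN nor CN %s" % (target, common_names))


def check(cert, target):
    """True if `cert` is valid for `target`, False otherwise."""
    try:
        match_hostname(cert, target)
        return True
    except CertificateError:
        return False


# Constructed sample certificates (not real ones), getpeercert() shape.
PUBLIC_CERT = {  # the usual public certificate: CN plus dNSName SANs
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
LEGACY_CN_ONLY_CERT = {  # old-style certificate with no SAN at all
    "subject": ((("organizationName", "Example"),), (("commonName", "www.example.com"),)),
}
INTERNAL_CERT = {  # wildcard dNSName plus an iPAddress SAN for a private IP
    "subject": ((("commonName", "internal"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("IP Address", "192.168.1.100")),
}

if __name__ == "__main__":
    for label, cert in [("public", PUBLIC_CERT), ("cn-only", LEGACY_CN_ONLY_CERT),
                        ("internal", INTERNAL_CERT)]:
        for target in ["www.example.com", "192.168.1.100", "localhost", "127.0.0.1"]:
            print("%-9s %-16s %s" % (label, target, check(cert, target)))
```

Run against the four identities from the answer, only `www.example.com` passes for the public certificate; `localhost` and `127.0.0.1` fail for every certificate, and `192.168.1.100` passes only for the certificate that carries it as an iPAddress SAN.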