数字证书中签名和指纹的区别
2019-08-27 13:37 雨林 阅读(3381) 评论(1) 编辑 收藏 举报签名和指纹都是数字证书的标识,二者有什么区别呢? 国内没有人解释清楚了这个问题
下面是老外给的答案:
签名和指纹完全是两码事。对于证书的强度拇指指纹是无关的,但签名是相关的。
证书的签名是颁发者通过签名证书创建的东西。TLS堆栈(浏览器内部)使用此签名来验证信任链。这里使用一个强大的算法很重要,这样就没有人可以创建一个假证书,它看起来像是由受信任的颁发者(CA)签名的。
指纹只是证书上的散列。主要用于人工接收,检查证书是否为预定证书,比如 打电话给 CA认证机构 并说出指纹进行核对。 浏览器是通过签名来验证证书的有效性的,浏览器不会关注指纹。
或者通常用于自签名证书,因为没有可信的颁发者,所以浏览器不能自己验证证书,所以用户应该根据预期手动验证证书。
signature and thumbprint are totally different things. For strength of the certificate thumbprint is irrelevant but signature is relevant.
The signature of a certificate is the thing the issuer creates by signing the certificate. This signature is used by the TLS stack (inside the browser) to validate the trust chain. It is important to use a strong algorithm here so that nobody can create a fake certificate which looks like it was signed by a trusted issuer (CA).
The thumbprint is just a hash over the certificate. It is mainly intended for human reception, i.e. check that the certificate is the intended one. This is usually used with self-signed certificates where the browser can not validate the certificate by itself since there is no trusted issuer and so the user should verify the certificate manually against the expected one.
A certificate has only a single signature since it has only a single issuer. But you often find multiple thumbprints for the certificate, i.e. one with MD5, one with SHA-1 and one with SHA-256. This is because the browser does not know which one you got for manual verification and that's why it offers you the most common versions.
What will be the identification of my certicate SHA1/SHA2?
The identification is the certificate itself, i.e. neither the signature not the thumbprint. But if you mean the "this certificate was signed with ...." part than this is SHA-256 in your case since what counts is the signature and not some thumbprint.
https://www.thesslstore.com/blog/ssl-certificate-still-sha-1-thumbprint/
