RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
发布日期: 2008年5月
状态: 标准跟踪协议 (Standards Track)
作者: D. Cooper (NIST), S. Santesson (Microsoft), S. Farrell (Trinity College Dublin), S. Boeyen (Entrust), R. Housley (Vigil Security), W. Polk (NIST)
废止: RFC 3280, RFC 4325, RFC 4630
摘要 (Abstract)
本文档为互联网使用定义了X.509 v3证书 (X.509 v3 Certificate) 和X.509 v2证书撤销列表 (Certificate Revocation List, CRL) 的配置文件 (Profile)。本文档提供了该方法和模型的概述作为引言。详细描述了X.509 v3证书格式,并提供了关于互联网名称形式的格式和语义的附加信息。描述了标准证书扩展,并定义了两个互联网特定扩展。规定了一组必需的证书扩展。详细描述了X.509 v2 CRL格式以及标准和互联网特定扩展。描述了X.509证书路径验证算法。在附录中提供了ASN.1模块和示例。
目录 (Table of Contents)
主要章节
- 1. Introduction (简介)
- 2. Requirements and Assumptions (需求和假设)
- 2.1 Communication and Topology (通信和拓扑)
- 2.2 Acceptability Criteria (可接受性标准)
- 2.3 User Expectations (用户期望)
- 2.4 Administrator Expectations (管理员期望)
- 3. Overview of Approach (方法概述)
- 3.1 X.509 Version 3 Certificate (X.509版本3证书)
- 3.2 Certification Paths and Trust (证书路径和信任)
- 3.3 Revocation (撤销)
- 3.4 Operational Protocols (操作协议)
- 3.5 Management Protocols (管理协议)
- 4. Certificate and Certificate Extensions Profile (证书和证书扩展配置)
- 4.1 Basic Certificate Fields (基本证书字段)
- 4.2 Certificate Extensions (证书扩展)
- 5. CRL and CRL Extensions Profile (CRL和CRL扩展配置)
- 5.1 CRL Fields (CRL字段)
- 5.2 CRL Extensions (CRL扩展)
- 5.3 CRL Entry Extensions (CRL条目扩展)
- 6. Certification Path Validation (证书路径验证)
- 6.1 Basic Path Validation (基本路径验证)
- 6.2 Using the Path Validation Algorithm (使用路径验证算法)
- 6.3 CRL Validation (CRL验证)
- 7. Processing Rules for Internationalized Names (国际化名称处理规则)
- 7.1 Internationalized Names in Distinguished Names
- 7.2 Internationalized Domain Names in GeneralName
- 7.3 Internationalized Domain Names in Distinguished Names
- 7.4 Internationalized Resource Identifiers
- 7.5 Internationalized Electronic Mail Addresses
- 8. Security Considerations (安全考虑)
- 9. IANA Considerations (IANA考虑)
- 10. Acknowledgments (致谢)
- 11. References (参考文献)
- 11.1 Normative References (规范性参考文献)
- 11.2 Informative References (信息性参考文献)
附录 (Appendices)
- Appendix A. Pseudo-ASN.1 Structures and OIDs (伪ASN.1结构和OID)
- A.1 Explicitly Tagged Module, 1988 Syntax
- A.2 Implicitly Tagged Module, 1988 Syntax
- Appendix B. ASN.1 Notes (ASN.1说明)
- Appendix C. Examples (示例)
- C.1 RSA Self-Signed Certificate
- C.2 End Entity Certificate Using RSA
- C.3 End Entity Certificate Using DSA
- C.4 Certificate Revocation List
相关资源
- 官方原文: RFC 5280
- 官方页面: RFC 5280 DataTracker
- 勘误表: RFC Editor Errata
- 更新: RFC 6818, RFC 8398, RFC 8399
关键概念速览
什么是X.509证书?
X.509证书是一种数字文档,用于在互联网上证明身份和建立安全通信。它是HTTPS、TLS/SSL、代码签名、电子邮件加密等技术的基础。
核心作用:
- 身份验证: 证明"你是谁"
- 公钥分发: 安全地分发公钥
- 信任链: 通过证书颁发机构 (CA) 建立信任
证书的基本结构
Certificate ::= SEQUENCE {
tbsCertificate TBSCertificate,
signatureAlgorithm AlgorithmIdentifier,
signatureValue BIT STRING
}
主要扩展
- Key Usage (密钥用途): 定义证书公钥的用途
- Extended Key Usage (扩展密钥用途): 更具体的用途说明
- Subject Alternative Name (SAN): 支持多个域名/IP
- Basic Constraints: 标识是否为CA证书
- CRL Distribution Points: 证书撤销列表下载地址
证书撤销
CRL (Certificate Revocation List): 由CA维护的已撤销证书列表
OCSP (Online Certificate Status Protocol): 实时检查证书状态的协议
重要性: RFC 5280是互联网PKI的核心标准,定义了如何使用X.509证书来保护互联网通信。理解本规范对于实现安全的TLS/SSL、代码签名、电子邮件加密等系统至关重要。