In a PKI (Public Key Infrastructure) system, proof of identity and ownership of key pairs must be verified before the issuance of a digital certificate (X.509) using asymmetric cryptography. A request is sent by an applicant to a CA (Certificate Authority) in order to obtain a digital certificate. Once the identity has been authenticated by a CA, the applicant is issued a digital certificate. This also authorizes the applicant as a member of the network or ecosystem. This gives members the rights and privileges to transact, store and share data. The certificate acts as part of the member’s digital identity.

在PKI(公共密钥基础结构)系统中，必须在使用非对称密码术颁发数字证书(X.509)之前验证密钥对的身份和所有权证明。 申请人将请求发送到CA(证书颁发机构)以获取数字证书。 一旦CA验证了身份，便会向申请人颁发数字证书。 这也授权申请人为网络或生态系统的成员。 这赋予成员交易，存储和共享数据的权利和特权。 证书是会员数字身份的一部分 。

A digital identity can represent an individual, organization, application or device through the issuance of a digital certificate. The digital certificate contains verified attributes of that representation, which proves the ownership of that identity. These attributes can also contain data that makes up Personally Identifiable Information (PII). The certificate issued by a CA provides authentication, authorization and trust for the digital identity. This provides a way to secure a system against non-members, so it is a trusted and permissioned system. The certificates must be valid for that particular system or else users will not be granted access to any of its resources.

数字身份可以通过颁发数字证书来代表个人，组织，应用程序或设备。 数字证书包含该表示形式的经过验证的属性，可证明该身份的所有权。 这些属性还可以包含构成个人身份信息(PII)的数据 。 由CA颁发的证书为数字身份提供身份验证，授权和信任。 这提供了一种保护系统免受非成员侵害的方法，因此它是一个受信任和允许的系统。 证书必须对该特定系统有效，否则将不授予用户访问其任何资源的权限。

密钥对生成 (Key Pair Generation)

The process begins with the key pair generation. Generating a key pair creates a private key and a public key. The public key is derived from the private key, and is used to create a public address that is exposed in a user’s digital identity. The public address is also associated with a user’s digital wallet or mailbox in a PKI network. A holder must keep their private key secret, but can share their public address and public key information. Knowing the public key and public address does not reveal the private key to other users.

该过程从生成密钥对开始。 生成密钥对会创建一个私钥和一个公钥 。 公钥是从私钥派生的，用于创建以用户数字身份公开的公网地址。 公共地址还与PKI网络中用户的数字钱包或邮箱关联。 持有人必须将其私钥保密，但可以共享其公共地址和公共密钥信息。 知道公共密钥和公共地址不会将私有密钥透露给其他用户。

The private key is used for signing digital signatures which prove the ownership or identity of the user on the network. It is also used for decrypting messages sent to a user, which used their public key for encrypting the message. This is unique, and if a user loses their private key they will not be able to sign or decrypt messages. A private key can also be stolen and used maliciously by hackers to steal data, so it is very important to store it safely.

私钥用于签署数字签名，以证明网络上用户的所有权或身份。 它也用于解密发送给用户的消息，该消息使用其公钥对消息进行加密。 这是唯一的，如果用户丢失了其私钥，他们将无法签名或解密消息。 私钥也可能被黑客窃取并被黑客恶意用来窃取数据，因此安全存储它非常重要。

OpenSSL using the genrsa command generates an RSA private key file. In the example below (for Linux and Mac), a private key is generated using the RSA encryption algorithm using a 2048-bit key length. The key is saved to a file <name>.key on your current working directory.

OpenSSL使用genrsa命令生成RSA私钥文件 。 在以下示例(对于Linux和Mac)中，使用RSA加密算法使用2048位密钥长度生成私钥。 密钥将保存到当前工作目录中的文件<name> .key中。

$ openssl genrsa -out <name>.key 2048

签署要求 (Signing Request)

The next step requires the CSR (Certificate Signing Request) by an applicant. The information contained in a CSR are data attributes about the user which are labeled under DN (Distinguished Names). This can include the user’s name, e-mail address, town or city, country and organizational unit. The data stored in the CSR must be signed by the applicant’s private key and should also contain their public key information. If the CA receiving the CSR requires more information it must also be included with the request.

下一步需要申请人提供CSR(证书签名请求) 。 CSR中包含的信息是在DN(专有名称)下标记的有关用户的数据属性。 这可以包括用户的姓名，电子邮件地址，城镇或城市，国家和组织单位。 CSR中存储的数据必须由申请人的私钥签名，并且还应包含其公钥信息。 如果接收CSR的CA需要更多信息，则它也必须包含在请求中。

There are 3 main parts to a request:

请求包括三个主要部分：

1. Certification Request Information — The user’s data and public key (ASN.1 CertificationRequestInfo)

   认证请求信息 —用户数据和公钥(ASN.1 CertificationRequestInfo)

2. Signature Algorithm Identifier — Identifies the type of signature algorithm used (signatureAlgorithm e.g. RSA, ECDSA, DSA)

   签名算法标识符 -标识所使用的签名算法的类型( signatureAlgorithm，例如RSA，ECDSA，DSA)

3. Digital Signature — Proves the ownership to the public key in the request.

   数字签名 -在请求中证明对公钥的所有权。

The most common format used for encoding a CSR is PKCS (Public Key Cryptography Standards) #10. When the CA receives the request it parses the data and validates the applicant as the owner of the public key based on their digital signature. After a process by the CA verifies the authenticity of the applicant, the CA then issues a certificate to the user which is signed by the CA’s own digital signature.

用于编码CSR的最常见格式是PKCS(公钥密码标准)＃10 。 CA收到请求后，将解析数据并根据其数字签名验证申请人为公钥的所有者。 在由CA进行的过程验证申请人的真实性之后，CA随后向用户颁发由CA自己的数字签名签名的证书。

The following is an example CSR creation:

以下是创建CSR的示例：

$ openssl req -new -key <name>.key -out <name_of_csr>.csr -subj "/CN=<username>/O=<organization_name>"

In the CSR, we send the request using a user private key to generate a “.csr” file with the “-subj” parameter that defines a CN (Common Name) and O (Organization).

在CSR中，我们使用用户私钥发送请求，以生成带有“ -subj”参数的“ .csr”文件，该文件定义了CN(公用名)和O(组织) 。

The following is an example of the contents in a CSR file:

以下是CSR文件中内容的示例：

-----BEGIN CERTIFICATE REQUEST-----MIICaTCCAVECAQAwJDEQMA4GA1UEAwwHc3R1ZGVudDEQMA4GA1UECgwHbGVkcm5lcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPEIHprZ4FSG7Km0Cj+Sn22hUTRqibiQxsJSRAfwh3dukdclVqxZ7zne0E8oLcgilWOKl9zbgQAhwqTYAvSmxoyQvG5Uzdv7dsRzKiQH3LHCJT26OXV9g7rAg4WlGwuH85XUwPb2F6006ZYB1T6FPhj3o0UOoBMlZUq8m6xLA9RY3LDGk6K0wdIFV+7Y7DpAEVxaT3wjSpRGAutuh3j7icHtbG6NprKNpBRqm6L5MA42Ti070rQaYAbt28H8ipGA9kWnHSwizkZqhJbrs3f0Ag8o3i0z4ZF/n4QDnF90l+lNVniJGQ75ldJ36beCGm9c5w1R152gkk01lLBTGhBiAs8CAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQBChMWmkg01nsushpr6gkBHb8MMXL0ASxSNmLC2WGnLHSNtDfYrHW1ofBQZZyNEllUeTKkTQpebWZrtzSpme8qWaGe1XCjnhlMKYYpD4mz8kv0hW+h6WgDWxq+HfzX2WXLySH8ecwJdlrwG8EutVzi7c/zZSwGxZdfOsRr8KfCtZtlBm4pOnG7i9oegimQ8eVDkhi7ZC4Blw1xX6Pzdgl+HWk4ioA22nqrUAeAbnNe/N5nD4vT++pQnZ8PQcLm3JGfJaZ+Mes09rDw00buWz+GL+ZKeRjweiEtLvMN4DCz7inCZ7xIhZOftF5LsS/uCZF0RayNb3DgDQopFKlJnmX1g-----END CERTIFICATE REQUEST-----

编码和发送请求 (Encoding And Sending Request)

Before sending the CSR, it can be encoded in Base64. Some CA servers do not require this, allowing applicants to send the CSR request by copy and pasting it (enclosed in the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST) to a web-based form. The CSR can be viewed and output to “base64” encoding.

发送CSR之前，可以在Base64中对其进行编码。 某些CA服务器不需要这样做，允许申请人通过复制和粘贴CSR请求(包含在BEGIN CERTIFICATE REQUEST和END CERTIFICATE REQUEST中 )将其发送到基于Web的形式。 可以查看CSR并将其输出为“ base64”编码。

$ cat student.csr | base64 | tr -d '\n'

The result will then look like the following:

结果将如下所示：

LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2FUQ0NBVkVDQVFBd0pERVFNQTRHQTFVRUF3d0hjM1IxWkdWdWRERVFNQTSHQTFVRUNnd0hiR1ZoY201bApjakNDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFQRUlIcHJaNEZTRzdLbTBDaitTCm4yMmhVVFJxaWJpUXhzSlNSQWZ3aDNkdWtkY2xWcXhaN3puZTBFOG9MY2dpbFdPS2w5emJnUUFod3FUWUF2U20KeG95UXZHNVV6ZHY5ZHNSektpUUgzTEhDSlQyNk9YVjlnN3JBvTRXbEd3dUg4NVhVd1BiMkY2MDA2WllCMVQ2RgpQaGozbzBVT29CTWxaVXE4bTZ4TEE5UlkzTERHazZLMHdkSUZWKzdZN0RwQUVWeGFUM3dqU3BSR0F1dHVoM2o3CmljSHRiRzhOcHJLTnBCUnFtNkw1TUE0MlRpMDcwclFhWUFidDI4SDhpcEdBOWtXbkhTd2l6a1pxaEpicnMzZjAKQWc4bzNpMHo0WkYvbjRRRG5GOTBsg2xOVm5pSkdRNzVsZEozNmJlQ0dtOWM1dzFSMTUyZ2trMDFsTEJUR2hCaQpBczhDQXdFQUFhQUFNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUJDaE1XbWtnMDJuc3VzaHByNmdrQkhiOE1NClhMMEFTeFNObUxDMldHbkxIU050RGZZckhXMW9mQlFaWnlORWxsVWVUS2tUUXBlYldacnR6U3vtZThxV2FHZTEKWENqbmhsTUtZWXBENG16OGt2MGhXk2g2V2dEV3hxK0hmelgyV1hMeVNIOGVjd0pkbHJ3RzhFdXRWemk3Yy96WgpTd0d4WmRmT3NScjhLZkN0WnRsQm00cE9uRzdpOW9lZ2ltUThlVkRrSGk3WkM0Qmx3MXhYNlB6ZGdsK0hXazRpCm9BMjJucXJVQWVBYm5OZS9ONW5ENHZUKytwUW5aOFBRY0xtM0pHZkphWitNZXMwOXJEdzAwYnVXeitHTCtaS2UKUmp3ZWlFdEx2TU40REN6N2luQ1o3eEloWk9mdEY1THNTL3VDWkYwUmF5TmIzRGdEUW9wRktsSm5tWDFFCi0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=

A YAML file can be created with an encoded certificate request into the “request” field. This creates a certificate signing request object to be sent to the CA server. There is no one template for creating a YAML file. It will depend on what you are requesting from the CA server.

可以使用“请求”字段中的编码证书请求来创建YAML文件。 这将创建一个证书签名请求对象，该对象将被发送到CA服务器。 没有用于创建YAML文件的模板。 这将取决于您从CA服务器请求的内容。

request: <assign the encoded value here>

However way you sent the request, by YAML or via a web form, when the CA server receives the request it will parse the data to perform an integrity check. Once the CA verifies the digital signature and public key, it then authenticates the applicant. The CA then issues a digital certificate to the user that is signed with the digital signature of the CA server.

无论您通过YAML还是通过Web表单发送请求的方式，当CA服务器接收到请求时，它将解析数据以执行完整性检查。 CA验证了数字签名和公共密钥后，便会对申请人进行身份验证。 然后，CA向使用CA服务器的数字签名签名的用户颁发数字证书。

应用领域 (Applications)

Digital certificates are issued by CA servers for different purposes. It can be to issue or renew an SSL certificate for a public web server. It can also be used for authenticating digital identities used in a permissioned network that must verify a user’s identity. When it comes to e-mail encryption, e-signatures and code signing the digital certificate is authenticating a user. For TLS/SSL the authentication is for web servers or other devices. The PKI provides the system to create, store and distribute digital certificates for authentication on a network.

数字证书由CA服务器颁发，用于不同目的。 可以为公共Web服务器颁发或更新SSL证书。 它还可以用于认证必须验证用户身份的许可网络中使用的数字身份。 当涉及到电子邮件加密时 ，数字证书的电子签名和代码签名正在验证用户身份。 对于TLS / SSL，身份验证适用于Web服务器或其他设备。 PKI提供了用于创建，存储和分发数字证书以在网络上进行身份验证的系统。