Here are the definitions from RFC 5280 (Section 3.2):

Self-issued certificates are CA certificates in which
the issuer and subject are the same entity. Self-issued certificates
are generated to support changes in policy or operations. Self-
signed certificates are self-issued certificates where the digital
signature may be verified by the public key bound into the
certificate. Self-signed certificates are used to convey a public
key for use to begin certification paths.

So yes, by definition, since a self-signed certificate is a particular kind of self-issued certificate, its Issuer DN must match its Subject DN.

(Whether this Subject DN needs to be in the CSR is a different matter, since (a) the CA has no obligation whatsoever to keep the exact Subject DN when turning a CSR into a certificate (in fact, they should check everything they put into the certificate by another means) and (b) the steps for turning a CSR into a self-signed certificate have more to do with how openssl is used and how it is configured. This is really just a detail.)

Whether you want your own CA to be self-signed or self-issued is up to you. It usually makes sense to do so (at least for the sake of clarity). In principle, the CA certificate that a remote party uses as a trust anchor does not have to be self-signed (see Section 6):

The selection of a trust anchor is a matter of policy: it could be
the top CA in a hierarchical PKI, the CA that issued the verifier's
own certificate(s), or any other CA in a network PKI. The path
validation procedure is the same regardless of the choice of trust
anchor.
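The two RFC 5280 Section 3.2 definitions quoted in this answer can be checked mechanically. The following Go program is an added example, not part of the original answer: it uses only the standard library, the helper names classify, issue and demo are hypothetical, and all certificate names and keys are constructed samples.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// classify applies RFC 5280 section 3.2; names are compared as raw DER, a simplification of section 7.1.
func classify(der []byte) string {
	c, err := x509.ParseCertificate(der)
	switch {
	case err != nil:
		return "unparseable"
	case !bytes.Equal(c.RawIssuer, c.RawSubject):
		return "not self-issued"
	case c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil:
		return "self-signed" // the signature verifies under the key bound into the certificate
	}
	return "self-issued"
}

// issue returns a DER CA certificate; issuer name, bound key and signing key are separate inputs.
func issue(subject, issuer string, pub ed25519.PublicKey, signer ed25519.PrivateKey) []byte {
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: subject},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuer}}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	return der
}

// demo uses constructed names and keys: a root, a key-rollover certificate and a subordinate CA.
func demo() [3]string {
	oldPub, oldKey, _ := ed25519.GenerateKey(rand.Reader)
	newPub, _, _ := ed25519.GenerateKey(rand.Reader)
	root := issue("Example Root CA", "Example Root CA", oldPub, oldKey)
	rollover := issue("Example Root CA", "Example Root CA", newPub, oldKey) // new key, old signer
	sub := issue("Example Sub CA", "Example Root CA", newPub, oldKey)
	return [3]string{classify(root), classify(rollover), classify(sub)}
}

func main() { fmt.Println(demo()) }
```

The rollover certificate has matching issuer and subject DNs but binds a new key while being signed by the old one, so it is self-issued without being self-signed.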