
Still deciding what mini program to build - Google Maps Platform

Published: 2021-04-18 16:49  Editor: jianzhan


What is happening?

Key Point: In late 2017 Google started a multi-year migration to its own root certificate authority, Google Trust Services. The root certificate authority is used to verify the security of all TLS/SSL connections to the Google Maps Platform. The vast majority of clients will not be affected by this change, but owners of some applications may need to verify and update their client services to ensure a smooth transition through the entire migration by following the recommendations in this document.

Google is working on a multi-year plan to issue and use its own root certificates, the cryptographic signatures which are the basis of the TLS/SSL security used by HTTPS. Currently, the TLS security of the Google Maps Platform is guaranteed by a root certificate issued by GeoTrust Global CA, a very well known and widely trusted certificate authority (CA) which is owned by Symantec. Practically all TLS clients (such as web browsers, smartphones, and application servers) are aware of this root certificate, and therefore can use it to ensure that they have a secure connection to the Google Maps Platform servers. By the early 2020s, Google plans to migrate all Google Maps Platform services to a root certificate issued by Google's own certificate authority, Google Trust Services (GTS). As an interim step, in early 2018 Google Maps Platform migrated to another widely-trusted root certificate from GlobalSign (GS). Google has purchased the use of this root certificate (and the CA that GlobalSign used to issue it) in order to ease the certificate transition. The vast majority of TLS clients already recognise the GlobalSign root certificate, so their usage of the Google Maps Platform will not be affected by this initial change. However, especially in some specialist use cases such as embedded devices, or users working with very outdated legacy browsers or operating systems, it is possible that some clients will lack the GlobalSign root certificate. These clients will need to be updated with the certificate in order to be able to secure their Google Maps Platform connections. It is not possible for Google to identify these clients, so application owners must carry out any necessary verification on their own applications. Google Trust Services provides HTTPS test endpoints on the GTS site to help with this. See below for more technical details.

The same will likely apply to most systems by the time the migration to GTS root certificates begins, but following the recommendations in this document should generally ensure a smooth migration even for specialist systems.
Technical summary

Key Point: The Google Maps Platform frontends transitioned to using the "GlobalSign Root R2" certificate authority in early 2018. Application developers should expect that their Google Maps Platform clients will authenticate against this root CA. In the long term, developers should anticipate that clients will authenticate against root certificates from Google Trust Services, and possibly for an interim period at least against the "GlobalSign Root R3" CA.

As announced in the Google Maps Platform Premium Plan customer support portal on March 16 2017, and earlier on the Google Security Blog, Google has created its own root CA, GTS. Along with other Google services, the Google Maps Platform will gradually transition to TLS certificates signed by GTS root CAs. As an interim step, Google has purchased the existing, widely-trusted GS Root R2 CA. The Google Maps Platform started migrating from the GeoTrust root certificate to this certificate in late 2017, finishing the migration in early 2018. Almost all TLS clients are preconfigured with the GS Root R2 certificate or receive it via normal software updates, but, if an application connects to the Google Maps Platform from clients that may not recognize this certificate, the application developers should ensure that the clients are tested and if necessary updated with the certificate. The GS Root R2 certificate and all GTS root certificates are available via the GTS site. For testing purposes, the GTS site also provides endpoints with TLS certificates signed by each CA. In particular, if your client can establish a TLS connection to the GS Root R2 test endpoint then it trusts the GS Root R2 certificate and should not be affected by the upcoming change. Google will rely on the GS Root R2 CA at least through the end of 2018. After that, the Google Maps Platform may transition directly to the GTS CA, or may on occasion fall back to third-party root CAs including the GS Root R3 CA.

Key Point: To completely future-proof your application, we recommend that your applications trust all root certificates listed in the Google sample PEM file. This file includes all CAs that may plausibly be used by Google services in the foreseeable future.

How do I get updates on this migration process?

Star the public issue for updates. This FAQ is also updated throughout the migration process, whenever we encounter topics that may be of general interest.

We use multiple Google services. Will the root CA migration affect all of them?

Yes, the root CA migration will happen across all Google services and APIs, but the timeline may vary per service. However, once you have verified that your application trusts the recommended set of root certificates listed in the Google sample PEM file, your application should be future proof during the root certificate migration, no matter which Google API or service it might call. See question Should I install all root certificates from the Google sample PEM file? for further details.

How do I verify if my certificate store needs an update?

Test your application environment against the test endpoints listed together with each of the root CAs on the GTS site. If you are able to establish a TLS connection to the GS Root R2 test endpoint and the Google certificate test sandbox, you will be fine at least through the end of 2018. Caution: In the coming years we may on occasion fall back to third-party root CAs, including GS Root R3 (verifiable using the GS Root R3 test endpoint), so unless you are already able to connect to all of the test endpoints below, you will still have to update your certificate store within the next few years:

Therefore, we recommend that you install now all certificates from the Google sample PEM file to future proof your system, unless you are certain that you will always manage to keep your system completely up to date and patched. Warning: If you fail to connect to the GS Root R2 test endpoint or the Google certificate test sandbox, you need to update your certificate store immediately.

The command line tool curl, available on most platforms, offers extensive options for testing your setup. For instructions on getting curl, see section Getting curl. Note: See question How do I interpret the curl output correctly and ensure the results are reliable? to make sure you connect using the correct root certificate store and interpret the output correctly. Also see section Managing your trusted certificates if you need to export or import certificates.

$ curl -vvI 
$ openssl s_client -connect :443 -showcerts </dev/null 2>/dev/null
$ openssl s_client -connect cert-test.:443 -showcerts </dev/null 2>/dev/null

Verifying the Google Root CA bundle

Download the Google sample PEM file, then follow the steps below:

# Google certificate test sandbox
$ curl -vvI --cacert roots.pem 
# GS Root R2
$ curl -vvI --cacert roots.pem 
# GS Root R4
$ curl -vvI --cacert roots.pem 
# GS Root R3
$ curl -vvI --cacert roots.pem 
# GTS Root R1
$ curl -vvI --cacert roots.pem 
# GTS Root R2
$ curl -vvI --cacert roots.pem 
# GTS Root R3
$ curl -vvI --cacert roots.pem 
# GTS Root R4
$ curl -vvI --cacert roots.pem 
$ openssl s_client -CAfile roots.pem -connect :443 -showcerts </dev/null 2>/dev/null
$ openssl s_client -CAfile roots.pem -connect cert-test.:443 -showcerts </dev/null 2>/dev/null

What are the minimum requirements for a TLS client to communicate with Google Maps Platform?

Please refer to section What are the recommended minimum requirements for a Transport Layer Security (TLS) client to communicate with Google? in the GTS FAQ.

Google Ma凡科抠图 Platform does not impose any additional requirements.


The application uses the system certificate store without any developer imposed restrictions

Google Maps Platform web service applications

If you are using a mainstream OS (e.g., Ubuntu, Red Hat, Windows 7+ or Server 2008+, OS X) that is still maintained and receives regular updates, your default certificate store should already include the GS Root R2 certificate. If you are using a legacy OS version that no longer receives updates, you may or may not have the GS Root R2 certificate. For example, Windows XP SP2 includes the certificate, but Windows XP SP1 does not. Legacy devices should be tested to ensure that they trust the certificate. For mobile applications calling Google Maps Platform web services directly from the end user device, the guidelines from question Are mobile applications at risk of breaking? apply. Note: Even if your application can cope with the first phase of the migration without any certificate updates, we recommend future proofing your application now in one go. See question Should I install all root certificates from the Google sample PEM file? for further details.

Google Maps JavaScript API applications generally rely on the root certificates of the web browser running the application. See section Are Google Maps JavaScript API applications at risk of breaking? for further details. For native mobile applications, both on Android and iOS, using either the Google Maps or Places SDKs, the same rules apply as for apps calling the Google Maps Platform web services. See question Are mobile applications at risk of breaking? for more details.

The application uses its own certificate bundle, or uses advanced security features, such as certificate pinning

You will need to make sure to update your certificate bundle yourself. As discussed under question Should I install all root certificates from the Google sample PEM file?, we recommend you import all root certificates from the Google sample PEM file into your certificate store. If you are pinning certificates or public keys for the Google domains your application connects to, you should add the certificates and public keys to the list of trusted entities in your application. For more information about certificate or public key pinning, refer to the external resources listed under question ?.

Should I install all root certificates from the Google sample PEM file?

If you wish to future proof your system now in one go, we recommend that you install all certificates from the Google sample PEM file, especially if you do not regularly and routinely apply operating system updates to your system, or if you for example maintain your own certificate bundles for your application.

Why should I not install any intermediate CA certificates?

Warning: You should never configure your services to explicitly trust any intermediate CA! Doing so will risk breaking your application at any point we enroll a new intermediate certificate, which may happen at any time and without any prior notice.

You should only install the root certificates from the Google sample PEM file, and rely on the root certificate to verify the authenticity of the entire certificate chain anchored to it. This applies equally to individual server certificates (e.g. those served by the host ), as well as any of our intermediate CAs (e.g. GIAG3, GTS CA 1O1 or GIAG4). Any modern TLS library implementation should be able to automatically verify such chains of trust, as long as the root certificate authority is trusted.
Are Google Maps JavaScript API applications at risk of breaking?

The GlobalSign R2 root CA is well embedded, and trusted by most modern browsers. Therefore, it is likely that these browsers will continue to be able to connect to Google services for some time. If the browser is actively maintained, it is also almost certain that it will at some point also support all other Google root CAs. However, the Google Maps JavaScript API itself is only guaranteed to work on supported browsers, so we recommend using one of the listed browsers and keeping the browser up to date to ensure problem free use. Note: Your browser might not yet trust the newly-created GTS Root CAs, so make sure to keep your browser updated to avoid any root CA migration related service interruptions in the future. Every modern browser should allow end users to verify which certificates it trusts. Although the exact location differs with each browser, the list of certificates can typically be found somewhere under Settings.

Are mobile applications at risk of breaking?

Android and Apple devices still receiving regular updates from the device manufacturer are also expected to be future proof. Most older Android phone models already include at least both the GS Root R2 and GS Root R3 certificates, although the list of trusted certificates may vary per handset manufacturer, device model and Android version. Newer Android Open Source Project (AOSP) versions used on Google Nexus and Pixel branded devices also trust GS Root R4 by default. Support for the GTS Root CAs is still minimal in any of the released Android versions.

Caution: As individual handset manufacturers may have chosen to include different sets of trusted root certificates, the most reliable way to verify which root certificates are available on an Android device is for the end user to verify this themselves. All Android versions starting from Android Ice Cream Sandwich (4.0) should offer the list of trusted root CAs under settings, although the actual path may vary.

For iOS devices, Apple maintains a list of trusted root CAs for each recent iOS version on its support pages. However, all iOS versions 5 and up support GS Root R2 and R3, versions 7 and up also GS Root R4. As with current Android versions, GTS Root CAs are not yet supported at the time of writing.

See section How can I check the trusted root certificates on my mobile phone? for further details. Note: Mobile applications using certificate or public key pinning when communicating with Google Services should be updated, as discussed in section The application uses its own certificate bundle, or uses advanced security features, such as certificate pinning.

When will my browser or operating system include the Google Trust Services root certificates?

Google is working with all major third parties maintaining widely used and trusted root certificate bundles. Examples include operating system manufacturers, such as Apple and Microsoft, but also Google's own Android and ChromeOS teams; browser developers, such as Mozilla, Apple, Microsoft, but also Google's own Chrome team; manufacturers of hardware, such as phones, set-top boxes, TVs, game consoles, printers, just to name a few. As third-party certificate inclusion timelines are largely beyond the control of Google, the best general advice we can offer is to make sure you regularly apply available system updates. Select third parties, such as Mozillaʼs CA Certificate Program, may have documented their own certificate inclusion timelines.
Where can I get the tools I need?

Getting curl

If your OS distribution doesn't provide curl, you can either download the source and compile the tool yourself or download a precompiled binary, if one is available for your platform.

Getting OpenSSL

If your OS distribution doesn't provide openssl, you can download the source and compile the tool. A list of binaries built by third parties is also available. However, none of these builds are supported or in any specific way endorsed by the OpenSSL team.

Getting Wireshark and tcpdump

While most Linux distributions offer both tools, precompiled versions of Wireshark for other OSs are also available.

The keytool command line tool should be shipped with every Java Development Kit (JDK) or Java Runtime Environment (JRE) version. Install these to get keytool. However, using keytool is unlikely to be necessary for root certificate verification, unless your application is built using Java.

What to do in a production outage?

The primary course of action for you is to install the required root certificates from the Google sample PEM file into the certificate trust store your application uses. Note: This method varies per operating system, possibly even the SSL/TLS library your application uses. Therefore, please always first refer to your system documentation! However, you may still find useful information in section Managing your trusted certificates. Work together with your system administrators to upgrade your local certificate store. Check this FAQ for pointers applicable to your system. If you need further platform- or system-specific assistance, reach out to the technical support channels offered by your system provider. For general assistance, reach out to our support team, as described in section Reaching out to Google Maps Platform support. Note: For platform-specific issues, guidance is only provided on a best effort basis. Star the public issue for further migration related updates.

Initial troubleshooting

See question How do I verify if my certificate store needs an update? for generic troubleshooting instructions. Section Managing your trusted certificates may also contain useful information, if you need to import or export root certificates. If the issue is not resolved, and you decide to reach out to Google Maps Platform support, be prepared to also provide the following information:
Where are your affected servers located?
Which Google IP addresses is your service calling?
Which API(s) are affected by this issue?
When exactly did the issue start?
Outputs of the following commands:

# Google Ma凡科抠图 Platform service
$ curl -vvI 
# Google Search site
$ curl -vvI 
# Google certificate test sandbox
$ curl -vvI 
# GS Root R2
$ curl -vvI 
# GS Root R3
$ curl -vvI 
# GTS Root R1
$ curl -vvI 
$ openssl s_client -connect :443 -showcerts </dev/null 2>/dev/null
$ openssl s_client -connect cert-test.:443 -showcerts </dev/null 2>/dev/null

For instructions on getting the required tools, see question Where can I get the tools I need?.

When filing a support case, in addition to the data listed in section Initial troubleshooting, please also provide the following: What are your public IP addresses? What is the public IP address of your DNS server? If possible, a tcpdump or Wireshark packet capture of the failed TLS negotiation against (pcap format, using a sufficiently large snapshot length to capture the entire packet without truncating it). If possible, log excerpts from your service showing the exact TLS connection failure reason, preferably with full server certificate information. For instructions on getting the required tools, see question Where can I get the tools I need?.

How can I determine the public address of my DNS?

On Linux, you can run the following command:
dig -t txt o-o.myaddr.
On Windows you can use nslookup in interactive mode:
C:\> nslookup -
set type=TXT
o-o.myaddr.

How do I interpret the curl output correctly and ensure the results are reliable?

Running curl with the -vvI flags provides much useful information. Here are a few instructions for interpreting the output: Lines starting with '*' display output from the TLS negotiation, as well as other debug information. Lines starting with '>' display the outgoing HTTP request that curl sends. Lines starting with '<' display the HTTP response it gets from the server. If the protocol was HTTPS, the presence of '>' or '<' lines implies a successful TLS handshake.
Running curl with the -vvI flags also prints out the used certificate store, but the exact output may vary per system as shown below. Output from a Red Hat Linux machine with curl linked against NSS may contain these lines:
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
 CApath: none
Output from an Ubuntu or Debian Linux machine may contain these lines:
* successfully set certificate verify locations:
* CAfile: none
 CApath: /etc/ssl/certs
Output from an Ubuntu or Debian Linux machine using the Google root certificate PEM file given using the --cacert flag may contain these lines:
* successfully set certificate verify locations:
* CAfile: /home/ username /Downloads/roots.pem
 CApath: /etc/ssl/certs
Caution: There are multiple widely used SSL/TLS libraries (see the comparison table on the curl site), which may all be configured to use different root certificate bundles/certificate stores. If curl has been linked against a different SSL/TLS library than your application, you might wish to double check that both point to the same certificate store for the test results to be completely reliable. Note: If you maintain your own certificate bundle for your application, or the application just uses a different store than curl and you wish to verify the one used by your application, you can export the certificates from that store into a PEM file, which you can pass to curl using the --cacert flag. See section Managing your trusted certificates.
Outgoing requests contain the User-Agent header that may provide useful information about curl and your system. An example from a Red Hat Linux machine:
> HEAD / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: cert-test.
> Accept: */*

Failed TLS handshake

Lines such as the ones below indicate the connection was terminated mid-TLS-handshake because of an untrusted server certificate. The absence of debug output starting with '>' or '<' is also a strong indicator of an unsuccessful connection attempt:
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0

Successful TLS handshake

A successful TLS handshake is indicated by the presence of lines similar to the ones below. The cipher suite used for the encrypted connection should be listed, as should details of the accepted server certificate. Furthermore, the presence of lines starting with '>' or '<' indicates that payload HTTP traffic is successfully transmitted over the TLS encrypted connection:
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=*.
* start date: Jul 29  2019 GMT
* expire date: Oct 27  2019 GMT
* subjectAltName: host "" matched cert's "*."
* issuer: C=US; O=Google Trust Services; CN=GTS CA 1O1
* SSL certificate verify ok.
> HEAD / HTTP/1.1
> User-Agent: curl/7.64.0
> Host: 
> Accept: */*
< HTTP/1.1 302 Found
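The reading rules above (lines beginning with '*', '>' and '<', the "SSL certificate problem" and "SSL certificate verify ok" markers) can be applied mechanically when transcripts from many client environments have to be checked. The script below is an added example in Python and not part of the original FAQ: it classifies a saved curl -v transcript, reports whether the handshake succeeded, and pulls out the certificate store curl used, the issuer of the server certificate and the negotiated cipher suite. The two transcripts embedded in it are constructed samples modelled on the excerpts above; the host name example.invalid and the address 203.0.113.10 are placeholders.

```python
"""Classify a saved `curl -v` transcript: did the TLS handshake succeed, and if
not, why?

Added example, not part of the original FAQ. It applies the reading rules from
the text: '*' lines are TLS/debug output, '>' lines the request curl sent, '<'
lines the server's response. The transcripts below are constructed samples
modelled on the FAQ's excerpts; example.invalid and 203.0.113.10 are placeholders.
"""
import re
import sys

# Constructed sample: handshake aborted because the issuer is not in the store.
FAILED_TRANSCRIPT = """\
*   Trying 203.0.113.10:443...
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
"""

# Constructed sample: handshake completed and an HTTP response came back.
OK_TRANSCRIPT = """\
* successfully set certificate verify locations:
*   CAfile: /home/username/Downloads/roots.pem
  CApath: /etc/ssl/certs
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=example.invalid
*  issuer: C=US; O=Google Trust Services; CN=GTS CA 1O1
*  SSL certificate verify ok.
> HEAD / HTTP/1.1
> Host: example.invalid
> Accept: */*
< HTTP/1.1 302 Found
"""

# What the FAQ says to do about the verify error it discusses.
REMEDIATION = {
    "unable to get local issuer certificate":
        "the chain's root is not in the store curl used; import the missing root "
        "(e.g. from the Google sample PEM file) into that store",
}


def classify_curl_transcript(text):
    """Summarise one curl -v run as a dict."""
    info = {"verdict": "unknown", "store": {}, "issuer": None, "issuer_cn": None,
            "cipher": None, "verify_ok": False, "error": None, "remediation": None,
            "request_sent": False, "response_received": False}
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith(">"):                 # request curl sent
            info["request_sent"] = True
        elif line.startswith("<"):               # response from the server
            info["response_received"] = True
        else:                                    # '*' debug output or continuation line
            body = line.lstrip("* ").strip()
            if body.startswith("CAfile:"):
                info["store"]["cafile"] = body.split(":", 1)[1].strip()
            elif body.startswith("CApath:"):
                info["store"]["capath"] = body.split(":", 1)[1].strip()
            elif body.startswith("SSL certificate problem:"):
                info["error"] = body.split(":", 1)[1].strip()
            elif body == "SSL certificate verify ok.":
                info["verify_ok"] = True
            elif body.startswith("issuer:"):
                info["issuer"] = body.split(":", 1)[1].strip()
                m = re.search(r"CN=([^;]+)", info["issuer"])
                info["issuer_cn"] = m.group(1).strip() if m else None
            else:
                m = re.match(r"SSL connection using (\S+) / (\S+)", body)
                if m:
                    info["cipher"] = m.group(2)
    if info["error"]:
        info["verdict"] = "handshake_failed"
        info["remediation"] = REMEDIATION.get(info["error"])
    elif info["response_received"]:
        info["verdict"] = "handshake_ok"         # payload HTTP flowed over TLS
    elif info["request_sent"]:
        info["verdict"] = "handshake_ok_no_response"
    return info


if __name__ == "__main__":
    # Usage: curl -vvI https://HOST 2>&1 | python3 classify_curl.py
    print(classify_curl_transcript(sys.stdin.read()))
```

Because curl writes the '*', '>' and '<' lines to stderr, redirect it into the script as shown in the usage comment. The verdict is derived exactly as the text describes: a "SSL certificate problem" line means the handshake was aborted, and any '<' line means an HTTP response travelled over the established TLS connection.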

How do I print the received server certificates in human readable form?

Presuming the output is PEM formatted, e.g. the output from openssl s_client ... -showcerts, you can print out the served certificate following the steps below: Copy the entire Base64 encoded certificate, including header and footer:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Certificate chain
 0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.
   i:C = US, O = Google Trust Services, CN = GTS CA 1O1
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1
   i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Server certificate
subject=C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.
issuer=C = US, O = Google Trust Services, CN = GTS CA 1O1

How can I check the trusted root certificates on my mobile phone?

As mentioned under question Are mobile applications at risk of breaking?, Android has since version 4.0 allowed handset users to verify the list of trusted certificates under Settings. The table below shows the exact Settings menu path:

Android version   Settings menu path
8.x, 9            Settings > Security & Location > Encryption & credentials > Trusted credentials
                  Settings > Security > Advanced > Encryption & credentials > Trusted credentials
The table below illustrates the likely availability of the most critical root certificates per Android version, based on manual verification using currently available Android Virtual Device (AVD) system images, falling back to the AOSP ca-certificates Git repository version history whenever system images are no longer available:
Updating the Android system certificate store is generally not possible without a firmware update or rooting the device. However, the current set of trusted root certificates on most still widely used Android versions is likely to provide uninterrupted service for multiple years to come, beyond the effective lifetime of most currently existing devices. Beginning with version 7.0, Android offers application developers a secure method for adding trusted certificates which are only trusted by their application. This is done by bundling the certificates with the application and creating a network security configuration, as described in the Android Best Practices for Security & Privacy: Network Security Configuration training document. However, as third-party application developers will not be able to control the network security configuration of traffic originating from the Google Play Services APK, such efforts would likely only provide a partial workaround. On older legacy devices, your only available option would be to rely on user-added CAs, either installed by a corporate group policy applied to the end user device, or by the end users themselves.

While Apple does not directly show its default set of trusted root certificates to the handset user, the company has links to the sets of trusted root CAs for iOS versions 5 and up from the Apple Support articles Lists of available trusted root certificates in iOS and iOS 5 and iOS 6: List of available trusted root certificates. However, any additional certificates installed on the iOS device should be visible under Settings > General > Profile. If no additional certificates are installed, the Profile menu item may not be displayed. The table below illustrates the availability of the most critical root certificates per iOS version, based on the above sources:

Where is my system certificate store located and how can I update it?

The location of the default certificate store varies with the operating system and the SSL/TLS library used. However, on most Linux distributions, the default root certificates can be found under one of the following paths: /usr/local/share/ca-certificates (Debian, Ubuntu, older RHEL and CentOS versions), /etc/pki/ca-trust/source/anchors and /usr/share/pki/ca-trust-source (Fedora, newer RHEL and CentOS versions) or /var/lib/ca-certificates (OpenSUSE). Other certificate paths may include /etc/ssl/certs (Debian, Ubuntu) or /etc/pki/tls/certs (RHEL, CentOS). Some of the certificates in these directories are likely symbolic links to files in other directories. Caution: Just adding a new certificate to these paths may not be enough. To reconfigure your system to start using them, you will likely need to run a command such as /usr/sbin/update-ca-certificates (Debian, Ubuntu) or /bin/update-ca-trust (Fedora, RHEL and CentOS), which creates the actual root certificate bundle that is used. Note: Your application may also have been configured to use a custom certificate store or root certificate bundle, so make sure you update the correct one!

OpenSSL

For applications using OpenSSL, you can check the configured location of its components, including the default certificate store, using the following command:
openssl version -d
The command prints out OPENSSLDIR, which corresponds to the top level directory the library and its configurations can be found under:
OPENSSLDIR: "/usr/lib/ssl"
The certificate store is located in the certs subdirectory. Note: This directory may contain symbolic links that recursively point to other locations, e.g. to the default system certificate store, as in the example below.
$ ls -l /usr/lib/ssl/certs
lrwxrwxrwx 1 root root 14 Feb 13 2017 /usr/lib/ssl/certs -> /etc/ssl/certs
$ ls -l /etc/ssl/certs
-rw-r--r-- 1 root root 212177 Sep 5 00:45 ca-certificates.crt
lrwxrwxrwx 1 root root 62 Sep 5 00:39 GlobalSign_Root_CA_-_R2.pem -> /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R2.crt

If OpenSSL relies on the default system certificate store as in the example above, check the top-level section Where is my system certificate store located and how can I update it? to ensure the system root certificate bundle is up to date. For instructions on getting openssl, see section Getting OpenSSL.
Mozilla NSS

Applications using Mozilla NSS may by default also use a system-wide certificate database typically located under /etc/pki/nssdb, or a user-specific default store under ${HOME}/.pki/nssdb. For updating NSS, check out the certutil tool documentation for how to add new certificates, as well as the official OS documentation.

Microsoft .NET

Windows .NET developers may find at least the following Microsoft articles useful for updating their certificate store: Working with Certificates; Manage Trusted Root Certificates.
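Python's standard ssl module exposes the same facts as openssl version -d and the certs directory listing above, for the OpenSSL build that Python itself is linked against; as the Caution above warns, that may not be the library or the store your application uses. The script below is an added example and not part of the original FAQ. It reports where that OpenSSL build looks for roots and which of the root CAs named in this FAQ are absent from a store; run it with the path of a bundle (roots.pem, or a PEM file exported from your application's store) to inspect that file instead of the system defaults. One OpenSSL detail matters for the count: certificates in a hashed CApath directory are only reported after they have been used in a verification, so for a complete answer point the script at the bundle file.

```python
"""Which of the root CAs named in this FAQ does an OpenSSL trust store contain?

Added example, not from the original FAQ. Uses only Python's standard ssl
module, so it inspects the store of the OpenSSL build Python is linked
against; the FAQ's caution applies, since your application may use another
TLS library or another store.
"""
import ssl
import sys

# Root CAs the FAQ says Google Maps Platform used, uses, or may use.
# Matched by substring against the subject attributes OpenSSL reports.
REQUIRED_ROOTS = (
    "GlobalSign Root CA - R2",
    "GlobalSign Root CA - R3",
    "GTS Root R1",
    "GTS Root R2",
    "GTS Root R3",
    "GTS Root R4",
)


def default_store_locations():
    """Where this OpenSSL build looks for roots: the OPENSSLDIR defaults the
    text describes plus the SSL_CERT_FILE / SSL_CERT_DIR overrides."""
    p = ssl.get_default_verify_paths()
    return {
        "cafile": p.cafile,                   # effective bundle file, if any
        "capath": p.capath,                   # effective hashed directory, if any
        "openssl_cafile": p.openssl_cafile,   # compiled-in default bundle
        "openssl_capath": p.openssl_capath,   # compiled-in default directory
        "cafile_env": p.openssl_cafile_env,   # name of the override variable
        "capath_env": p.openssl_capath_env,
    }


def empty_context():
    """A client context with no trust anchors loaded at all."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def bundle_context(path):
    """A client context trusting only the certificates in one PEM bundle."""
    ctx = empty_context()
    ctx.load_verify_locations(cafile=path)
    return ctx


def trusted_subjects(ctx):
    """One 'key=value, key=value' string per loaded CA certificate, e.g.
    'organizationalUnitName=GlobalSign Root CA - R2, organizationName=GlobalSign, commonName=GlobalSign'.
    OpenSSL only reports certificates from a hashed CApath directory after they
    have been used once, so bundle files give the complete picture."""
    subjects = []
    for cert in ctx.get_ca_certs():
        parts = [f"{key}={value}" for rdn in cert.get("subject", ()) for key, value in rdn]
        subjects.append(", ".join(parts))
    return subjects


def missing_roots(ctx, required=REQUIRED_ROOTS):
    """The required root names that no loaded CA subject contains."""
    subjects = trusted_subjects(ctx)
    return {name for name in required if not any(name in s for s in subjects)}


def store_report(bundle_path=None):
    """Summarise either one bundle file or the OpenSSL default store."""
    if bundle_path:
        ctx = bundle_context(bundle_path)
    else:
        ctx = ssl.create_default_context()  # loads the OpenSSL default locations
    return {
        "locations": default_store_locations(),
        "trusted_count": len(ctx.get_ca_certs()),
        "missing": sorted(missing_roots(ctx)),
    }


if __name__ == "__main__":
    report = store_report(sys.argv[1] if len(sys.argv) > 1 else None)
    for key, value in report.items():
        print(f"{key}: {value}")
```

An empty "missing" list for the store your application actually uses is the offline equivalent of being able to reach every test endpoint listed on the GTS site; a non-empty list names the roots to import before the fallback CAs the text mentions come into use.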
Privacy-Enhanced Mail (PEM) is a de-facto standard textual file format for storing and sending cryptographic certificates, keys, etc., formalized as a de-jure standard in RFC 7468. While the file format itself is human readable, the Base64 encoded binary information is not. However, the PEM specification permits emitting explanatory text either before or after the text encoded certificate body, and many tools use this feature to also provide a clear-text summary of the most relevant data elements in a certificate. Tools such as openssl can also be used to decode the entire certificate into human-readable form. See section How do I print PEM certificates in human readable form?.

What is a ".crt" file?

Tools that allow exporting of certificates in PEM format commonly use the file extension ".crt" to indicate the file uses a textual encoding.

Distinguished Encoding Rules (DER) is a standardized binary format for encoding certificates. Certificates in PEM files are typically Base64 encoded DER certificates.

What is a ".cer" file?

An exported file with a ".cer" suffix may contain a PEM-encoded certificate, but more typically a binary, usually DER-encoded certificate. By convention, ".cer" files generally only contain a single certificate.

My system refuses to import all certificates from roots.pem

Some systems only accept importing PEM files that contain a single certificate. See question How do I extract individual certificates from roots.pem? below to see how the file can be split up.

How do I extract individual certificates from roots.pem?

You can split up roots.pem into its component certificates using the following simple bash script:

csplit -z -f roots.pem. roots.pem '/-----END CERTIFICATE-----/+1' '{*}' >/dev/null \
&& for f in roots.pem.*;\
 do mv "${f}"\
 $(printf %b $(openssl x509 -in ${f} -noout -issuer|sed -e 's/"//g'|sed -e 's#/#_#g')).pem;\
 done
This should create a number of individual PEM files similar to the ones listed below:
issuer=C=BE,O=GlobalSignnv-sa,OU=RootCA,CN=GlobalSignRootCA.pem
issuer=C=GB,ST=GreaterManchester,L=Salford,O=ComodoCALimited,CN=AAACertificateServices.pem
issuer=C=GB,ST=GreaterManchester,L=Salford,O=COMODOCALimited,CN=COMODOCertificationAuthority.pem
issuer=C=GB,ST=GreaterManchester,L=Salford,O=COMODOCALimited,CN=COMODOECCCertificationAuthority.pem
issuer=C=GB,ST=GreaterManchester,L=Salford,O=COMODOCALimited,CN=COMODORSACertificationAuthority.pem
issuer=C=IE,O=Baltimore,OU=CyberTrust,CN=BaltimoreCyberTrustRoot.pem
issuer=C=SE,O=AddTrustAB,OU=AddTrustExternalTTPNetwork,CN=AddTrustExternalCARoot.pem
issuer=C=US,O=AffirmTrust,CN=AffirmTrustCommercial.pem
issuer=C=US,O=AffirmTrust,CN=AffirmTrustNetworking.pem
issuer=C=US,O=AffirmTrust,CN=AffirmTrustPremiumECC.pem
issuer=C=US,O=AffirmTrust,CN=AffirmTrustPremium.pem
issuer=C=US,O=DigiCertInc,OU=,CN=DigiCertAssuredIDRootCA.pem
issuer=C=US,O=DigiCertInc,OU=,CN=DigiCertAssuredIDRootG2.pem
issuer=C=US,O=DigiCertInc,OU=,CN=DigiCertAssuredIDRootG3.pem
issuer=C=US,O=DigiCertInc,OU=,CN=DigiCertGlobalRootCA.pem
issuer=C=US,O=DigiCertInc,OU=,CN=DigiCertGlobalRootG2.pem
issuer=C=US,O=DigiCertInc,OU=,CN=DigiCertGlobalRootG3.pem
issuer=C=US,O=DigiCertInc,OU=,CN=DigiCertHighAssuranceEVRootCA.pem
issuer=C=US,O=DigiCertInc,OU=,CN=DigiCertTrustedRootG4.pem
issuer=C=US,O=Entrust,Inc.,OU=_legal-terms,OU=(c)2009Entrust,Inc.-forauthorizeduseonly,CN=EntrustRootCertificationAuthority-G2.pem
issuer=C=US,O=Entrust,Inc.,OU=_legal-terms,OU=(c)2012Entrust,Inc.-forauthorizeduseonly,CN=EntrustRootCertificationAuthority-EC1.pem
issuer=C=US,O=Entrust,Inc.,OU=_CPSisincorporatedbyreference,OU=(c)2006Entrust,Inc.,CN=EntrustRootCertificationAuthority.pem
issuer=C=US,O=GeoTrustInc.,CN=GeoTrustGlobalCA.pem
issuer=C=US,O=GoogleTrustServicesLLC,CN=GTSRootR1.pem
issuer=C=US,O=GoogleTrustServicesLLC,CN=GTSRootR2.pem
issuer=C=US,O=GoogleTrustServicesLLC,CN=GTSRootR3.pem
issuer=C=US,O=GoogleTrustServicesLLC,CN=GTSRootR4.pem
issuer=C=US,O=StarfieldTechnologies,Inc.,OU=StarfieldClass2CertificationAuthority.pem
issuer=C=US,O=TheGoDaddyGroup,Inc.,OU=GoDaddyClass2CertificationAuthority.pem
issuer=C=US,ST=Arizona,L=Scottsdale,,Inc.,CN=GoDaddyRootCertificateAuthority-G2.pem
issuer=C=US,ST=Arizona,L=Scottsdale,O=StarfieldTechnologies,Inc.,CN=StarfieldRootCertificateAuthority-G2.pem
issuer=C=US,ST=NewJersey,L=JerseyCity,O=TheUSERTRUSTNetwork,CN=USERTrustECCCertificationAuthority.pem
issuer=C=US,ST=NewJersey,L=JerseyCity,O=TheUSERTRUSTNetwork,CN=USERTrustRSACertificationAuthority.pem
issuer=O=Cybertrust,Inc,CN=CybertrustGlobalRoot.pem
issuer=,OU=_CPS_2048incorp.byref.(limitsliab.),OU=(Limited,CertificationAuthority(2048).pem
issuer=OU=GlobalSignECCRootCA-R4,O=GlobalSign,CN=GlobalSign.pem
issuer=OU=GlobalSignECCRootCA-R5,O=GlobalSign,CN=GlobalSign.pem
issuer=OU=GlobalSignRootCA-R2,O=GlobalSign,CN=GlobalSign.pem
issuer=OU=GlobalSignRootCA-R3,O=GlobalSign,CN=GlobalSign.pem
issuer=OU=GlobalSignRootCA-R6,O=GlobalSign,CN=GlobalSign.pem
roots.pem
The resulting PEM files (named issuer=….pem) can then be imported individually, or further converted into a file format your certificate store accepts.
The command-line tool openssl can be used to convert files between commonly used certificate file formats. Instructions for converting from a PEM file to other commonly used certificate file formats are listed below. For a full list of available options, check the official OpenSSL Command Line Utilities documentation. For instructions on getting openssl, see section Getting OpenSSL.
How do I convert a PEM file to DER format? Using openssl you can issue the following command to convert a file from PEM to DER:
openssl x509 -in roots.pem -outform der -out roots.der

How do I convert a PEM file to PKCS #7? Using openssl you can issue the following command to convert a file from PEM to PKCS #7:
openssl crl2pkcs7 -nocrl -certfile roots.pem -out roots.p7b
How do I convert a PEM file to PKCS #12 (PFX)? Using openssl you can issue the following command to convert a file from PEM to PKCS #12:
openssl pkcs12 -export -info -in roots.pem -out roots.p12 -nokeys
You need to provide a file password when creating a PKCS #12 archive; make sure to store the password somewhere safe if you don't immediately import the PKCS #12 file into your system.
How do I export certificates from the NSS certificate store as a PEM file? Check out the Mozilla NSS certutil tool documentation, as well as the community site discussion export certificate from cert8.db as a .pem file.
How do I print PEM certificates in human readable form? In the following examples we presume you have the file GlobalSign_Root_CA_-_R2.pem with the following contents:
-----BEGIN CERTIFICATE-----
MIIDujCCAqKgAwIBAgILBAAAAAABD4Ym5g0wDQYJKoZIhvcNAQEFBQAwTDEgMB4G
A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp
Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDYxMjE1MDgwMDAwWhcNMjExMjE1
MDgwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEG
A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAKbPJA6+Lm8omUVCxKs+IVSbC9N/hHD6ErPL
v4dfxn+G07IwXNb9rfF73OX4YJYJkhD10FPe+3t+c4isUoh7SqbKSaZeqKeMWhG8
eoLrvozps6yWJQeXSpkqBy+0Hne/ig+1AnwblrjFuTosvNYSuetZfeLQBoZfXklq
…==
-----END CERTIFICATE-----
Printing certificates using the OpenSSL command
openssl x509 -in GlobalSign_Root_CA_-_R2.pem -text
should output the following lines before the certificate:
Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number:
 ::0f:86:26:e6:0d
 Signature Algorithm: sha1WithRSAEncryption
 Issuer: OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
 Validity
 Not Before: Dec 15  2006 GMT
 Not After : Dec 15  2021 GMT
 Subject: OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
 Subject Public Key Info:
 Public Key Algorithm: rsaEncryption
 Public-Key: (2048 bit)
 Modulus:
 00:a6:cf:24:0e:be:2e:6f::42:c4:ab:3e:
 b:0b:d3:7f:84:70:fa:12:b3:cb:bf:87:5f:
 c6:7f:86:d3:bc:d6:fd:ad:f1:7b:dc:e5:f8:
 :92:10:f5:d0:53:de:fb:7b:7e:73:88:ac:
 b:4a:a6:ca:49:a6:5e:a8:a7:8c:5a:11:bc:
 7a:82:eb:be:8c:e9:b3:ac::97:4a:99:2a:
 07:2f:b4:1e:77:bf:8a:0f:bc:1b:96:b8:c5:
 b9:3a:2c:bc:d6:12:b9:eb:59:7d:e2:d:5f:
 5e:49:6a:be:88:34:ec:bc:78:0c::
 6c:a8:cd:4b:b4:a0:7d:0c:79:4d:f0:b8:2d:cb:21:
 ca:d5:6c:5b:7d:e1:a:a1:f9:d:cb:
 :20:bc:dd:0b::f9:ea:27:0a:2b:
 73:91:c6:9d:1b:ac:c8:cb:e8:e0:a0:f4:2f:90:8b:
 4d:fb:bb:fa:85:e0:6d:f:88:
 5c:9f:ea:a:5a:ce:af:ab:d5:f7:aa:
 09:aa:60:bd:dc:d9:5f:df:72:a:5e:00:01:
 c9:4a:fa:3f:a4:ea::02:8e:82:ca:03:c2:
 9b:8f
 Exponent: 65537 (0x10001)
 X509v3 extensions:
 X509v3 Key Usage: critical
 Certificate Sign, CRL Sign
 X509v3 Basic Constraints: critical
 CA:TRUE
 X509v3 Subject Key Identifier:
 9B:E:67:1C:1E:C0:6A:06:DE:59:B4:9A:2D:DF:DC:E
 X509v3 CRL Distribution Points:
 Full Name:
 URI:root-r2.crl
 X509v3 Authority Key Identifier:
 keyid:9B:E:67:1C:1E:C0:6A:06:DE:59:B4:9A:2D:DF:DC:E
 Signature Algorithm: sha1WithRSAEncryption
 :87:1c::91:ec:e0:4a:bb:ab:81:ac:
 27:4f:d6:c1:b8:1c:43:78:b3:0c:9a:fc:ea:2c:3c:6e:61:1b:
 4d:4b:29:f5:9f:05:1d:26:c1:b8:e:62:45:b6:a9:08:
 93:b9:ab:18:9a:c2:f:4e:db:dd:a:c1:
 54:da:46:3f:e0:d3:2a:ab:6d:54:22:f5:3a:62:cd:20:6f:ba:
 29:89:d7:dd:91:ee:d3:5c:a2:3e:a1:5b:41:f5:df:e:
 2d:e9:d5:39:ab:d2:a2:df:b7:8b:d0:c:1c:45:c0:2d:
 8c:e8:f8:2d:a:49:c5:05:b5:4f:15:de:6e::
 87:a8:7e:bb:f:91:bb:f4:6f:9d:c1:f0:8c:35:8c:5d:
 01:fb:c3:6d:b9:ef:44:6d::7e:0a:fe:a9:82:c1:ff:
 ef:ab:6e:20:c4:50:c9:5f:9d:4d:9b:17:8c:0c:e5:01:c9:a0:
 41:6a:73:53:fa:a5:50:b4:6e:25:0f:fb:4c:18:f4:fd:52:d9:
 8e:69:b1:ef:de:88:d8:fb:1d:49:f7:aa:de:95:cf:20:
 78:c:db:c:6a:fc:7e::64:12:f7:9e:
 81:ee
For instructions on getting openssl, see section Getting OpenSSL.
Printing certificates using Java keytool gives output including the following lines:
SHA256: CA:42:DD:F:D0:B8:1E:B:2C:F9:D8:BF:71:9D:A1:BD:1B:1E:FC:94:6F:5B:4C:99:F4:2C:1B:9E
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 9B E2 07 57 67 1C 1E C0 6A 06 DE 59 B4 9A 2D DF ...Wg...j..Y..-.
0010: DC 19 86 2E ....
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:
]

#3: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: root-r2.crl]
]]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 9B E2 07 57 67 1C 1E C0 6A 06 DE 59 B4 9A 2D DF ...Wg...j..Y..-.
0010: DC 19 86 2E ....
]
]

For instructions on getting keytool, see section Getting Java keytool.
This varies per operating system and SSL/TLS library. However, the tools that allow importing and exporting certificates to and from the certificate store typically also provide an option to list the installed certificates. Also, if you successfully exported the trusted root certificates into PEM files, or your certificate store already contains stored PEM files, you can try opening the files in any text editor, as PEM is a plain text file format. The PEM file may be properly labeled, providing information about the associated certificate authority (example from the Google sample PEM file):
# Operating CA: GlobalSign
# Issuer: CN=GlobalSign O=GlobalSign OU=GlobalSign Root CA - R2
# Subject: CN=GlobalSign O=GlobalSign OU=GlobalSign Root CA - R2
# Label: "GlobalSign Root CA - R2"
# Serial: 5
# MD5 Fingerprint: :7e:3e:5e:fd:8f:30:bd:41:b0:cf:e7:d0:30
# SHA1 Fingerprint: 75:e0:ab:b:c:04:f8:5f:dd:de:38:e4:be:fe
# SHA256 Fingerprint: ca:42:dd:f:d0:b8:1e:b:2c:f9:d8:bf:71:9d:a1:bd:1b:1e:fc:94:6f:5b:4c:99:f4:2c:1b:9e
-----BEGIN CERTIFICATE-----
MIIDujCCAqKgAwIBAgILBAAAAAABD4Ym5g0wDQYJKoZIhvcNAQEFBQAwTDEgMB4G
A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp
Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDYxMjE1MDgwMDAwWhcNMjExMjE1
MDgwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEG
A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAKbPJA6+Lm8omUVCxKs+IVSbC9N/hHD6ErPL
v4dfxn+G07IwXNb9rfF73OX4YJYJkhD10FPe+3t+c4isUoh7SqbKSaZeqKeMWhG8
eoLrvozps6yWJQeXSpkqBy+0Hne/ig+1AnwblrjFuTosvNYSuetZfeLQBoZfXklq
…==
-----END CERTIFICATE-----
The file may also just contain the certificate part. In such cases, the name of the file, such as GlobalSign_Root_CA_-_R2.pem, may describe which CA the certificate belongs to. The certificate string between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tokens is guaranteed to be unique for each CA, and you can compare these strings between PEM files if you cannot otherwise identify the CAs. Therefore compare each of the certificates in the Google sample PEM file against the PEM files you extracted from your certificate store. As each certificate in the Google root CA bundle is properly labeled, you can reliably verify which of the certificates you already have in your certificate store and identify which of them still need to be added, even if your certificate store PEM files were not labeled. Note: If tools such as openssl and keytool can be installed on your system, see section How do I convert between a PEM file and a format supported by my system? for instructions on how to directly see the contents of the certificates. For mobile phone specific instructions, see the separate question How can I check the trusted root certificates on my mobile phone?.
Always rely primarily on your operating system documentation, the documentation of your application programming language(s), as well as the documentation from any external libraries that your application is using. Any other information, including this FAQ, may be outdated or otherwise incorrect, and should not be taken as authoritative. However, you may still find useful information on many of the Stack Exchange communities, as well as sites such as AdamW on Linux and more and the confirm blog, among others. Please also check out the GTS FAQ, as well as the article How to Use X.509 Certificates and SSL For Secure Communications. For further details about advanced topics, such as certificate pinning, you may find the Open Web Application Security Project (OWASP) article informative. For Android specific instructions, please refer to the official Android Best Practices for Security & Privacy: Security with HTTPS and SSL training document. For discussion about certificate vs. public key pinning on Android, you may find Matthew Dolan's blog post Android Security: SSL Pinning useful. The Android Best Practices for Security & Privacy: Network Security Configuration training document and the JeroenHD blog post Android 7 Nougat and certificate authorities provide information about managing additional trusted certificates on Android. For a comprehensive list of root CAs trusted by AOSP, refer to the ca-certificates Git repository. For any versions based on unofficial Android forks, e.g. LineageOS, refer to the appropriate repositories provided by the OS vendor.
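The bash script above splits roots.pem with csplit and openssl, and the paragraph above suggests comparing the certificate strings of the Google bundle against the PEM files exported from your own store. The following is an added example, not code from the Google Maps Platform FAQ, that does both in one place with only the Python standard library: it splits a PEM bundle into individual certificates (reading the same "# Label:" comment lines the Google sample file uses), computes the SHA-256 fingerprint of each decoded certificate in the colon-separated form openssl and keytool print, and lists which bundle certificates are absent from a second PEM file. Comparing fingerprints of the decoded bytes rather than the base64 text makes the result independent of labels, comments and line wrapping. The two PEM bundles and the helper `_pem` that builds them are constructed test data, not real certificates.

```python
# Added example (not from the Google Maps Platform FAQ): split a PEM bundle
# such as roots.pem into individual certificates, fingerprint them, and report
# which ones are missing from a second PEM file (e.g. an export of your own
# certificate store). Standard library only; sample inputs are constructed.
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)
# '# Label: "GlobalSign Root CA - R2"' style comment lines, as in Google's roots.pem
LABEL = re.compile(r'^#\s*Label:\s*"?([^"]*)"?\s*$', re.MULTILINE)


def split_pem_bundle(text):
    """Return a list of (label, der_bytes) for every certificate in `text`.

    The label comes from the last '# Label:' comment line preceding the block;
    unlabelled blocks get a positional name such as 'certificate-1'.
    """
    certs = []
    pos = 0
    for i, m in enumerate(PEM_BLOCK.finditer(text)):
        preamble = text[pos:m.start()]   # comment lines belonging to this block
        pos = m.end()
        labels = LABEL.findall(preamble)
        label = labels[-1] if labels else "certificate-%d" % (i + 1)
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
        certs.append((label, der))
    return certs


def sha256_fingerprint(der):
    """SHA-256 fingerprint of the DER bytes as 'AA:BB:...', the form shown by
    openssl x509 -fingerprint -sha256 and by keytool -printcert."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def missing_from_store(bundle_text, store_text):
    """Labels of bundle certificates whose decoded bytes do not occur in the store."""
    store_fps = {sha256_fingerprint(der) for _, der in split_pem_bundle(store_text)}
    return [label for label, der in split_pem_bundle(bundle_text)
            if sha256_fingerprint(der) not in store_fps]


def _pem(label, body):
    """Constructed helper: wrap arbitrary bytes in a labelled PEM block (not a real cert)."""
    b64 = base64.b64encode(body).decode()
    return ('# Label: "%s"\n-----BEGIN CERTIFICATE-----\n%s\n'
            '-----END CERTIFICATE-----\n' % (label, b64))


# Constructed inputs: a labelled "root bundle" with three entries and an
# unlabelled "store export" that holds only the first and third of them.
SAMPLE_BUNDLE = (_pem("Constructed Root A", b"constructed DER bytes for root A")
                 + _pem("Constructed Root B", b"constructed DER bytes for root B")
                 + _pem("Constructed Root C", b"constructed DER bytes for root C"))
SAMPLE_STORE = "\n".join(
    "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----"
    % base64.b64encode(body).decode()
    for body in (b"constructed DER bytes for root C",
                 b"constructed DER bytes for root A"))

if __name__ == "__main__":
    for label, der in split_pem_bundle(SAMPLE_BUNDLE):
        print("%-20s %s" % (label, sha256_fingerprint(der)))
    print("missing from store:", missing_from_store(SAMPLE_BUNDLE, SAMPLE_STORE))
```

To use it on real files, read roots.pem and your exported store file into strings and pass them to `missing_from_store`; the labels it returns are exactly the ones you still need to import. The fingerprints it prints can be checked against the "# SHA256 Fingerprint:" comment lines of the Google bundle.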

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2020-12-03 UTC.

