字段名称含义用途示例待签名内容(tbsCertificate)Version (版本)含义: 证书版本号。取值:v1(0), v2(1), v3(2)。互联网 PKI 必须使用 v3 (值为 2)。告诉解析程序该按照哪个标准来读取后续的字段目前绝大多数为v3。Version: 3 (0x2)Serial Number (序列号)含义:CA 分配的唯一编号。证书的“身份证号”。在吊销证书CRL时CA 就是通过这个号码来精准定位作废证书的。Serial Number: 8 (0x8)Signature (签名算法)含义CA 签发此证书所用的算法。枚举值如 ecdsa-with-SHA256, sha256WithRSAEncryption, SM3WithSM2。提前告知验证者“一会儿请用这个算法去解密和校验我的签名”。Signature Algorithm: ecdsa-with-SHA256Issuer (颁发者)[1]含义签发该证书的 CA 身份信息DN格式。枚举值包含 C(国家), O(组织), CN(通用名) 等。指明“谁发的证”。验证者需要根据这个名字去寻找上一级 CA 的证书以获取验签公钥。Issuer: C CA, ST NC, L city, O ACME, OU ACME Devices, CN CAValidity (有效期)含义证书的生命周期时间窗口。枚举值Not Before (起始时间) 和 Not After (截止时间)。确保证书仅在特定时间段内可信过期后必须重新申请或续期。Validity Not Before: Jan 1 00:00:00 1970 GMT Not After : Dec 31 23:59:59 9999 GMTSubject (主体)含义证书持有者的身份信息DN格式。枚举值包含域名(CN)、公司(O)、部门(OU) 等。Subject: C US, ST NC, O ACME Widget Manufacturing, OU ACME Widget Manufacturing Unit, CN w0123456789SubjectPublicKeyInfo (主体公钥信息)含义持有者的公钥及算法标识。枚举值RSA 公钥含模数Modulus、指数Exponent、ECC 公钥含曲线参数、点位坐标。证书的核心资产。1. 后续通信中如TLS 握手、SPDM 挑战对方将用这个公钥来加密数据或验证持有者的签名。2.它的下一级的签名值使用这个公钥验签Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:ba:67:47:72:78:da:28:81:d9:81:9b:db:88:03: e1:10:a4:91:b8:48:ed:6b:70:3c:ec:a2:68:a9:3b: 5f:78:fc:ae:4a:d1:1c:63:76:54:a8:40:31:26:7f: ff:3e:e0:bf:95:5c:4a:b4:6f:11:56:ca:c8:11:53: 23:e1:1d:a2:7a:a5:f0:22:d8:b2:fb:43:da:dd:bd: 52:6b:e6:a5:3f:0f:3b:60:b8:74:db:56:08:d9:ee: a0:30:4a:03:21:1e:ee:60:ad:e4:00:7a:6e:6b:32: 1c:28:7e:9c:e8:c3:54:db:63:fd:1f:d1:46:20:9e: ef:80:88:00:5f:25:db:cf:43:46:c6:1f:50:19:7f: 98:23:84:38:88:47:5d:51:8e:11:62:6f:0f:28:77: a7:20:0e:f3:74:27:82:70:a7:96:5b:1b:bb:10:e7: 95:62:f5:37:4b:ba:20:4e:3c:c9:18:b2:cd:4b:58: 70:ab:a2:bc:f6:2f:ed:2f:48:92:be:5a:cc:5c:5e: a8:ea:9d:60:e8:f8:85:7d:c0:0d:2f:6a:08:74:d1: 2f:e8:5e:3d:b7:35:a6:1d:d2:a6:04:99:d3:90:43: 66:35:e1:74:10:a8:97:3b:49:05:51:61:07:c6:08: 01:1c:dc:a8:5f:9e:30:97:a8:18:6c:f9:b1:2c:56: e8:67 Exponent: 65537 (0x10001)扩展基本约束 (Basic Constraints)枚举值CA:TRUE 或 CA:FALSE。判定该证书是否有权签发下级证书。终端实体如你的设备证书必须标记为 CA:FALSE防止其被滥用来伪造其他证书。X509v3 Basic Constraints: CA:FALSE密钥用途 (Key Usage)枚举值Digital Signature(数字签名), Key Encipherment(密钥加密), Key Cert Sign(签发证书), CRL Sign 等。基础权限限制。比如限制了只能用于“数字签名”那么这张证书的公钥就不能被拿去加密数据缩小了私钥泄露后的破坏半径。X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment扩展密钥用途 (Extended Key Usage/EKU)枚举值• 互联网serverAuth(服务器认证), clientAuth(客户端认证), codeSigning(代码签名)• SPDM专用id-DMTF-spdm-responder(响应方认证), id-DMTF-spdm-requester(请求方认证)。行业专属的高级权限定义。正如我们之前讨论的SPDM 协议就是在这里填入专属 OID来区分硬件设备的角色。主体备用名称 (Subject Alternative Name/SAN)枚举值DNS Name(域名), IP Address, Email, Other Name(自定义OID) 等。解决 Subject 字段只能写一个名字的局限。现代证书主要靠 SAN 字段来支持多域名如一张证书同时保护 example.com 和 www.example.com。X509v3 Subject Alternative Name:othername: 1.3.6.1.4.1.412.274.1::ACME:WIDGET:0123456789Authority Key IdentifierSubject Key IdentifierCRL Distribution PointsCertificate PoliciesPolicy MappingsName ConstraintsPolicy ConstraintsInhibit anyPolicy签名算法/含义同上重复出现一次。枚举值与 tbsCertificate 中的签名算法完全一致。冗余设计确保解析程序在处理完所有明文信息后依然明确知道该用什么算法来验证最后的签名值。Signature Algorithm: ecdsa-with-SHA256签名值/含义CA 私钥加密后的哈希摘要。枚举值一串不定长的二进制比特串如 ECDSA 签名通常是两个大整数 R 和 S 的组合。证书的“防伪钢印”。验证者用 CA 的公钥验签这段数据此确认证书的完整性和真实性。Signature Value: 30:45:02:20:1e:5a:a6:ed:5c:b6:2b:f5:9e:22:28:9c:ef:c7: aa:db:1c:87:83:48:c1:50:cb:25:04:ab:c9:6e:7c:f5:6b:01: 02:21:00:da:48:d4:49:a5:65:5c:2c:83:fc:05:00:66:48:98: f8:f0:cb:63:b7:2e:87:db:c8:63:58:6c:21:91:7a:68:95整体示例Certificate:Data:Version:3 (0x2)Serial Number:8 (0x8)Signature Algorithm:ecdsa-with-SHA256Issuer: C CA, ST NC, L city, O ACME, OU ACME Devices, CN CAValidityNot Before: Jan 1 00:00:00 1970 GMTNot After : Dec 31 23:59:59 9999 GMTSubject:C US, ST NC, O ACME Widget Manufacturing, OU ACME Widget Manufacturing Unit, CN w0123456789Subject Public Key Info:Public Key Algorithm: rsaEncryptionRSA Public-Key: (2048 bit)Modulus:00:ba:67:47:72:78:da:28:81:d9:81:9b:db:88:03:e1:10:a4:91:b8:48:ed:6b:70:3c:ec:a2:68:a9:3b:5f:78:fc:ae:4a:d1:1c:63:76:54:a8:40:31:26:7f:ff:3e:e0:bf:95:5c:4a:b4:6f:11:56:ca:c8:11:53:23:e1:1d:a2:7a:a5:f0:22:d8:b2:fb:43:da:dd:bd:52:6b:e6:a5:3f:0f:3b:60:b8:74:db:56:08:d9:ee:a0:30:4a:03:21:1e:ee:60:ad:e4:00:7a:6e:6b:32:1c:28:7e:9c:e8:c3:54:db:63:fd:1f:d1:46:20:9e:ef:80:88:00:5f:25:db:cf:43:46:c6:1f:50:19:7f:98:23:84:38:88:47:5d:51:8e:11:62:6f:0f:28:77:a7:20:0e:f3:74:27:82:70:a7:96:5b:1b:bb:10:e7:95:62:f5:37:4b:ba:20:4e:3c:c9:18:b2:cd:4b:58:70:ab:a2:bc:f6:2f:ed:2f:48:92:be:5a:cc:5c:5e:a8:ea:9d:60:e8:f8:85:7d:c0:0d:2f:6a:08:74:d1:2f:e8:5e:3d:b7:35:a6:1d:d2:a6:04:99:d3:90:43:66:35:e1:74:10:a8:97:3b:49:05:51:61:07:c6:08:01:1c:dc:a8:5f:9e:30:97:a8:18:6c:f9:b1:2c:56:e8:67Exponent: 65537 (0x10001)X509v3 extensions:X509v3 Basic Constraints:CA:FALSEX509v3 Key Usage:Digital Signature, Non Repudiation, Key EnciphermentX509v3 Subject Alternative Name:othername: 1.3.6.1.4.1.412.274.1::ACME:WIDGET:0123456789Signature Algorithm:ecdsa-with-SHA256Signature Value:30:45:02:20:1e:5a:a6:ed:5c:b6:2b:f5:9e:22:28:9c:ef:c7:aa:db:1c:87:83:48:c1:50:cb:25:04:ab:c9:6e:7c:f5:6b:01:02:21:00:da:48:d4:49:a5:65:5c:2c:83:fc:05:00:66:48:98:f8:f0:cb:63:b7:2e:87:db:c8:63:58:6c:21:91:7a:68:95-----BEGIN CERTIFICATE-----MIIC4jCCAoigAwIBAgIBCDAKBggqhkjOPQQDAjBcMQswCQYDVQQGEwJDQTELMAkGA1UECAwCTkMxDTALBgNVBAcMBGNpdHkxDTALBgNVBAoMBEFDTUUxFTATBgNVBAsMDEFDTUUgRGV2aWNlczELMAkGA1UEAwwCQ0EwIBcNNzAwMTAxMDAwMDAwWhgPOTk5OTEyMzEyMzU5NTlaMH0xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEiMCAGA1UECgwZQUNNRSBXaWRnZXQgTWFudWZhY3R1cmluZzEnMCUGA1UECwweQUNNRSBXaWRnZXQgTWFudWZhY3R1cmluZyBVbml0MRQwEgYDVQQDDAt3MDEyMzQ1Njc4OTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALpnR3J42iiB2YGb24gD4RCkkbhI7WtwPOyiaKk7X3j8rkrRHGN2VKhAMSZ//z7gv5VcSrRvEVbKyBFTIEdonql8CLYsvtD2t29UmvmpT8PO2C4dNtWCNnuoDBKAyEe7mCt5AB6bmsyHChnOjDVNtj/R/RRiCe74CIAF8l289DRsYfUBl/mCOEOIhHXVGOEWJvDyh3pyAO83QngnCnllsbuxDnlWL1N0u6IE48yRiyzUtYcKuivPYv7S9Ikr5azFxeqOqdYOj4hX3ADS9qCHTRLhePbc1ph3SpgSZ05BDZjXhdBColztJBVFhB8YIARzcqFeMJeoGGz5sSxW6GcCAwEAAaNNMEswCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwMQYDVR0RBCowKKAmBgorBgEEAYMcghIBoBgMFkFDTUU6V0lER0VUOjAxMjM0NTY3ODkwCgYIKoZIzj0EAwIDSAAwRQIgHlqm7Vy2K/WeIiic78eq2xyHg0jBUMslBKvJbnz1awECIQDaSNRJpWVcLIP8BQBmSJj48Mtjty6H28hjWGwhkXpolQ-----END CERTIFICATE-----