Contents

Preface

Main text

1. Certificate types

2. Certificate differences

2.1 Differences between OV, DV and EV certificates

2.2 How to distinguish OV and DV certificates?

2.3 How to distinguish EV and OV certificates?

3. Market research

3.1 Selecting a Certificate Type

3.2 Common Certificate Types

In closing

Preface

If you develop PC clients, have you ever run into the following problem when installing your package on Windows 10:

I have. It's a long story. Starting from zero, I built the PC client for Windows and Mac in a little over a month. Along the way I ran into far too many system compatibility problems, especially on Windows. The one in the picture above in particular troubled me for a long time. The root cause is that Windows has certain requirements for the digital signature certificate of a client application. Today, we'll look at which digital signing certificates are available for PC clients and how they differ.

Main text

This article works backwards from that problem to answer the question. There are four types of digital signature certificates commonly used in the market: custom certificates, DV certificates, OV certificates and EV certificates. Next, let's look in detail at their characteristics and differences.

1. Certificate types

DV certificate: a domain validation certificate. It is issued once ownership of the domain name has been verified. This type of certificate suits individuals and small and micro enterprises: the price is low and the application is fast. However, enterprise information cannot be displayed in the certificate, resulting in poor security. If deployed on a website, the browser displays a padlock icon.

OV certificate: an organization validation certificate. Issuance requires verifying both ownership of the domain name and the real identity of the enterprise. At present, the OV certificate is the most widely used and most compatible certificate type in the world. It suits medium-sized enterprises and Internet business applications. If deployed on a website, the browser displays a padlock icon that can be clicked to view the enterprise information. It supports the high-security ECC encryption algorithm, which improves data security and encryption performance.

EV certificate: an extended validation certificate. Its verification is the most stringent of all the types. On top of the OV checks, additional enterprise-related information is verified, such as the bank account license. EV certificates are mostly used in banking, finance, securities, payment and other industries with high security standards. If deployed on a website, the browser can show the distinctive green EV address bar, which maximizes the credibility of the site. It supports the high-security ECC encryption algorithm, which improves data security and encryption performance.

Custom certificate: as the name implies, a digital certificate you define yourself through a proprietary protocol; it has the lowest trust level. It is still worth studying if you want to run your own experiments. Windows Kits includes a tool, MakeCert.exe, that can create custom signing certificates. Instructions are easy to find online, and the application is then signed with SignTool.exe.

2. Certificate differences

2.1 Differences between OV, DV and EV certificates

In order for you to clearly distinguish the difference between DV, OV and EV certificates, here is a comparison table:

2.2 How to distinguish OV and DV certificates?

The Subject information of an OV certificate and a DV certificate is compared in the following figure:

As the comparison shows, the OV certificate displays the domain name plus the organization name and similar information in the Subject of the certificate, while the DV certificate displays only the domain name in the Subject.

2.3 How to distinguish EV and OV certificates?

The Subject information of an EV certificate and a DV certificate is compared in the following figure:

From the comparison, we can see that the Subject field of an EV certificate contains much more information than that of an OV certificate. The most obvious difference is that the serial number and other information are displayed; these fields are unique to EV certificates and do not appear in other types. This is the first way to distinguish EV from OV certificates. The second way is to look at the Issuer field: an EV certificate will usually carry an EV mark there, but not all EV certificates have it, so this method serves only as an aid.

When the certificate is deployed on a website, the browser "trusts" an EV certificate more: when the browser visits a site with an EV certificate, it can display the company name in the address bar and turn the address bar green. This is the third way to tell them apart. For the specific differences in appearance, refer to the following figure:
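The Subject and Issuer checks from sections 2.2 and 2.3, written out as an added Python example (it is not part of the original article). It applies the article's rules only; the attribute spellings in ORG_KEYS and SERIAL_KEYS and all sample strings are assumptions constructed for illustration.

```python
import re

# Attribute names as certificate viewers commonly render them (assumed spellings).
ORG_KEYS = {"O", "2.5.4.10", "OID.2.5.4.10"}
SERIAL_KEYS = {"SERIALNUMBER", "2.5.4.5", "OID.2.5.4.5"}

# One DN component: escaped characters, quoted strings, or anything but a comma.
_COMPONENT = re.compile(r'(?:\\.|"[^"]*"|[^,"\\])+')


def parse_dn(dn):
    """Parse 'CN=a, O="b, Inc.", C=US' into {'CN': 'a', 'O': 'b, Inc.', 'C': 'US'}."""
    fields = {}
    for part in _COMPONENT.findall(dn):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key.strip().upper()] = value.strip().strip('"')
    return fields


def classify(subject, issuer=""):
    """Return (level, issuer_has_ev_mark) from Subject and Issuer strings."""
    fields = parse_dn(subject)
    has_org = any(fields.get(k) for k in ORG_KEYS)
    has_serial = any(fields.get(k) for k in SERIAL_KEYS)
    # The Issuer mark is only a supporting hint: not every EV issuer carries it.
    ev_mark = bool(re.search(r"\bEV\b", issuer)) or "extended validation" in issuer.lower()
    if has_serial:
        level = "EV"   # serial number in Subject: the EV-only field per the text
    elif has_org:
        level = "OV"   # domain name plus organization name
    else:
        level = "DV"   # domain name only
    return level, ev_mark


# Constructed sample values, not taken from any real certificate.
DV_SUBJECT = "CN=www.example.test"
OV_SUBJECT = 'CN=www.example.test, O="Example Software, Inc.", L=Springfield, C=US'
EV_SUBJECT = ("CN=Example Software Inc., O=Example Software Inc., "
              "SERIALNUMBER=0000000, OID.2.5.4.15=Private Organization, C=US")
EV_ISSUER = "CN=Example EV Code Signing CA, O=Example CA, C=US"

if __name__ == "__main__":
    for subject, issuer in [(DV_SUBJECT, ""), (OV_SUBJECT, ""), (EV_SUBJECT, EV_ISSUER)]:
        print(classify(subject, issuer), subject)
```
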

3. Market research

3.1 Selecting a Certificate Type

With the popularity of the Internet and the growing number of Internet attacks, more and more enterprises are beginning to realize the importance of HTTPS encryption. Whether an enterprise wants to upgrade its website from HTTP to HTTPS or build a client that the system trusts more, choosing a reliable SSL certificate is a necessary prerequisite. However, the wide variety of SSL certificates on the market often leaves us unsure which to choose. For newcomers to the field who do not know how to choose, a good first step is to look at which certificates other applications on the market are using, and then make the best choice based on the size and type of business of the enterprise itself.

3.2 Common Certificate Types

Next, let's look at which certificates a few common applications use.

1. Tencent Conference: the OV certificate is used.

2. Zoom: the EV certificate is used.

3. DingTalk: the EV certificate is used.

4. Cloud Classroom: the OV certificate is used.

It should be said that Tencent Conference using an OV certificate is something I did not expect, and this practice is worthy of praise. Of course, there are other applications that I won't list here, but a lot of applications use EV certificates.

So here is the question: our PC client is signed with an OV certificate and was blocked by Windows 10, so why are other companies' clients, which also use OV certificates, not blocked?

In theory, neither OV nor EV certificates are blocked by Windows 10, but for OV certificates this is conditional: it depends on a certain number of installations, and the specific number has not been officially disclosed. This explains why our client was blocked: it was brand new, had virtually no downloads and therefore no established reputation. (However, we can find an agency to inflate the reputation, just as Taobao shops inflate their ratings.)

In fact, we can also understand why Microsoft does this. After all, with a new application, no one knows whether it is a Trojan carrying an OV certificate.

EV certificates, however, have this privilege and carry reputation from the start. Therefore, if you do not want a new client to be blocked by Windows 10, you can go straight to an EV certificate.

At this point, one might ask: why do EV certificates carry reputation from the start? Is there no risk of a Trojan?

In fact, the reputation value is a kind of security assurance level. The application process for an EV certificate is very strict and the required materials are very sensitive, including company qualifications, legal representative, address, bank account and other information. The cost is also very high: the price is usually two to three times that of an OV certificate.

In the end, we found two solutions to this blocking problem:

1. Sign the client with the OV certificate and find a third party to inflate the installation count.

Advantages: the signing certificate is cheap.

Disadvantages: inflating the count also costs money, and there is no way to know when it will be completed.

2. Purchase an EV certificate directly.

Advantages: it works immediately, saving time and effort.

Disadvantages: higher cost.

After a group discussion, we decided on the latter, because there was no time to waste.

In closing

Reviewing the whole certificate selection process, the conclusions are as follows: DV certificates have almost been eliminated by the market, and custom certificates are not recommended. OV and EV certificates are the most widely used in the market. If you provide services to the public, have user account login, have multiple application requirements, and need to deploy multiple domain names, consider purchasing OV certificates so that users can quickly verify the authenticity of your websites and you can enable SSL across your whole network. If you need to carry out online transactions with high-value data confidentiality requirements (such as video conferencing involving trade secrets), consider purchasing EV certificates to provide the highest security.
