The digital server certificate is issued by one of a small handful of companies worldwide (each company is a known certification authority, abbreviated CA).
These companies verify that the person to whom they are issuing the digital server certificate really is who he claims to be, rather than, say, Dr. Evil.
These companies then sign your server certificate using their own certificate.
Theirs has been, in turn, signed by another, and so on.
This series of certificates is known as a certificate chain.
At the end of the chain, there is one master certificate, kept in a very secure location.
The certificate chain is designed based on the “chain of trust” concept; for the process to work, everybody along the chain has to be trustworthy.
Additionally, the technology has to be able to distinguish between the real holder of a real certificate, a false holder of a real certificate (stolen credentials), and the holder of a falsified certificate.
If a certificate is valid but cannot be supported by a chain of trust, it is treated as homemade, or self-signed.
Self-signed certificates are adequate for encryption but not suitable for authentication. Consumers will often not trust them for e-commerce because of the warnings from the web browser.
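
The chain-of-trust check described above, as an added example that is not part of the original page: it builds a constructed root, intermediate and server certificate with the `openssl` command-line tool, then shows that the CA-issued certificate verifies against the root while a self-signed one for the same name does not. All names and file paths are assumptions, and the key-match test is a simplified stand-in for the proof of possession a real TLS handshake performs.

```shell
#!/bin/sh
# Added example: every name, key and certificate here is constructed for the demo.

new_key_csr() {   # $1 = path prefix, $2 = common name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_chain() {   # $1 = empty working directory
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  # Master (root) certificate: signs itself and acts as the trust anchor.
  new_key_csr "$d/root" "Example Root CA"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA certificate, signed by the root.
  new_key_csr "$d/int" "Example Intermediate CA"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  # Server certificate, signed by the intermediate CA.
  new_key_csr "$d/leaf" "www.example.test"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
  # Homemade certificate for the same name, signed only by its own key.
  new_key_csr "$d/self" "www.example.test"
  openssl x509 -req -in "$d/self.csr" -signkey "$d/self.key" -days 1 \
    -out "$d/self.pem" 2>/dev/null
}

chain_status() {  # $1 = directory, $2 = certificate to check against the root
  if openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$2" \
       >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

holds_key() {     # $1 = certificate, $2 = private key presented by the holder
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
    "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

work=$(mktemp -d)
build_chain "$work"
echo "CA-issued:   $(chain_status "$work" "$work/leaf.pem")"
echo "self-signed: $(chain_status "$work" "$work/self.pem")"
holds_key "$work/leaf.pem" "$work/leaf.key" && echo "holder has the matching key"
holds_key "$work/leaf.pem" "$work/self.key" || echo "copied certificate, wrong key"
rm -rf "$work"
```

The self-signed certificate still carries a usable public key, so it can encrypt traffic; what it lacks is a signature path to the trusted root, which is why it fails verification.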



