
Passing the client certificate over HTTP

We have a use case where we need to pass the client certificate and key over HTTP. And this has to be achieved in a single HTTP request. Meaning, the client will send an HTTP GET and in the HTTP response we need to send the client certificate and keys.

I tried making the tests below:

  1. I generated a PEM file containing the client key and cert and set the content type of the HTTP response as "application/x-pem-file". [Result]: Mozilla and Chrome are not understanding the MIME type and it's asking to save.

  2. If I use the MIME type "application/x-x509-user-cert", Mozilla is interpreting the MIME type but throwing an error.

I am not sure how we can achieve this (passing client certs and keys to the browser over HTTP). Kindly help us.

Thanks, Pradeep

First you need to determine which key you want to send. Private keys are almost never transmitted this way - that's a big security flaw. And if you send only the public key - this one is already contained in the certificate.

Now, the canonical format for a certificate is binary DER encoding. PEM and anything equally non-standard doesn't have a single chance to be recognized by the browser. I.e., what you can send and hope that it will be handled by the browser is the binary DER certificate itself.
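The following is an added example, not part of the original question or answer: a server-side guard that refuses to serve a PEM bundle containing a private key and decodes the first certificate block to binary DER, paired with the MIME type quoted in the question. The function names and sample data are assumptions made for illustration; the sample "certificate" is a constructed five-byte DER SEQUENCE, not a real certificate.

```python
import base64
import re

# One RFC 7468 textual block: BEGIN label, base64 body, END with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

class PrivateKeyInResponse(Exception):
    """Raised when the bundle about to be served contains private key material."""

def der_length_ok(der: bytes) -> bool:
    """True if the blob is one DER SEQUENCE whose length field covers it exactly."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def certificate_response(pem_bundle: str):
    """Return (content_type, der_bytes) for the first certificate in the bundle."""
    blocks = PEM_BLOCK.findall(pem_bundle)
    # Covers PRIVATE KEY, RSA/EC PRIVATE KEY, ENCRYPTED PRIVATE KEY, and similar labels.
    if any(label.endswith("PRIVATE KEY") for label, _ in blocks):
        raise PrivateKeyInResponse("refusing to serve a bundle with a private key")
    for label, body in blocks:
        if label == "CERTIFICATE":
            der = base64.b64decode("".join(body.split()), validate=True)
            if not der_length_ok(der):
                raise ValueError("CERTIFICATE block is not a well-formed DER SEQUENCE")
            return "application/x-x509-user-cert", der  # MIME type from the question
    raise ValueError("no CERTIFICATE block found")

# Constructed sample data: a tiny DER SEQUENCE standing in for a certificate.
FAKE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(FAKE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)
SAMPLE_WITH_KEY = SAMPLE_CERT_PEM + (
    "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
)
```

The length check only confirms the outer DER framing; it does not validate the certificate's contents or signature.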
