[英]Cannot use self issued client certificate
I want to be able to create a test client certificate signed by a test CA and establish a SSL connection and identify the client using this certificate using IIS7 and Firefox on Windows 7, all locally on a development machine. 我希望能够创建由测试CA签名的测试客户端证书,并建立SSL连接,并在Windows 7上使用IIS7和Firefox在所有本地开发计算机上使用此证书来标识客户端。 I am deploying my MVC application from VS2010.
我正在从VS2010部署我的MVC应用程序。 So far I have done the following:
到目前为止,我已经执行了以下操作:
Created the CA using: 使用以下方法创建了CA:
makecert -n "CN=mydomain" -r -pe -sv DevCA.pvk DevCA.cer -sr LocalMachine -a sha1 -sky signature -cy authority makecert -n“ CN = mydomain” -r -pe -sv DevCA.pvk DevCA.cer -sr LocalMachine -a sha1 -sky签名-cy权威
Create a client certificate signed by DevCA: 创建由DevCA签名的客户端证书:
makecert -sv testclient.pvk -iv DevCA.pvk -pe -a sha1 -sky Exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -n "CN=mydomain" -ic DevCA.cer testclient.cer -ss My -sr LocalMachine makecert -sv testclient.pvk -iv DevCA.pvk -pe -a sha1 -sky Exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -n“ CN = mydomain” -ic DevCA .cer testclient.cer -ss My -sr LocalMachine
Create PFX files of the two certificate: 创建两个证书的PFX文件:
pvk2pfx.exe -pvk testclient.pvk -spc testclient.cer -pfx testclient.pfx pvk2pfx.exe -pvk testclient.pvk -spc testclient.cer -pfx testclient.pfx
pvk2pfx.exe -pvk DevCA.pvk -spc DevCA.cer -pfx DevCA.pfx pvk2pfx.exe -pvk DevCA.pvk -spc DevCA.cer -pfx DevCA.pfx
Use certmgr to import DevCA to trusted root certificates 使用certmgr将DevCA导入到受信任的根证书
In IIS manager: 在IIS管理器中:
a) Added testclient.pfx to 'Server Certificates' a)将testclient.pfx添加到“服务器证书”
b) In my site, set SSL Settings to accept SSL b)在我的网站上,将SSL设置设置为接受SSL
c) Set HTTPS bingings to use testclient certificate c)设置HTTPS binging以使用testclient证书
In Firefox I then add DevCA to Authorities tab and testclient to 'Your Certificates', in IE I import CA and client certificates using certmgr. 然后,在Firefox中,我将DevCA添加到“权限”选项卡中,并将testclient添加到“您的证书”中,在IE中,我使用certmgr导入CA和客户端证书。
When I navigate to my application in Firefox using HTTPS I get: 当我使用HTTPS导航到Firefox中的应用程序时,我得到:
"Connection is untrusted" “连接不受信任”
In IE I get: 在IE中,我得到:
"HTTP Error 403.16 - Forbidden, Your client certificate is either not trusted or is invalid." “ HTTP错误403.16-禁止,您的客户端证书不可信或无效。”
If I then add an exception I can establish an SSL connection but within my application I cannot get details of the client certificate using: 如果再添加一个例外,则可以建立SSL连接,但是在我的应用程序中,无法使用以下方式获取客户端证书的详细信息:
HttpClientCertificate cert = this.Request.ClientCertificate;
if (cert.IsPresent)
etc..
Not sure what I'm doing wrong here. 不知道我在做什么错。 Any ideas?
有任何想法吗?
To use client certificate authentication you need both: 要使用客户端证书身份验证,您同时需要:
Server certificate provides secure SSL connection. 服务器证书提供安全的SSL连接。 To make server trusted to browsers you've added DevCA (that was used to sign testclient certificate for your server).
为了使服务器对浏览器信任,您添加了DevCA(用于签署服务器的testclient证书)。 If you configure your IIS to ignore client certificates then you've got ordinary secure communication scenario - connection is secured, but client isn't authenticated (no prompt for user certificate in browser).
如果将IIS配置为忽略客户端证书,那么您会遇到普通的安全通信情况-连接是安全的,但是客户端未通过身份验证(浏览器中不提示输入用户证书)。
Next step - ensure setting your IIS to accept client certificates. 下一步-确保将IIS设置为接受客户端证书。 Browser will prompt user to choose certificate if it's available but will allow user to cancel request of certificate and continue browsing - that is your case.
浏览器将提示用户选择证书(如果可用),但将允许用户取消证书请求并继续浏览-这就是您的情况。
Request.ClientCertificate
is empty. Request.ClientCertificate
为空。
To authenticate client (user) with certificate you should issue a separate certificate (one certificate per user). 要使用证书对客户端(用户)进行身份验证,您应该颁发单独的证书 (每个用户一个证书)。 You can use same DevCA to sign new client certificate ( see this article ).
您可以使用相同的DevCA来签署新的客户端证书( 请参阅本文 )。
makecert -sk MyKeyName1 -iv DevCA.pvk -n "CN=Client1AuthCert" -ic DevCA.cer -sr currentuser -ss my -sky signature -pe
User installs that certificate on his/her computer to Personal Certification Store and also installs Issuer Cert (DevCA) to trusted root certificate authorities. 用户将其证书安装在他/她的计算机上到个人证书存储,也将颁发者证书(DevCA)安装到受信任的根证书颁发机构。 When user opens browser with your web app, certificate prompt will be shown:
当用户使用您的Web应用打开浏览器时,将显示证书提示:
When user chooses certificate, it will be available in Request.ClientCertificate
property on a server. 当用户选择证书时,它将在服务器上的
Request.ClientCertificate
属性中可用。 User certificate is used as a credential in this case (instead of user/password, etc). 在这种情况下,将用户证书用作凭据(而不是用户/密码等)。
If you don't want user access your web app without having client certificate at all, you can set SSL settings to require client certificate. 如果您不希望用户完全没有客户端证书就访问您的Web应用程序,则可以将SSL设置设置为要求客户端证书。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.