
Setting up client side certificate for mutual authentication

I am trying to set up 2-way SSL mutual authentication for my web application. I currently haven't set up my client and am testing my web service through my browser.

I created a client certificate using the keychain tool on my Mac and imported the certificate.p12 file in Firefox. I also have a certificate.cert file. From my understanding I need to add this cert file to my server's truststore.

For that I need to use the following command:

keytool -import -trustcacerts -alias <hostname of DP> -file <your file.crt> -keystore <truststorefile>

However, what do I add as the hostname of my system? What will the browser show as the hostname to my webserver?

First, if you have client cert(s) issued by either a well-known CA (like Verisign, GoDaddy, etc.) or a locally-trusted one (like your employer), you don't have to do anything. The client will simply present the cert with a chain that leads to the already-trusted CA.

If you have issued client certs from your own CA, you should add the CA (root) cert only to the server truststore. Then all client certs issued by that CA will be validated without further effort. If you make the CA cert long-lived, as is the usual practice, you can even renew and/or replace client certs with no effort on the server. And you can automatically revoke them if you set up CRL distribution and/or OCSP, although DIY CAs don't always want to go to that effort.

If you have created a self-signed client cert, then and only then do you need to add that specific cert to the server truststore. Although SSL/TLS server certs must be identified by the hostname(s) of the server, client certs are not required to be, and CA certs (which are the certs usually in your truststore by default) never have a hostname as the Subject (although some extensions usually contain URLs that contain hostnames). Codesigning certs also don't need to use a hostname.

The alias of a cert entry in a Java truststore does not need to be the hostname; it only needs to be unique, although it should be mnemonic of the subject of the cert. If for example your client certs are for users named Alice and Bob (or more likely their PCs or whatever devices), you can just use alice and bob as the aliases.
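The three situations the answer distinguishes, worked through as an added Go example (this is not code from the question or the answer, and it does not use Java's keytool). It builds a throwaway CA, a CA-issued client cert for "alice" and a self-signed one for "bob", then runs in-process mutual-TLS handshakes against a server that requires a client certificate. The server's x509.CertPool stands in for the Java truststore file that the keytool command in the question writes; the CA name, the user names and the alias "internal-ca" are constructed for the demo. Note that neither client cert carries a hostname, and that the pool is keyed by certificate content only: keytool's -alias is nothing more than the label an entry is stored under.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must unwraps the setup calls below; a failure there is a bug in the demo, so it just panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a throwaway cert for cn, self-signed when parent is nil; only the server cert gets a hostname (DNS SAN).
func issue(cn string, isCA bool, dns []string, parent *x509.Certificate, parentKey any) (*x509.Certificate, tls.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		DNSNames:              dns,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // a root that is allowed to sign client certs
	}
	if parent == nil { // self-signed: the certificate is its own issuer
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// handshake runs one mutual-TLS handshake over loopback; the returned error is the server's
// verdict on the client certificate (nil means it was accepted).
func handshake(truststore *x509.CertPool, server, client tls.Certificate) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		conn := tls.Server(must(ln.Accept()), &tls.Config{
			Certificates: []tls.Certificate{server},
			ClientAuth:   tls.RequireAndVerifyClientCert, // like a container configured to require client auth
			ClientCAs:    truststore,
		})
		verdict <- conn.Handshake()
		conn.Close()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates:       []tls.Certificate{client},
		InsecureSkipVerify: true, // how the client checks the server is not the point of this demo
	})
	if err != nil {
		return err
	}
	defer conn.Close()
	return <-verdict
}

type Outcome struct {
	CAIssuedAccepted   bool // truststore holds only the CA root; client cert issued by that CA
	SelfSignedRejected bool // same truststore; a self-signed client cert it does not contain
	SelfSignedAccepted bool // that specific self-signed cert added to the truststore
}

func RunScenarios() Outcome {
	caCert, ca := issue("Example Internal CA", true, nil, nil, nil)
	_, server := issue("webserver", false, []string{"localhost"}, caCert, ca.PrivateKey)
	_, alice := issue("alice", false, nil, caCert, ca.PrivateKey) // CA-issued; no hostname anywhere
	bobCert, bob := issue("bob", false, nil, nil, nil)             // self-signed, like a keychain-made cert
	truststore := x509.NewCertPool() // keytool -import -trustcacerts -alias internal-ca: the alias is just a label
	truststore.AddCert(caCert)
	out := Outcome{
		CAIssuedAccepted:   handshake(truststore, server, alice) == nil,
		SelfSignedRejected: handshake(truststore, server, bob) != nil,
	}
	truststore.AddCert(bobCert) // keytool -import -alias bob -file bob.crt
	out.SelfSignedAccepted = handshake(truststore, server, bob) == nil
	return out
}

func main() {
	fmt.Printf("%+v\n", RunScenarios())
}
```

Running it prints the three outcomes, all true: alice is accepted with only the CA root trusted, bob is refused until his own cert is added, and nothing in either decision depended on a hostname. The rejection of bob happens before verification even starts, because the server's CertificateRequest lists the trusted issuers and Go's client finds no cert signed by any of them, which is the same reason a browser offers no certificate when the issuer is not in the server's truststore.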
