简体繁体 English

我可以在没有自定义域的情况下在 Azure 应用服务上使用客户端证书吗？

[英]Can I use Client Certificates on Azure App Services without a custom domain?

原文 2018-11-29 11:12:34 4 2 azure/ azure-web-app-service/ client-certificates

For testing purposes I would like to enable the 'Incoming Client Certificates' option in my Azure App Service (running a WCF webservice), and see if my Client application can still connect to the webservice.出于测试目的，我想在我的 Azure 应用服务（运行 WCF 网络服务）中启用“传入客户端证书”选项，并查看我的客户端应用程序是否仍然可以连接到网络服务。 Since I am still in a testing phase, my app service still has the .azurewebsites.net domain name.由于我仍处于测试阶段，我的应用服务仍然具有 .azurewebsites.net 域名。

However, I can't seem to figure out how to get a proper client certificate that the server will accept (without switching to a custom domain name, which I know will work).但是，我似乎无法弄清楚如何获得服务器将接受的正确客户端证书（无需切换到自定义域名，我知道这将起作用）。

Currently, I see 2 possible routes to a solution:目前，我看到了 2 条可能的解决方案途径：

Somehow get my hands on .cer that is signed by a CA trusted by the App Service server.不知何故，我得到了由应用服务服务器信任的 CA 签名的 .cer。
Generate a self-signed .pfx and .cer with my own self-signed CA.使用我自己的自签名 CA 生成自签名 .pfx 和 .cer。 Import the pfx on the App Service and install the .cer on the client.在应用服务上导入 pfx 并在客户端上安装 .cer。

Both directions have not yielded any success so far.到目前为止，这两个方向都没有取得任何成功。 Does anyone have any experience with this?有人对这个有经验么？

2 个解决方案

Per my understanding, the client certificate is used by client systems to make authenticated requests to a remote server.据我了解，客户端系统使用客户端证书向远程服务器发出经过身份验证的请求。 In this case, your webservice is the remote server in a C/S mode.在这种情况下，您的 Web 服务是 C/S 模式下的远程服务器。 As you point out, "validating this certificate is the responsibility of the web app. So this means that any certificate will be valid as long as you don't validate anything".正如您所指出的，“验证此证书是 Web 应用程序的责任。因此，这意味着只要您不验证任何内容，任何证书都将有效”。 It does not effect on whether you have a custom domain or not in your web app service.它不会影响您的 Web 应用服务中是否有自定义域。

If you want to use client cert authentication with Azure app, you can refer to How To Configure TLS Mutual Authentication for Web App.如果要在 Azure 应用中使用客户端证书身份验证，可以参考如何为 Web 应用配置 TLS 相互身份验证。

If the server has requested client certificate in its server hello and the client cert has signing capability, then it is expected to send the CertificateVerify message to the server.如果服务器在其服务器问候中请求了客户端证书并且客户端证书具有签名能力，那么它应该向服务器发送 CertificateVerify 消息。 It contains signed hash of all messages from Client Hello till that point which are buffered on the server side.它包含从客户端 Hello 到该点的所有消息的签名哈希，这些消息在服务器端缓冲。 The server TLS layer will decrypt this using the client public key (which is in the Client certificate received earlier) and compare with its calculated hash.服务器 TLS 层将使用客户端公钥（在之前收到的客户端证书中）对此进行解密，并与其计算的哈希值进行比较。 It will call back to application layer if this fails.如果失败，它将回调应用层。

The application needs to handle it at that point and return its own error or continue with the session.应用程序需要在此时处理它并返回它自己的错误或继续会话。 https://www.rfc-editor.org/rfc/rfc5246#section-7.4.8 https://www.rfc-editor.org/rfc/rfc5246#section-7.4.8

One example of this with Wolfssl library is https://github.com/wolfSSL/wolfssl/blob/14ef517b6113033c5fc7506a9da100e5e341bfd4/wrapper/CSharp/wolfSSL-Example-IOCallbacks/wolfSSL-Example-IOCallbacks.cs#L145 Wolfssl 库的一个例子是https://github.com/wolfSSL/wolfssl/blob/14ef517b6113033c5fc7506a9da100e5e341bfd4/wrapper/CSharp/wolfSSL-Example-IOCallbacks/wolfSSL-Example-IOCallbacks.cs#L145

Do we have to create a client certificate in azure portal and send it to the clients that access this site or how does that work?我们是否必须在 azure 门户中创建客户端证书并将其发送给访问此站点的客户端，或者它是如何工作的？ Just enabling the TLS\/ssl SETTINGS to on would it help?仅启用 TLS\/ssl SETTINGS 会有所帮助吗？