
Is it possible to automatically select the correct client side certificate?

I have configured an Apache httpd website with SSL client side certificates so that only users who have installed the correct certificate in their web browsers can access the website.

If there is only one client side certificate installed, the web browser will automatically select it (it is not the default, but it can be configured somewhere in the settings dialog). But if a user has more than one certificate installed, the web browser presents a list of certificates and the user has to pick the right one to continue.

The question is: Is there a way to configure httpd to send a hint so that the web browser can automatically select the required certificate?

The SSL (TLS) protocol only allows the server to specify two constraints on the client certificate:

  1. The type of certificate (RSA, DSA, etc.)
  2. The trusted certificate authorities (CAs) that signed the client certificate

You can use "openssl s_client" to see which CAs your Apache server trusts for client certs. I do not know how to configure Apache to change that list (sorry), but I bet there is a way. So if you can limit the list to (say) your own organization's CA alone, then you will have done all you can to allow a Web browser to select the client cert automatically.

As Eugene said, whether the browser actually does so is up to the particular browser.

I'd say that, as selection of the certificate is a client-side task, there's no definite way to force the client to use this or that certificate from the server side.

In addition to what @Nemo and @Eugene said, by default, Apache Httpd will send the list of CAs it gets from its SSLCACertificateFile or SSLCACertificatePath configuration directives.

However, you can force it to send a different list in certificate_authorities using the SSLCADNRequestFile or SSLCADNRequestPath directives and pointing them to another set of certificates. Only the Subject DN of these certificates is used (and sent in the list). If you want to force certain names, you can even self-sign these certificates with whichever name you want. I've tried this (in conjunction with SSLVerifyClient optional_no_ca), and you can get clients to send certificates for CA certificates that the server doesn't actually have. (This isn't necessarily useful, but it works.)
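The following script is an added example, not code from the question or any of the answers. It ties together the two practical points above: Nemo's suggestion to inspect the advertised CA list with `openssl s_client`, and Bruno's point that `SSLCADNRequestFile` lets you pin that list independently of the bundle httpd actually verifies against. It renders the relevant vhost directives (the directive names are Apache's own; the file paths are placeholders) and parses the "Acceptable client certificate CA names" block that `s_client` prints, so you can confirm after a restart that exactly one CA subject is advertised. The sample `s_client` output embedded below is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the question or answers above). Two checks a
# practitioner wants around the certificate_authorities list that Apache sends:
#  1. render the vhost directives that pin that list to one CA, and
#  2. parse `openssl s_client` output after restarting httpd to confirm that
#     exactly the intended CA subject is advertised.
# File paths and the sample s_client output are constructed for illustration.

# Print an httpd vhost fragment that verifies clients against $1 (the real
# trust bundle) but advertises only the subject names found in $2.
# Directive names are Apache's own; both paths are placeholders.
vhost_fragment() {
    cat <<EOF
SSLVerifyClient require
SSLCACertificateFile $1
SSLCADNRequestFile $2
EOF
}

# Extract the advertised CA subject names from `openssl s_client` output on stdin.
# The list starts after the "Acceptable client certificate CA names" banner and
# ends at the next s_client field or the "---" separator.
acceptable_cas() {
    awk '
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        /^No client certificate CA names sent/    { exit }
        in_list && (/^Client Certificate Types/ || /^Requested Signature Algorithms/ || /^---/) { exit }
        in_list { print }
    '
}

# Number of advertised CA names (0 when the server sent none).
acceptable_ca_count() {
    acceptable_cas | awk 'NF { n++ } END { print n + 0 }'
}

# Succeed only when exactly one CA is advertised and it is the expected subject.
# Pass the DN exactly as your OpenSSL version prints it (1.0.x uses the
# "/C=US/O=..." form, 1.1.1 and 3.x the "C = US, O = ..." form).
check_single_ca() {
    expected="$1"
    list=$(acceptable_cas)
    count=$(printf '%s\n' "$list" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -eq 1 ] && [ "$list" = "$expected" ]; then
        return 0
    fi
    return 1
}

# Constructed, abridged s_client output for a server that advertises one CA.
SAMPLE_ONE_CA='---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example Corp Client CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256
---'

# Constructed output for a server that advertises a broad list; with several
# matching client certs installed, browsers fall back to prompting the user.
SAMPLE_MANY_CAS='---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example Corp Client CA
C = US, O = Some Public CA, CN = Some Public Root CA
C = GB, O = Another CA Ltd, CN = Another Root
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---'

# Stand-alone demo. Against a live server, replace the sample with:
#   openssl s_client -connect www.example.com:443 </dev/null 2>/dev/null
if [ "${1:-}" = "demo" ]; then
    vhost_fragment /etc/ssl/certs/client-trust.pem /etc/ssl/certs/advertised-ca.pem
    printf '%s\n' "$SAMPLE_MANY_CAS" | acceptable_cas
fi
```

Run it as `sh check-client-ca.sh demo` to see the rendered fragment and the parsed list. Note that the check only establishes what the server advertises; as Eugene's answer says, whether a given browser acts on a single-CA hint without prompting remains the browser's decision.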
