简体繁体 English

使用X509Certificate2在https中进行客户端证书认证

[英]client certificate authentication in https using X509Certificate2

原文 2012-10-23 15:07:02 4 3 c#/ asp.net/ security/ authentication/ ssl

I am trying to understand how does client authentication work in https scenario and how to use it to provide a basic authentication/authorization capability. 我试图了解客户端身份验证在https场景中如何工作以及如何使用它提供基本的身份验证/授权功能。

Let's say I want to have a mapping between a certificate and a user (eg. IPrincipal). 假设我想在证书和用户（例如IPrincipal）之间建立映射。 My server issues certs and distributes them to the clients. 我的服务器颁发证书并将其分发给客户端。 When client connects I ask for certificate and if a valid certificate has been provided I authenticate the user based on the mapping defined earlier. 当客户端连接时，我要求提供证书，并且是否提供了有效的证书，因此我会根据之前定义的映射对用户进行身份验证。

What should I use to create the mapping? 我应该使用什么来创建映射？ Is cert thumbprint a good candidate? 证书指纹是不错的候选人吗？ Is it enough to determine client identity? 确定客户身份是否足够？

Or maybe I don't need the mapping at all and can simply accept all certs issued by my server ? 或者，也许我根本不需要映射，只需接受服务器发布的所有证书？

Edit: Let me rephrase it - assuming that I can issue client certificates, how do I verify clients identity during https session? 编辑：让我重新措辞-假设我可以颁发客户端证书，如何在https会话期间验证客户端身份？

3 个解决方案

A lot of what your asking depends greatly on what your existing cert infrastructure looks like. 您的要求很大程度上取决于您现有的证书基础架构的外观。 For security reasons I would highly suggest identifying the specific user via a mapping. 出于安全原因，我强烈建议您通过映射识别特定用户。 If you've gone as far as to distribute certs for user auth, theres probably something worth securing. 如果您已尽力分发用于用户身份验证的证书，则可能值得保护。 Any authorization or auditing you need should be per user. 您需要的任何授权或审核应针对每个用户。 The best way is to use the cert CN (common name). 最好的方法是使用cert CN（通用名称）。 The thumbprint will identify as specific cert, but what happens when the cert expires? 指纹将标识为特定证书，但是证书过期时会发生什么？ This of course means when you issue certs the CN is controlled, and will relate to a specific person. 当然，这意味着当您颁发证书时，CN将受到控制，并将与特定人员相关。 I've found using email address to be very reliable, because you can create a validation routine by sending them confirmation emails. 我发现使用电子邮件地址非常可靠，因为您可以通过向他们发送确认电子邮件来创建验证例程。 You can also enforce some uniqueness with the email address. 您还可以通过电子邮件地址强制执行某些唯一性。

The hard part is distributing certs and getting IIS to ask the client for certs so your asp.net app can gain access to its information. 困难的部分是分发证书，并使IIS向客户端询问证书，以便您的asp.net应用程序可以访问其信息。 Once you have that all your requests will have something in Request.ClientCertificate which has all the details of their cert you'd need to authenticate them. 一旦有了所有请求，您的Request.ClientCertificate就会包含某些内容，其中包含证书的所有详细信息，您需要对它们进行身份验证。

I'm assuming you are using .Net framework. 我假设您正在使用.Net框架。 You may try to use HttpRequest.ClientCertificate property. 您可以尝试使用HttpRequest.ClientCertificate属性。 Certificate validation is already done with ASP.NET you just need check IsValid property. 证书验证已经通过ASP.NET完成，您只需要检查IsValid属性即可。 Rest of validation is map certificates to users. 剩下的验证工作是将证书映射到用户。

If all certificates are issued by same CA you can use the certificate serial number. 如果所有证书由同一CA颁发，则可以使用证书序列号。 If not include the HttpClientCertificate.Issuer property with serial number. 如果不包含，则将HttpClientCertificate.Issuer属性包含序列号。

Thumbprint is hard to use later if you need some debugging. 如果需要调试，以后很难使用指纹。

You questions contains 2 different parts: 您的问题包含2个不同部分：

1) How do I verify that client certificate was issued by me and in good standing? 1）我如何验证客户证书是由我签发并信誉良好的？

Very general answer is that you validate it's chain against trusted root certificate. 非常笼统的答案是，您根据受信任的根证书验证它的链。 As example you can read it here: 例如，您可以在这里阅读：

http://msdn.microsoft.com/en-us/library/windows/desktop/dd407310(v=vs.85).aspx http://www.openssl.org/docs/apps/verify.html http://www.cryptosys.net/pki/x509_validatechain.html http://msdn.microsoft.com/zh-cn/library/windows/desktop/dd407310(v=vs.85).aspx http://www.openssl.org/docs/apps/verify.html http：// /www.cryptosys.net/pki/x509_validatechain.html

In most cases you don't have to write any code to do this. 在大多数情况下，您无需编写任何代码即可执行此操作。 All you need is to install (as example) Apache before your web server. 您需要做的只是在Web服务器之前安装（例如）Apache。 Apache can be configured to request and validate client certificate against trusted certificate(s). 可以将Apache配置为根据受信任的证书请求和验证客户端证书。

2) How do I map a certificate to a user? 2）如何将证书映射到用户？

If you are looking for a common way how it's done then you should use Subject Alternative Name property in certificate to store principal name. 如果您正在寻找完成操作的通用方法，则应在证书中使用“使用者备用名称”属性存储主体名称。 This is the most common way which is used by multiple providers. 这是多个提供商使用的最常见的方法。

Here are couple of Windows related interesting links: 这是几个与Windows相关的有趣链接：

http://technet.microsoft.com/en-us/library/cc736706(v=ws.10).aspx http://technet.microsoft.com/zh-CN/library/cc736706(v=ws.10).aspx

http://technet.microsoft.com/en-us/library/cc736781(WS.10).aspx http://technet.microsoft.com/zh-CN/library/cc736781(WS.10).aspx

However, generally speaking, you can use any unique thing in certificate for mapping. 但是，一般而言，您可以在证书中使用任何唯一的东西进行映射。