apache SSLCACertificateFile 和 SSLCertificateChainFile 的区别
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/1899983/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Difference Between SSLCACertificateFile and SSLCertificateChainFile
提问by nam
I provide SSL pages on my web server, and I have a question. What is the difference between SSLCACertificateFile and SSLCertificateChainFile?
我在我的网络服务器上提供 SSL 页面,我有一个问题。SSLCACertificateFile 和 SSLCertificateChainFile 有什么区别?
When I use SSLCertificateChainFile, I got warnings from Japanese cellular phone browser, but when I use PC browser(like IE, FF), there was no problem. On the other hand, SSLCACertificateFile didn't cause any problem for both browsers.
当我使用 SSLCertificateChainFile 时,我收到来自日本手机浏览器的警告,但是当我使用 PC 浏览器(如 IE、FF)时,没有问题。另一方面,SSLCACertificateFile 不会对两种浏览器造成任何问题。
Is there any difference when browsers connect to apache?
浏览器连接apache有什么区别吗?
回答by BMDan
SSLCertificateChainFile was a correct option to choose but this directive became obsolete as of Apache 2.4.8. This directive caused the listed file to be sent along with the certificate to any clients that connect.
SSLCertificateChainFile 是一个正确的选择,但该指令从 Apache 2.4.8开始已过时。该指令导致列出的文件与证书一起发送到任何连接的客户端。
SSLCACertificateFile(hereafter "CACert") supersedes SSLCertificateChainFile (hereafter "Chain"), and additionally permits the use of the cert in question to sign clientcertificates. This sort of authentication is quite rare (at least for the moment), and if you aren't using it, there's IMHO no reason to augment its functionality by using CACert instead of Chain. On the flipside, one could argue that there's no harm in the additional functionality, and CACert covers all cases. Both arguments are valid.
SSLCACertificateFile(以下简称“CACert”)取代 SSLCertificateChainFile(以下简称“Chain”),并另外允许使用相关证书来签署客户端证书。这种身份验证非常罕见(至少目前是这样),如果您不使用它,恕我直言,没有理由通过使用 CACert 而不是 Chain 来增强其功能。另一方面,人们可能会争辩说附加功能没有坏处,而 CACert 涵盖了所有情况。这两个论点都是有效的。
Needless to say, if you ask the cert vendor, they'll always push for CACert over Chain, since it gives them another thing (client certs) that they can potentially sell you down the line. ;)
不用说,如果你问证书供应商,他们总是会通过 Chain 来推动 CACert,因为它给了他们另一件事(客户端证书),他们可能会把你卖掉。;)
回答by Alexander Pogrebnyak
Actually, both may be valid options.
实际上,两者都可能是有效的选择。
Use SSLCertificateChainFile to publish your certificate signed by public certificate authority (VeriSign, RapidSSL, etc.)
使用 SSLCertificateChainFile 发布由公共证书颁发机构(VeriSign、RapidSSL 等)签署的证书
Use SSLCACertificateFile to provide your 'private' CA, that can issue client certificates, that you can distribute to some selected users. These clientcertificates are actually great for authentication (compared with the basic password authentication), and typically are not required to be distributed by a public CA (hence you can save some money).
使用 SSLCACertificateFile 提供您的“私有”CA,它可以颁发客户端证书,您可以将其分发给某些选定的用户。这些client证书实际上非常适合身份验证(与基本密码身份验证相比),并且通常不需要由公共 CA 分发(因此您可以节省一些钱)。
So, if you want to add secure authorization to some portion of your web site, do this:
因此,如果您想为网站的某些部分添加安全授权,请执行以下操作:
<Directory /var/www/html/authorized>
SSLVerifyClient require
SSLVerifyDepth 5
SSLOptions +StrictRequire
SSLUserName SSL_CLIENT_S_DN_CN
SSLRequireSSL
</Directory>
Just for short explanation SSLUserName SSL_CLIENT_S_DN_CNwill set the authenticated user name to certificate's CommonName, versus the whole x509 '/OU=Foo/CN=...' subject.
只是为了简短的解释,SSLUserName SSL_CLIENT_S_DN_CN会将经过身份验证的用户名设置为证书的 CommonName,而不是整个 x509 '/OU=Foo/CN=...' 主题。
