Note: this page is a Chinese-English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/940262/
How to generate a client certificate using a third party CA-NOT Self Signed CA
Asked by rihards
I am trying to export a client certificate for use with a web browser.
The goal is to restrict access using the <Location> directive to the admin area. I have seen numerous tutorials on using self signed CAs. How would you do this using a third party?
1) Do I need to include the CA in the client pfx if it is a trusted root CA? I have seen both examples.
Without CA:
openssl pkcs12 -export -inkey KEYFILENAME -in CERTFILEFILENAME -out XXX.pfx
With CA:
openssl pkcs12 -export -in my.crt -inkey my.key -certfile my.bundle -out my.pfx
2) Do I need to still include SSLCACertificateFile for trusted CA in the httpd.conf setup?
SSLVerifyClient none
SSLCACertificateFile conf/ssl.crt/ca.crt
<Location /secure/area>
SSLVerifyClient require
SSLVerifyDepth 1
</Location>
Answered by rihards
You can not issue client certificates with third party CA signed certificate. You have to have self signed CA for issuing of client certificates and specify this CA as SSLCACertificateFile
Sample:
# site certificate signed by verisign
SSLCertificateFile /etc/apache2/ssl/apache.cer
# site key for certificate signed by verisign
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
# your self signed CA
SSLCACertificateFile /etc/apache2/ssl/apachelca2.pem
note that apachelca2.pem has both key and certificate in it... command lines to issue client certificates:
openssl req -config /usr/share/apache2/ssleay.cnf -new -key client.key -out client.csr
openssl x509 -req -days 365 -CA /etc/apache2/ssl/apachelca2.pem -CAkey /etc/apache2/ssl/apachelca2.pem -CAcreateserial -in client.csr -extfile /usr/share/apache2/ssleay.cnf -extensions v3_req -out client.crt
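The following script is an added example and is not code from the question or the answer above. It walks the whole procedure end to end: it creates a private CA marked as a CA (basicConstraints CA:TRUE), issues one client certificate with the clientAuth extended key usage (the equivalent of the answer's -extfile/-extensions step), exports the certificate in the two PKCS#12 forms the question asks about (without and with the CA bundled), and then runs the same chain check mod_ssl performs against the file named in SSLCACertificateFile. It also creates a second, unrelated CA standing in for the vendor CA to show that the client certificate does not validate against it. All file names, subjects and the PKCS#12 password are constructed for the demo; it needs only a working openssl binary (1.1.1 or 3.x).

```shell
#!/bin/sh
# Added example, not code from the original question or answer. Builds a
# private client CA, issues one browser client certificate, exports it as
# PKCS#12 without and with the CA, and verifies the chain the way mod_ssl
# does against SSLCACertificateFile. File names, subjects and the password
# below are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PFX_PASS="changeit"   # constructed demo password, not for real use

# Self-signed CA restricted to certificate signing (basicConstraints CA:TRUE).
make_ca() {
  name="$1"; subject="$2"
  cat > "$WORK/$name.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = $subject
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$WORK/$name.cnf" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.crt" 2>/dev/null
}

# Client key + CSR, then sign it with our CA. Extensions come from an
# -extfile section like the answer's ssleay.cnf/v3_req, but here they mark
# the certificate as an end-entity certificate valid for client auth only.
issue_client() {
  cat > "$WORK/client.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = admin-user
[client_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/client.cnf" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -days 365 -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -in "$WORK/client.csr" \
    -extfile "$WORK/client.cnf" -extensions client_ext \
    -out "$WORK/client.crt" 2>/dev/null
}

# The two export forms from the question: key+cert only, or with the CA added.
export_pfx() {
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
    -passout "pass:$PFX_PASS" -out "$WORK/client-without-ca.pfx"
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
    -certfile "$WORK/ca.crt" -passout "pass:$PFX_PASS" -out "$WORK/client-with-ca.pfx"
}

# Number of certificates inside a .pfx (1 without the CA, 2 with it).
count_certs_in_pfx() {
  openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# The check mod_ssl performs for SSLVerifyClient require: does the client
# certificate chain to the given trust anchor and is it valid for client
# authentication? Exit status 0 means OK.
verify_client_cert() {
  openssl verify -purpose sslclient -CAfile "$1" "$WORK/client.crt" >/dev/null 2>&1
}

build_all() {
  make_ca ca "Example Client CA"
  make_ca other-ca "Unrelated Third Party CA"   # stands in for the vendor CA
  issue_client
  export_pfx
}

build_all
echo "work dir: $WORK"
echo "certs in client-without-ca.pfx: $(count_certs_in_pfx "$WORK/client-without-ca.pfx")"
echo "certs in client-with-ca.pfx:    $(count_certs_in_pfx "$WORK/client-with-ca.pfx")"
verify_client_cert "$WORK/ca.crt" && echo "chains to our CA: yes"
verify_client_cert "$WORK/other-ca.crt" || echo "chains to unrelated CA: no"
```

On the Apache side, SSLCACertificateFile points at ca.crt (the private CA, not the vendor-issued site certificate), and with SSLVerifyDepth 1 as in the question the client certificate must be signed directly by that CA, which is exactly what the verify step checks. Bundling the CA into the .pfx only helps the browser display the chain; the server trusts what SSLCACertificateFile names, never what the client presents.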

