Java: Is there a way to test 2 way ssl through browser?

Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow. Original URL: http://stackoverflow.com/questions/19486200/

Time: 2020-08-12 17:40:41  Source: igfitidea

Is there a way to test 2 way ssl through browser?

Tags: java, ssl, browser, ssl-certificate, x509certificate

Asked by mel3kings

If so, how do you set the certificate for authentication, and what files do you need? Is it .pfx? How would you install that in the browser? I've been stuck trying to test 2-way SSL through the browser. I have a webservice, and trying to connect always returns certification authentication failed.

Accepted answer by gtrig

Expanding on nickrak's answer. 2-way SSL means that the client trusts the webservice, and that the webservice trusts/authenticates the client.

On the webservice side:

Add the client's CA cert into the webservice's trusted certificates. The "CN" in the webservice server certificate must match the URL of the webservice. The webservice server certificate must not be expired. The webservice may choose to do further authentication based on the client certificate...for example, is the client certificate in a "whitelist" of authorized clients. Perhaps the webservice has multiple levels of access, so the client certificate is checked to determine how much access to give the client.

On the client side:

The CA that signed the webservice server certificate will need to be added to the client's trusted certificate list. In a browser, this will be in the "Trusted Root Certification Authorities" section (IE, Chrome) or "Authorities" section (Firefox). The extensions for these certificates are usually .der, .cer, .crt, or .pem. Also, the client's own private key/certificate combination needs to be added to the client browser. This will be in the "Personal" section (IE, Chrome) or "Your Certificates" (Firefox). The extensions for these keystores are usually .p12 or .pfx.

Answer by nickrak

  1. Add the client's CA's public certificate to the Trusted Root Certificate Store.
  2. Add the client's public and private key to the browser's Personal Certificate Store. (usually a pfx, but might also be a der/pem/crt/cer.)
  3. Navigate to page requiring certificate
  4. Optionally, depending on browser: select the certificate you want to use for this connection.
  5. Hopefully, success.
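
Added example (not part of either answer or of the original StackOverflow page): one way to produce, for a throwaway lab, the files both answers refer to, using OpenSSL. The CA and client names, the `localhost` hostname and the `changeit` password are assumptions, and a single lab CA signs both the webservice and the client certificate.

```shell
#!/bin/sh
# Added example: throwaway lab PKI. All names and the password are constructed.
set -eu

make_mtls_lab() {   # usage: make_mtls_lab DIR HOSTNAME P12_PASSWORD
    dir=$1 host=$2 pass=$3
    mkdir -p "$dir"
    (
        cd "$dir"
        # Lab CA. ca.crt is what goes into the browser's "Trusted Root
        # Certification Authorities"/"Authorities" list and into the
        # webservice's trusted certificates (one CA signs both sides here).
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=Lab Test CA" -keyout ca.key -out ca.crt 2>/dev/null

        # Webservice certificate: CN matches the host in the URL; the same
        # name is also set as subjectAltName, which current browsers check.
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
            -keyout server.key -out server.csr 2>/dev/null
        printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > server.ext
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -days 30 -extfile server.ext -out server.crt 2>/dev/null

        # Client certificate, limited to TLS client authentication.
        openssl req -newkey rsa:2048 -nodes -subj "/CN=lab-client" \
            -keyout client.key -out client.csr 2>/dev/null
        printf 'extendedKeyUsage=clientAuth\n' > client.ext
        openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -days 30 -extfile client.ext -out client.crt 2>/dev/null

        # Private key + certificate in one PKCS#12 file: this is the .p12/.pfx
        # imported under "Personal" (IE, Chrome) or "Your Certificates" (Firefox).
        openssl pkcs12 -export -inkey client.key -in client.crt -certfile ca.crt \
            -name lab-client -passout "pass:$pass" -out client.p12
    )
}

check_mtls_lab() {  # usage: check_mtls_lab DIR P12_PASSWORD
    # Each leaf must chain to the lab CA for its own purpose, and the .p12
    # must open with the import password and contain the private key.
    openssl verify -CAfile "$1/ca.crt" -purpose sslserver "$1/server.crt" >/dev/null &&
    openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$1/client.crt" >/dev/null &&
    openssl pkcs12 -in "$1/client.p12" -passin "pass:$2" -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

lab=$(mktemp -d)
make_mtls_lab "$lab" localhost changeit
check_mtls_lab "$lab" changeit && echo "lab files written to $lab"
```

Running `check_mtls_lab` before importing anything into the browser separates a broken chain or wrong .p12 password from a browser or webservice configuration problem.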