apache 如何支持 SSL 客户端证书认证?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/28599/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How do I support SSL Client Certificate authentication?
提问by James A. Rosen
I want to do what myopenid does -- once you've logged, you can click a button that generates you an SSL certificate; the browser then downloads this certificate and stores it. When you later go back to yourid.myopenid.com, your browser can use its stored certificate for authentication so you don't ever need a password.
我想做 myopenid 所做的——一旦你登录,你就可以点击一个按钮来生成一个 SSL 证书;浏览器然后下载此证书并存储它。当您稍后返回 yourid.myopenid.com 时,您的浏览器可以使用其存储的证书进行身份验证,因此您永远不需要密码。
So my questions is what is required to get this working? How do I generate certificates? How do I validate them once they're presented back to me?
所以我的问题是需要什么才能让它工作?如何生成证书?一旦它们被呈现给我,我如何验证它们?
My stack is Rails on Apache using Passenger, but I'm not too particular.
我的堆栈是使用乘客的 Apache 上的 Rails,但我不太特别。
采纳答案by russtbarnacle
These are usually referred to as client side certificates.
这些通常称为客户端证书。
I've not actually used it but a modified version of restful-authentication can be found here herethat looks like what your after.
我实际上并没有使用它,但是可以在此处找到修改后的 Restful-authentication 版本,看起来像您所追求的那样。
I found this via Dr. Nic's post
我通过Nic 博士的帖子找到了这个
回答by Mark Renouf
Depends on the server, but the simplest solution I know of, using Apache:
取决于服务器,但我所知道的最简单的解决方案是使用 Apache:
"When this option is enabled, the Subject Distinguished Name (DN) of the Client X509 Certificate is translated into a HTTP Basic Authorization username. This means that the standard Apache authentication methods can be used for access control. The user name is just the Subject of the Client's X509 Certificate (can be determined by running OpenSSL's openssl x509 command: openssl x509 -noout -subject -in certificate.crt). Note that no password is obtained from the user... "
“启用此选项后,客户端 X509 证书的主题专有名称 (DN) 将转换为 HTTP 基本授权用户名。这意味着可以使用标准的 Apache 身份验证方法进行访问控制。用户名只是主题客户端的 X509 证书(可以通过运行 OpenSSL 的 openssl x509 命令确定:openssl x509 -noout -subject -in certificate.crt)。注意,没有从用户那里获取密码......”
Not sure about rails, but the usual REMOTE_USER environment variable should be accessible in some way.
不确定 rails,但通常的 REMOTE_USER 环境变量应该可以以某种方式访问。
回答by erickson
If you want to generate certificates, you need to cause the client to generate a key pair, and send you at least the public key. You can do this in Firefox via a Javascript call, it's crypto.generateCRMFRequest. I'm guessing there are browser-specific methods available in other browsers too. But first, you need to figure out how to issue a certificate once you get a public key.
如果你想生成证书,你需要让客户端生成一个密钥对,并且至少向你发送公钥。您可以通过 Javascript 调用在 Firefox 中执行此操作,它是crypto.generateCRMFRequest。我猜在其他浏览器中也有特定于浏览器的方法。但首先,您需要弄清楚在获得公钥后如何颁发证书。
You could script something on the server with OpenSSL, but it has built-in support for CSRs, not the CRMF format Firefox will send you. So you'd need to write some code to convert the CRMF to a CSR, which will require some sort of DER processing capability… I'm just scratching the surface here—operating a CA, even for a toy application, is not trivial.
您可以使用 OpenSSL 在服务器上编写一些脚本,但它内置了对 CSR 的支持,而不是 Firefox 将发送给您的 CRMF 格式。因此,您需要编写一些代码来将 CRMF 转换为 CSR,这将需要某种 DER 处理能力……我在这里只是浅尝辄止——即使对于玩具应用程序,操作 CA 也并非易事。
SSO solutions like OpenId and PKI solutions do overlap, and there is an elegance in PKI. But the devil is in the details, and there are good reasons why this approach has been around a long time but has only taken off in government and military applications.
像 OpenId 和 PKI 解决方案这样的 SSO 解决方案确实重叠,并且 PKI 中有一种优雅。但问题在于细节,这种方法存在很长时间但只在政府和军事应用中流行是有充分理由的。
If you are interested in pursuing this, follow up with some questions specific to the platform you would want to develop your CA service on.
如果您对此感兴趣,请跟进一些特定于您希望在其上开发 CA 服务的平台的问题。
回答by Rich
You can generate a certificate in the client's browser using browser-specific code. See this question
您可以使用特定于浏览器的代码在客户端的浏览器中生成证书。看到这个问题
You could also generate SSL client certs server-side using OpenSSL in Ruby (see this q). (This will work in any browser without browser-specific code, but your server will have generated the client's private key, which is not ideal for crypto purists.)
您还可以在 Ruby 中使用 OpenSSL 在服务器端生成 SSL 客户端证书(请参阅此 q)。(这将适用于没有浏览器特定代码的任何浏览器,但您的服务器将生成客户端的私钥,这对于加密纯粹主义者来说并不理想。)
Whichever method you use to generate them, you will then need to configure your webserver to require the client certificates. See the Apache docsfor an example.
无论您使用哪种方法生成它们,您都需要配置您的网络服务器以要求客户端证书。有关示例,请参阅Apache 文档。
回答by Rich
I've been working on a solution to this problem. I wanted to do the same thing and I know lots of other website owners want this feature, with or without a third party provider.
我一直在研究这个问题的解决方案。我想做同样的事情,我知道很多其他网站所有者都想要这个功能,无论是否有第三方提供商。
I created the necessary server setup and a firefox plugin to handle the certificate-based authentication. Go to mypassfree.com to grab the free firefox plugin. Email me (link on that page) for the server setup as I haven't packaged it yet with a nice installer.
我创建了必要的服务器设置和一个 firefox 插件来处理基于证书的身份验证。转到 mypassfree.com 获取免费的 Firefox 插件。给我发电子邮件(该页面上的链接)服务器设置,因为我还没有用一个很好的安装程序打包它。
Server setup is Apache2 + OpenSSL + Perl (but you could rewrite the perl scripts in any language)
服务器设置是 Apache2 + OpenSSL + Perl(但你可以用任何语言重写 perl 脚本)
Jonathan
乔纳森
