Is there a way to test 2-way SSL through a browser?
If so, how do you set the certificate for authentication, and what files do you need? Is it .pfx? How would you install that in the browser? Been stuck trying to test 2-way SSL through the browser. I have a webservice, and trying to connect always returns certification authentication failed.
Recommended answer
Expanding on nickrak's answer. 2-way SSL means that the client trusts the webservice, and that the webservice trusts/authenticates the client.
On the webservice side:
Add the client's CA cert into the webservice's trusted certificates. The "CN" in the webservice server certificate must match the URL of the webservice. The webservice server certificate must not be expired. The webservice may choose to do further authentication based on the client certificate... for example, is the client certificate in a "whitelist" of authorized clients? Perhaps the webservice has multiple levels of access, so the client certificate is checked to determine how much access to give the client.
On the client side:
The CA that signed the webservice server certificate will need to be added to the client's trusted certificate list. In a browser, this will be in the "Trusted Root Certification Authorities" section (IE, Chrome) or "Authorities" section (Firefox). The extensions for these certificates are usually .der, .cer, .crt, or .pem. Also, the client's own private key/certificate combination needs to be added to the client browser. This will be in the "Personal" section (IE, Chrome) or "Your Certificates" (Firefox). The extensions for these keystores are usually .p12 or .pfx.
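
The files described in the answer above, produced for a local test with OpenSSL (an added example, not part of the original answer). The CA name `test-ca`, host `localhost`, client name `test-client` and password `changeit` are constructed placeholders; the server certificate also carries a subjectAltName, which current browsers check rather than the CN alone.

```shell
#!/usr/bin/env bash
# Added example: throwaway PKI for testing 2-way SSL. All names and the
# password "changeit" are constructed placeholders; keys are left unencrypted
# (-nodes) because this is test material only.
make_mtls_test_certs() {
  mkdir -p "$1" || return 1
  (
    cd "$1" &&
    # 1. Test CA: the browser trusts it for the server certificate, and the
    #    webservice trusts it for client certificates.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=test-ca" \
      -keyout ca.key -out ca.crt &&
    # 2. Server certificate; its name must match the host in the URL.
    printf 'subjectAltName=DNS:localhost\n' > server.ext &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" \
      -keyout server.key -out server.csr &&
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 30 -extfile server.ext -out server.crt &&
    # 3. Client certificate, restricted to TLS client authentication.
    printf 'extendedKeyUsage=clientAuth\n' > client.ext &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=test-client" \
      -keyout client.key -out client.csr &&
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 30 -extfile client.ext -out client.crt &&
    # 4. Private key + certificate bundled as .p12 (same format as .pfx),
    #    which is the file a browser imports as a personal certificate.
    openssl pkcs12 -export -inkey client.key -in client.crt -certfile ca.crt \
      -name test-client -passout pass:changeit -out client.p12 &&
    # 5. Sanity checks: both leaf certificates chain to the test CA for their
    #    intended purpose, and the .p12 opens with the chosen password.
    openssl verify -purpose sslserver -CAfile ca.crt server.crt &&
    openssl verify -purpose sslclient -CAfile ca.crt client.crt &&
    openssl pkcs12 -in client.p12 -passin pass:changeit -nokeys |
      grep -q 'BEGIN CERTIFICATE'
  ) 2>/dev/null   # drop the redirect to see OpenSSL's diagnostics
}
```

Import `ca.crt` under "Trusted Root Certification Authorities" / "Authorities" and `client.p12` under "Personal" / "Your Certificates". On the webservice, install `server.crt` with `server.key` and add `ca.crt` to the certificates trusted for client authentication.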