How do I generate an SSL client certificate from a disconnected network?
I have a unique situation where I need to implement client certificate authentication over HTTPS between IE browser and IIS 6. The browser and IIS are separated by a firewall that only allows the browser to connect to IIS on the SSL port.
We have an internal certificate server on the same network as IIS. I've generated an SSL server cert for IIS and that is installed. I configured IIS to only allow SSL and require client certificates.
The limitation here is the browser machine is on a disconnected network, so I can't go to the CA's http://caserver/CertSrv URL and request a client cert like you normally would.
I figured if there were a way that I could generate a CSR against the Root CA's public key, I can copy it to the CA server to generate the client cert. But, there appears to be no provision in IE or the Certificates MMC to do this. The Certificates MMC seems to require a direct connection to the CA.
Has anyone solved this before?
FYI, All servers referenced run Windows Server 2003.
Update: Thanks to Jonas Oberschweiber and Mark Sutton for pointing out the CertReq.exe command line tool. Using this, I've generated a CSR, and consequently a client certificate that installs successfully. However, IE is apparently not sending this client cert when accessing the IIS server in question; it still generates a 403.7 "Forbidden: SSL client certificate is required." I suspect that the reason is that the Subject field of the client cert does not match the user id of the account running IE, thus perhaps not sending a mismatching client cert. The Subject matches that of the user I used to submit the CSR and generate the client cert on the other end of the firewall.
Does the Subject field matter? Is there something else I need to do to enable IE to send this cert?
Use the certreq command on your client as follows:
certreq -new -f filein c:\certrequest.req
Here is an example of the filein:
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject="CN=dc1.extranet.frbrikam.com"
EncipherOnly = False
Exportable = False
KeyLength = 1024
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC
[RequestAttributes]
CertificateTemplate=TLSServer
Replace the CertificateTemplate with the name of your certificate template.
Once you have your request file you need to take it to the certificate authority on a USB stick and use the web enrolment interface as usual to process the request file.
Take the output certificate back to the client, open it and click Install.
You sound like you have already tried a couple of things so my guess is that you are already aware of these, but I'm going to post them anyway, just in case: Certificate Command Line Tools. I am not sure, however, if they do what you want.
Go to the http://caserver/CertSrv site that you mentioned using a 3rd computer that can see the CA server. Select the 3rd option, download a CA cert, cert chain, or CRL. On the next page select 'Download CA Certificate Chain', which will download the p7b file. Using a flash drive (or email, etc) transfer this to the other computer, which will allow you to import it into the trusted root servers in IE.
http://technet.microsoft.com/en-us/library/cc787796.aspx
Suggestion for the update, just in case - what is the trusted cert list in the server?
Subject DN being the same as Windows username has never been a problem for me - although I don't use IIS much. However, somewhere in IIS there is sure to be a trusted certificate list. This error sounds to me like the server's trusted certs list does not include the CA or Root CA that issued the client certificate.
This is particularly true if you never get a certificate selection popup window in IE when you hit the IIS server - even though you have a certificate configured in your IE cert store. That means that the client hit the server, the server gave a list of trusted certs and the client didn't have a cert that fit the list. So the SSL session went to the Forbidden error state.
If the certificate selection window popped up, and you selected and sent the cert, there may be other configuration problems on the server side.
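An added check, not part of the original question or any of the answers, that ties the asker's 403.7 update to the trusted-CA point raised in this answer: the PowerShell below lists the certificates in the user's Personal store and reports the properties Schannel looks at before IE will offer one to a server (a usable private key in the user's store, a Client Authentication EKU or no EKU at all, and a chain that builds to a CA the server accepts). $ServerCaSubjects is an assumed placeholder for the subject names of the CAs the IIS server trusts; fill it in from the server's own configuration.

```powershell
# Added troubleshooting example (not from the original post or answers).
# Run in the interactive session of the user who runs IE.
$ServerCaSubjects = @('CN=PLACEHOLDER Internal CA')   # assumed placeholder, taken from the IIS side
$clientAuthOid    = '1.3.6.1.5.5.7.3.2'               # id-kp-clientAuth

$report = Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_

    # EKU: absent means "any purpose"; present means clientAuth must be listed.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $clientAuthOk = $true
    if ($eku) {
        $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
        $clientAuthOk = ($oids -contains $clientAuthOid)
    }

    # Build the chain from the local stores; the client is on a disconnected
    # network, so CRL retrieval is skipped to avoid a misleading failure.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    $rootSubject = ''
    if ($chain.ChainElements.Count -gt 0) {
        $rootSubject = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }

    [pscustomobject]@{
        Subject          = $cert.Subject
        # A request made with MachineKeySet = True creates a machine key, so if
        # this is False here, look in Cert:\LocalMachine\My as well.
        HasPrivateKey    = $cert.HasPrivateKey
        ClientAuthEku    = $clientAuthOk
        ChainBuilds      = $chainOk
        RootCa           = $rootSubject
        RootTrustedByIIS = ($ServerCaSubjects -contains $rootSubject)
        Expired          = ($cert.NotAfter -lt (Get-Date))
    }
}

$report | Format-Table -AutoSize
```

A row with HasPrivateKey, ClientAuthEku, ChainBuilds and RootTrustedByIIS all True is a certificate IE can offer; any False column names the property to fix before suspecting the Subject field.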