How to generate client certificates using a third-party CA (not a self-signed CA)
I am trying to export a client certificate for use with a web browser.
The goal is to restrict access using the <Location> directive to the admin area. I have seen numerous tutorials on using self-signed CAs. How would you do this using a third party?
1) Do I need to include the CA in the client pfx if it is a trusted root CA? I have seen both examples.
Without CA:
openssl pkcs12 -export -inkey KEYFILENAME -in CERTFILEFILENAME -out XXX.pfx
With CA:
openssl pkcs12 -export -in my.crt -inkey my.key -certfile my.bundle -out my.pfx
2) Do I still need to include SSLCACertificateFile for the trusted CA in the httpd.conf setup?
SSLVerifyClient none
SSLCACertificateFile conf/ssl.crt/ca.crt
<Location /secure/area>
SSLVerifyClient require
SSLVerifyDepth 1
</Location>
You cannot issue client certificates with a third-party CA-signed certificate. You have to have a self-signed CA for issuing client certificates and specify this CA as SSLCACertificateFile.
Sample:
Note that apachelca2.pem has both key and certificate in it... command lines to issue client certificates:
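As an added example (not the original poster's commands and not the answerer's missing sample), the script below does what the answer recommends: it creates a private self-signed CA, issues a client certificate from it, exports key, certificate and CA certificate to a PKCS#12 file for browser import, and runs the same chain check mod_ssl performs under SSLVerifyClient require, namely that the presented certificate chains to a certificate in SSLCACertificateFile. It assumes the openssl command line tool (1.1.1 or 3.x) is installed; every file name, CN and password is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post or its answer): private CA,
# client certificate, PKCS#12 export, and the chain check mod_ssl applies.
# Assumes the openssl CLI; all names below are placeholders.
set -e
WORK="${WORK:-$(mktemp -d)}"

make_ca() {
  # $1 = CA name. Self-signed CA key and certificate with explicit CA
  # extensions (own config, so the result does not depend on the system
  # openssl.cnf). $WORK/$1.crt is what SSLCACertificateFile points at.
  printf '[req]\ndistinguished_name = dn\nx509_extensions = ca_ext\n[dn]\n' \
    > "$WORK/$1.cnf"
  printf '[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' \
    >> "$WORK/$1.cnf"
  openssl req -x509 -config "$WORK/$1.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

issue_client_cert() {
  # $1 = CA name, $2 = user name. Generate the user's key and CSR, then sign
  # the CSR with the CA, restricting the certificate to TLS client auth.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' \
    > "$WORK/$2.ext"
  openssl x509 -req -days 365 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}

export_pfx() {
  # $1 = CA name, $2 = user name, $3 = export password. Bundles the user's
  # key and certificate plus the CA certificate (the "with CA" form from the
  # question) so the browser can present the whole chain.
  openssl pkcs12 -export -inkey "$WORK/$2.key" -in "$WORK/$2.crt" \
    -certfile "$WORK/$1.crt" -passout "pass:$3" -out "$WORK/$2.pfx"
}

pfx_cert_count() {
  # $1 = user name, $2 = password. Number of certificates stored in the pfx
  # (2 when the CA certificate was bundled alongside the client certificate).
  openssl pkcs12 -in "$WORK/$1.pfx" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c "BEGIN CERTIFICATE"
}

verify_chain() {
  # $1 = CA name, $2 = user name. Succeeds only if the client certificate
  # chains to this CA, which is the decision mod_ssl makes when
  # SSLCACertificateFile contains this CA and SSLVerifyClient is require.
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

is_client_auth_cert() {
  # $1 = user name. Confirms the clientAuth extended key usage is present.
  openssl x509 -in "$WORK/$1.crt" -noout -text 2>/dev/null \
    | grep -q "TLS Web Client Authentication"
}

# Usage: ./clientcerts.sh demo  (placeholder script name)
if [ "${1:-}" = "demo" ]; then
  make_ca site-ca
  issue_client_cert site-ca alice
  export_pfx site-ca alice changeit
  verify_chain site-ca alice && echo "alice chains to site-ca: accepted"
  echo "CA for SSLCACertificateFile: $WORK/site-ca.crt"
  echo "browser import file:        $WORK/alice.pfx"
fi
```

The point the answer makes shows up in verify_chain: a certificate issued by any CA that is not in SSLCACertificateFile fails the check, so that file acts as an allow-list of issuers rather than a general trust store, and with SSLVerifyDepth 1 as in the question the client certificate must be signed directly by a CA in that file. Bundling the CA certificate into the pfx does not change that decision; it only lets the browser present the full chain.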