Application-specific X509 certificates on Windows?

Posted on 2025-01-04 22:13:02

I am attempting to establish an internal CA within my company. One of the primary purposes of doing this is to issue certificates to our customers, which they will use to establish TLS connections between our client and server applications (both Windows OS-based). I am currently working under the following constraints:

  • A server certificate will be issued to each of our server customers, and should be installed on the customer's server such that our Server Application can use it to establish TLS sessions.
  • A trusted root certificate for our CA will be packaged with our Client Application, and should be installed silently along with the application in such a way that the Client Application can use it to verify the server certificate. (The installer is assumed to have administrative access on the client machine.)
  • The trusted root certificate should be available to any user of the Client Application on the client machine, and should not require a password from the user to access.
  • I hesitate to place the trusted root certificate in the "Trusted Root Certification Authorities" section of the Local Machine certificate store, because it could then be used in a larger scope than simply authenticating our application (to authenticate web pages for IE, for example). In the event that our root certificate is compromised, I would rather limit the damage to our own application.

Where and how should I be installing the server certificate and the trusted root certificate on the server and client machines (again, both using a Windows OS) such that these constraints are met?


Comments (1)

千紇 2025-01-11 22:13:02

The Common Application Data folder is an appropriate location for both the CA certificate and the server certificate (not the server private key, though!)

The 'how' of installation depends on the packaging and distribution method--for WiX, you'd use something like:

<Directory Id="CommonAppDataFolder" Name="ComApptDt">
    <Directory Id="ProductAppData" Name="ProductName">
        <!-- add reference to the appropriate certificate here -->
    </Directory>
</Directory>

Determining the location of the Common AppData folder in code depends on the programming language and framework. .NET has the Environment.SpecialFolders enumeration. For native C++, How do I get the application data path in Windows using C++? is a good place to start.
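As an added example (not part of the original answer), here is how a .NET 5+ client could consume a root stored in that folder while honouring the asker's constraint of not widening trust to the whole machine: the server chain is rebuilt with X509ChainTrustMode.CustomRootTrust, so only the CA root read from Common AppData is accepted as a trust anchor and the machine's "Trusted Root Certification Authorities" store is never consulted or modified. The folder and file names are assumptions.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Client-side validation against our own CA only. The root lives in the
// product's Common AppData folder (installed by the WiX fragment above), so
// nothing is added to the machine's Trusted Root Certification Authorities.
// "ProductName" and "our-root-ca.cer" are placeholders, not from the post.
public static class PrivateRootValidator
{
    private static readonly string RootPath = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
        "ProductName", "our-root-ca.cer");

    // Signature matches RemoteCertificateValidationCallback, so it can be
    // passed straight to the SslStream constructor.
    public static bool Validate(object sender, X509Certificate? certificate,
                                X509Chain? chain, SslPolicyErrors errors)
    {
        if (certificate is null ||
            (errors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0 ||
            (errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            return false;
        // RemoteCertificateChainErrors is expected here: the OS could not find
        // our root, so we rebuild the chain ourselves with a private trust anchor.

        using var root = new X509Certificate2(RootPath);
        using var leaf = new X509Certificate2(certificate);
        using var custom = new X509Chain();
        custom.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        custom.ChainPolicy.CustomTrustStore.Add(root);   // the only trusted root
        // No CRL/OCSP published yet for this internal CA; switch to Online once it is.
        custom.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        // Reuse any intermediates the server sent during the handshake.
        if (chain is not null)
            foreach (X509ChainElement el in chain.ChainElements)
                custom.ChainPolicy.ExtraStore.Add(el.Certificate);

        return custom.Build(leaf);   // false on any chain error
    }

    // Typical use when opening the TLS connection:
    //   var tls = new SslStream(tcpClient.GetStream(), false, PrivateRootValidator.Validate);
    //   await tls.AuthenticateAsClientAsync("server.customer.example");
}
```

Because standard users need read access to that folder, have the installer set an ACL that denies them write access to the certificate file; a root that any local user can replace is no stronger than no root check at all.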
