客户证书的身份验证如何工作
- 我正在开发一项服务,我将在SSL终止代理后面部署该服务。
- SSL不在专用网络中使用。
- 我的API的客户想在标题中传递其证书。我们不会使用相互的TLS。
- 一旦我的服务收到标题中的证书请求,我应该如何验证它?
我的理解是:
- 客户的证书将包含其身份,公钥和证书授权的签名。
- 一旦收到他们的证书,我应该能够验证证书授权的公共密钥的确是合法的。
但是,我应该如何验证客户声称自己是谁而不是简单地重播证书?从理论上讲,我可以通过用公共密钥对某些内容进行加密,然后要求他们解密,但这将需要其他步骤。
- I am developing a service which I will deploy behind an ssl terminating proxy inside a private network.
- SSL is NOT used inside the private network.
- The client of my API wants to pass their certificate in a header. We are NOT going to use mutual TLS.
- Once my service receives a request with a certificate in a header, how should I validate it?
My understanding is that:
- The client's certificate will contain their identity, public key and a signature of a Certificate Authority.
- Once I receive their certificate I should be able to verify that it is indeed legit with the public key of a Certificate Authority.
But how should I verify that the client is who they claim to be and not simply replaying the certificate? I could, in theory, challenge their certificate by encrypting something with their public key and then asking them to decrypt it but this will require additional steps.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
客户端还将发送一些签名的内容(例如签名的用户ID或签名令牌),您可以使用公钥来验证签名。如果验证签名,则证明发件人拥有他发送的公共密钥的私钥。
Client will also send some signed content (say signed userid or signed token) and you can use public key to verify signature. If Signature is verified, it proves that sender owns the private key for the public key he had sent.