Apache httpd:如何信任特定的客户端证书? [英] Apache httpd: How to trust specific client certificates?

问题描述

如何配置Apache httpd以信任特定的客户端证书?

How can I configure the Apache httpd to trust specific client certificates?

我们需要将对Web服务的访问限制为特定(已知)合作伙伴的服务器.
我们计划为此使用基于CA的解决方案(受信任的CA，仅在接受它们时才签署可信任的CSR)；但是，我们公司的CA不会为外部公司创建证书.

We need to restrict the access to a webservice to a specific (known) partner's servers.
We planned to use an CA-based solution for this (a trusted CA which would only sign trustworthy CSRs as we accepted them); however, our company's CA will not create Certificates for external companies.

无论如何要建立安全连接，直到必要的PKI准备好为止，我们希望将特定的客户端证书配置为在我们的Apache httpd代理上受信任.

In order to establish the secured connection anyway, until the necessary PKI is ready, we wanted to configure specific client certificates as trusted on our Apache httpd proxy.

但是httpd不接受客户端的连接，客户端正在尝试使用客户端证书进行连接，该客户端证书已添加到CACertificateFile(以Base64和DER格式(PEM)编码的级联x509证书)中，该证书已配置为虚拟主机.

But httpd does not accept connections by the clients, which are trying to connect by using the client certificate, which has been added to the CACertificateFile (concatenated x509 certificates encoded in Base64 and of DER format(PEM)), configured for the virtual host.

在这种情况下，客户端证书不是自签名证书.

The client certificate is in this case not a self-signed certificate.

推荐答案

您应该配置通过SSLCACertificateFile或SSLCACertificatePath信任的CA证书，并使用SSLVerifyClient(optional或required，而不是，它将不执行任何身份验证)以使服务器请求客户端证书.

You should configure the CA certificates you trust via SSLCACertificateFile or SSLCACertificatePath and use SSLVerifyClient (optional or required, not optional_no_ca, which wouldn't perform any authentication) to make the server request a client certificate.

如果直接在VirtualHost部分中使用SSLVerifyClient，则将在初始握手期间发送客户端证书.如果将其放在Directory/.htaccess中，则将重新协商客户端证书.

If you use SSLVerifyClient directly within your VirtualHost section, the client certificate will be sent during the initial handshake. If you put it within a Directory/.htaccess, the client certificate will be re-negotiated.

在初始握手中发送证书时，调试起来会更容易，因为客户端证书本身不会被加密.您应该能够通过Wireshark(在客户端发送的Certificate消息中)查看流量来查看它.调试时，值得检查服务器是否发送了Certificate Request消息，并查看其证书颁发机构列表.

It's easier to debug when the certificate is sent in the initial handshake, since the client certificate itself won't be encrypted. You should be able to see it by looking at the traffic with Wireshark (in the Certificate message sent by the client). When debugging, it's worth checking that a Certificate Request message is sent by the server, and looking at its certification authorities list.

造成问题的典型原因是，如果需要，客户端无法识别该列表，或者客户端未在链中发送其中间CA证书.

A typical cause of problem would be a client that doesn't recognise that list or a client that doesn't send its intermediate CA certificates in its chain, if needed.

如果您想更具体地授权某些证书，则可以检查变量SSL变量(例如SSL_CLIENT_S_DN_*)并在SSLRequire指令中使用它(请参阅

If you then want to authorise certain certificates more specifically, you can check variable SSL variables (e.g. SSL_CLIENT_S_DN_*) and use it in an SSLRequire directive (see example).

这篇关于Apache httpd:如何信任特定的客户端证书?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！