Client Authentication via X509 Certificates in asp.net


Question

I have an asp.net application and I need to authenticate users using X509 certificates. That is, the user must install a certificate issued by me so that he can browse my website and I can identify which user it is by this certificate.

I have already configured SSL on IIS, but it's not what I'm looking for right now, and I don't know where to start.

How can I achieve this in asp.net c#?

Recommended answer

To create a secure authentication mechanism you would use both client certificates and a username/password. The reason is that a certificate is something that can be stolen (copied), but a password is something that is only known by the person. An alternative could be a certificate on a smartcard, protected by a PIN.

To use client certificates in ASP.NET applications you need to do the following:

Step 1: In IIS Manager, open your application or web site, choose SSL Settings and select both Require SSL and Require client certificate.

Now when the user opens your web site, the browser will prompt him to select a client certificate that will be used in the communication.

Important: At this point you have to make sure that the certificate is issued by someone you trust (since anyone can create their own self-signed certificates).

Step 2: Add a configuration item (in web.config, a database, etc.). In this list you would add the thumbprints of the whole CA (certificate authority) chain for your client certificates.

<add key="ClientCertificateIssuerThumbprints" value="4901f5b87d736cd88792bd5ef7caee91bf7d1a2b,0113e31aa85d7fb02740a1257f8bfa534fb8549e,c9321de6b5a82666cf6971a18a56f2d3a8675602"/>

Step 3: Create a classic username/password login page. Verify the username/password.

Step 4: Add the following code to your login page:

using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;

// 'login' is the user name entered on the login page (already verified against the password in step 3).
var x509 = new X509Certificate2(this.Request.ClientCertificate.Certificate);
var chain = new X509Chain(true);
chain.ChainPolicy.RevocationMode = X509RevocationMode.Offline;
// Build() returns false when the chain cannot be validated (expired, revoked, untrusted root); do not continue with a broken chain.
if (!chain.Build(x509))
    throw new UnauthorizedAccessException("The client certificate selected could not be validated.");

var validThumbprints = new HashSet<string>(
    System.Configuration.ConfigurationManager.AppSettings["ClientCertificateIssuerThumbprints"]
        .Replace(" ", "").Split(',', ';'),
    StringComparer.OrdinalIgnoreCase);

// Every issuer in the chain (element 0 is the client certificate itself) must be in the configured list;
// if the certificate is self-signed, verify the certificate itself.
for (int i = chain.ChainElements.Count > 1 ? 1 : 0; i < chain.ChainElements.Count; i++)
{
    if (!validThumbprints.Contains(chain.ChainElements[i].Certificate.Thumbprint))
        throw new UnauthorizedAccessException("The client certificate selected is not authorized for this system. Please restart the browser and pick the certificate issued by XXXXX");
}

// The certificate Subject would contain some identifier of the user (an ID number, SIN number or anything else unique).
// Here it is assumed that it contains the login name and nothing else.
if (!string.Equals("CN=" + login, x509.Subject, StringComparison.OrdinalIgnoreCase))
    throw new UnauthorizedAccessException("The client certificate selected is authorized for another user. Please restart the browser and pick another certificate.");

Only when both the password and the certificate have been checked should the user be allowed into the system.
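A hardened version of the step 4 check, as an added example that is not part of the original answer (the class and method names are assumptions). It goes beyond the answer's snippet in three ways: it fails closed when the chain does not build, it requires the client-authentication Extended Key Usage, and it compares the parsed CN rather than the raw Subject string.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the original answer). Returns null when the
// presented certificate is acceptable for 'login', otherwise a reason string.
public static class ClientCertificateCheck
{
    public static string Validate(X509Certificate2 cert, string login, string issuerThumbprintList)
    {
        if (cert == null) return "no client certificate presented";
        // Same format as the answer's ClientCertificateIssuerThumbprints setting.
        var trusted = new HashSet<string>(
            issuerThumbprintList.Replace(" ", "")
                .Split(new[] { ',', ';' }, StringSplitOptions.RemoveEmptyEntries),
            StringComparer.OrdinalIgnoreCase);
        using (var chain = new X509Chain(true))
        {
            // Check revocation against the issuing CA's CRL/OCSP; an expired or
            // revoked certificate then fails Build() instead of passing silently.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            // Only accept certificates whose Extended Key Usage allows client
            // authentication (OID 1.3.6.1.5.5.7.3.2), not e.g. a server certificate.
            chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.2"));
            if (!chain.Build(cert))
                return "chain validation failed: " +
                    string.Join("; ", chain.ChainStatus.Select(s => s.StatusInformation.Trim()));
            // Every issuer above the leaf must be in the configured allow list; a
            // self-signed certificate (one element) is compared against its own thumbprint.
            for (int i = chain.ChainElements.Count > 1 ? 1 : 0; i < chain.ChainElements.Count; i++)
            {
                var issuer = chain.ChainElements[i].Certificate;
                if (!trusted.Contains(issuer.Thumbprint))
                    return "issuer not in the trusted CA list: " + issuer.Subject;
            }
        }
        // Compare the parsed CN instead of the raw Subject string, so the check does
        // not depend on the exact RDN order or on extra attributes (O=, C=) the CA adds.
        var cn = cert.GetNameInfo(X509NameType.SimpleName, false);
        if (!string.Equals(cn, login, StringComparison.OrdinalIgnoreCase))
            return "certificate is bound to a different user";
        return null;
    }
}
```

In the login page this is called after the password check with `new X509Certificate2(Request.ClientCertificate.Certificate)`, the submitted login name and the configured thumbprint list; any non-null result denies the login.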

