Is it possible to automatically select correct client side certificate?


Problem description


    I have configured an Apache httpd website with SSL client side certificates so that only users who have installed the correct certificate in their web browsers can access the website.

    If there is only one client side certificate installed the web browser will automatically select it (it is not the default, but it can be configured somewhere in the settings dialog). But if a user has more than one certificate installed, the web browser presents a list of certificates and the user has to pick the right one to continue.

    The question is: Is there a way to configure httpd to send a hint so that the web browser can automatically select the required certificate?

Solution

    The SSL (TLS) protocol only allows the server to specify two constraints on the client certificate:

    1. The type of certificate (RSA, DSA, etc.)
    2. The trusted certificate authorities (CAs) that signed the client certificate

    You can use "openssl s_client" to see which CAs your Apache server trusts for client certs. I do not know how to configure Apache to change that list (sorry), but I bet there is a way. So if you can limit the list to (say) your own organization's CA alone, then you will have done all you can to allow a Web browser to select the client cert automatically.

    As Eugene said, whether the browser actually does so is up to the particular browser.
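
The check the answer describes, as an added example that is not part of the original answer: it reads "openssl s_client" output and reports which CA names the server advertises in its certificate request. The function names, the sample output and the host name are constructed for illustration.

```shell
#!/bin/sh
# Added example: names and sample output below are constructed, not from the page.

# Print the CA names from the server's CertificateRequest, one per line,
# given `openssl s_client` output on stdin.
acceptable_client_cas() {
    awk '
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        # The list ends where the next s_client section starts.
        in_list && /^(Client Certificate Types:|Requested Signature Algorithms:|Shared Requested Signature Algorithms:|---)/ { in_list = 0 }
        in_list && NF { print }
    '
}

# Classify the hint a browser receives: none, single or multiple CA names.
classify_ca_hint() {
    n=$(acceptable_client_cas | awk 'END { print NR }')
    case "$n" in
        0) echo none ;;
        1) echo single ;;
        *) echo multiple ;;
    esac
}

# Constructed s_client excerpt: server advertises three CAs.
sample_broad() {
    cat <<'EOF'
---
Acceptable client certificate CA names
C = US, O = Example Public CA, CN = Example Root 1
C = US, O = Example Public CA, CN = Example Root 2
O = Example Corp, CN = Example Corp Client CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
EOF
}

# Constructed s_client excerpt: list limited to the organization's own CA.
sample_narrow() {
    cat <<'EOF'
---
Acceptable client certificate CA names
O = Example Corp, CN = Example Corp Client CA
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
---
EOF
}

# Against a live server (hypothetical host name):
#   openssl s_client -connect www.example.test:443 </dev/null 2>/dev/null | classify_ca_hint
```

In Apache mod_ssl the names placed in this list can be set with SSLCADNRequestFile or SSLCADNRequestPath, independently of the CAs used for verification. When SSLVerifyClient is set per directory, the certificate request is sent only after the HTTP request and does not appear in this initial handshake output.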
