How does the Chrome browser know which client certificate to prompt for a site?


Question

I'm setting up certificate authentication for my project using Tomcat. It works fine for command line clients such as cURL.

I have many client certificates installed in the Chrome browser. Some are used to connect to my site, others are used for different purposes and are not related to my project.

Every time I connect to my site, Chrome presents a list of client certificates to choose from. These are exactly the certificates that I installed, and not others. My questions are:

  1. How does Chrome know which client certificates to present for a site?
  2. Tomcat stores those client certificates in its trust store. During the SSL handshake, Tomcat will request a client certificate. Does it request some specific certificates that it knows from its trust store, so that Chrome knows what to show?

Answer

Client certificate authentication is handled in the handshake phase of the SSL/TLS protocol implemented by browsers.

  1. If the server requires client certificate authentication (it is optional), it sends a message to the client with the list of accepted certificate authorities (CAs). This list can be empty if the server accepts any certificate.

  2. The client selects the certificates installed in the client keystore which have been issued by any of these CAs, and presents the list to the user. In the case of Chrome, the browser selects the certificates installed by the user from the operating system key store.

  3. The user chooses a certificate, and the client performs a signature with the private key of the certificate over known data exchanged during the handshake.

Only certificates with a private key can be selected during step 2. This is the reason why the browser does not select the certificates of the trusted CAs installed on your device: you do not own the private key.
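The selection rule described in the answer (accepted-CA list from the server's CertificateRequest, empty list meaning any CA, and private key required) can be made concrete in code. The following is an added example, not code from the original post, Chrome or Tomcat: it parses the body of a TLS 1.2 CertificateRequest handshake message (RFC 5246 section 7.4.4) to recover the list of acceptable CA distinguished names, then filters a constructed client keystore the way a browser's prompt does. The keystore entries, CA names and DER bytes are all constructed for the example; `der_dn` encodes only a `CN=` attribute and is not a general X.501 Name encoder.

```python
"""Added example: how a TLS client narrows the client-certificate prompt.

Parses a TLS 1.2 CertificateRequest body to get the server's list of
acceptable CA names, then keeps only keystore entries that were issued by
one of those CAs (any CA if the list is empty) and that have a private key.
Everything below (keystore, CA names, DER bytes) is constructed sample data.
"""
import struct
from dataclasses import dataclass


def der_dn(common_name: str) -> bytes:
    """Encode a minimal DER X.501 Name holding only CN=<common_name>.

    Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; 2.5.4.3 is the
    commonName OID. Short-form lengths only, which is enough for these names.
    """
    value = common_name.encode("utf-8")
    utf8 = b"\x0c" + bytes([len(value)]) + value          # UTF8String
    attr = b"\x06\x03\x55\x04\x03" + utf8                  # OID 2.5.4.3 + value
    attr = b"\x30" + bytes([len(attr)]) + attr             # AttributeTypeAndValue
    rdn_set = b"\x31" + bytes([len(attr)]) + attr          # RelativeDistinguishedName
    return b"\x30" + bytes([len(rdn_set)]) + rdn_set       # Name


def parse_certificate_request(body: bytes):
    """Return (certificate_types, signature_algorithms, ca_names) from a
    TLS 1.2 CertificateRequest body (4-byte handshake header already stripped).

    certificate_types<1..2^8-1>, supported_signature_algorithms<2..2^16-2>,
    certificate_authorities<0..2^16-1> of 2-byte-length-prefixed DER Names.
    """
    pos = 0
    n_types = body[pos]; pos += 1
    cert_types = list(body[pos:pos + n_types]); pos += n_types
    (sig_len,) = struct.unpack_from("!H", body, pos); pos += 2
    sig_algs = [tuple(body[i:i + 2]) for i in range(pos, pos + sig_len, 2)]
    pos += sig_len
    (ca_len,) = struct.unpack_from("!H", body, pos); pos += 2
    end = pos + ca_len
    ca_names = []
    while pos < end:
        (dn_len,) = struct.unpack_from("!H", body, pos); pos += 2
        ca_names.append(bytes(body[pos:pos + dn_len])); pos += dn_len
    if pos != end or end != len(body):
        raise ValueError("malformed CertificateRequest")
    return cert_types, sig_algs, ca_names


def build_certificate_request(ca_names) -> bytes:
    """Inverse of the parser; used here only to construct a sample message."""
    dns = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_names)
    sig_algs = b"\x04\x01\x05\x01"  # {sha256,rsa}, {sha384,rsa}
    return (b"\x01\x01"             # one certificate type: rsa_sign (1)
            + struct.pack("!H", len(sig_algs)) + sig_algs
            + struct.pack("!H", len(dns)) + dns)


@dataclass
class KeystoreEntry:
    label: str
    issuer: bytes          # DER-encoded issuer Name of the certificate
    has_private_key: bool  # False for a bare CA / trust-anchor certificate


def select_client_certs(keystore, ca_names):
    """Entries a browser would offer: issued by an acceptable CA (any CA when
    the server sent an empty list) and backed by a private key."""
    return [e for e in keystore
            if e.has_private_key and (not ca_names or e.issuer in ca_names)]


# Constructed keystore mirroring the question: two certificates issued by the
# project's CA, one from an unrelated CA, and the project CA's own certificate
# (trusted, but the user holds no private key for it).
PROJECT_CA = der_dn("My Project CA")
OTHER_CA = der_dn("Unrelated Corp CA")
KEYSTORE = [
    KeystoreEntry("alice@project", PROJECT_CA, True),
    KeystoreEntry("bob@project", PROJECT_CA, True),
    KeystoreEntry("vpn-user", OTHER_CA, True),
    KeystoreEntry("My Project CA (trust anchor)", PROJECT_CA, False),
]


def certs_offered_for(request_body: bytes, keystore=KEYSTORE):
    """Labels of the certificates the prompt would list for this request."""
    _, _, ca_names = parse_certificate_request(request_body)
    return [e.label for e in select_client_certs(keystore, ca_names)]


if __name__ == "__main__":
    # A server whose trust store holds only the project CA (as Tomcat in the
    # question) advertises just that CA; only alice and bob are offered.
    print(certs_offered_for(build_certificate_request([PROJECT_CA])))
    # An empty CA list means any issuer, but a private key is still required.
    print(certs_offered_for(build_certificate_request([])))
```

Note that the trust-anchor entry is never offered in either case, even though its issuer matches, because there is no private key to produce the CertificateVerify signature in step 3; that is the answer's point about trusted CA certificates on the device. A real client also checks the advertised certificate types and signature algorithms against the key type, which this example parses but does not filter on.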
