如何创建用于通过SSL进行双向身份验证的本地测试的客户端证书? [英] How do I create client certificates for local testing of two-way authentication over SSL?
问题描述
我正在尝试在运行IIS7的网络应用上设置双向身份验证。客户端将主要是移动设备,首先,我尝试使用第三代iPad进行演示。我以为首先要使其在我的工作站(也正在运行IIS)上运行,然后在iPad上复制工作证书。
I'm trying to set-up two-way authentication on a web app running on IIS7. The clients are going to mostly be mobile devices and in the first instance I'm trying to get a demo running using a 3rd generation iPad. I thought I'd start with getting it running on my workstation (which is also running IIS) first and then copy the working certificate over the the iPad.
但是我我撞到了墙。
我已经知道该站点可以通过https安全地运行,并且已经安装了自签名服务器证书,但是我似乎无法弄清楚如何生成可以在iPad上安装的客户端证书。当我在运行Windows 7的本地工作站上工作时,不能使用常规的 http:// machinename / CertSvr 来做到这一点。
I've got as far as having the site running securely over https and have installed a self-signed server certificate, however I can't seem to figure out how to generate a client certificate which I can install on the iPad. As I'm working on a local workstation running Windows 7 I can't use the usual http://machinename/CertSvr to do this.
所以我想知道是否有一种获取 makecert 的方法来生成测试客户端证书,或者我是否可以更改服务器证书以使其适合在客户端上使用。或者也许有一些工具在Googling的最后一天尚未发现?
So I'm wondering if there a way of getting makecert to generate test client certificates or whether I can change the usage flag in the server certificate to make it suitable for use on the client. Or perhaps there is some tool which the last day of Googling has not yet discovered?
更新:
我找到了本指南,然后将其遵循信件。一切似乎都正常,没有错误,我最终得到了两个pfx文件,一个用于服务器,一个用于客户端(我使用 pvk2pfx 生成了这些文件,并保留了原始文件 .pvk 和 .cer 文件以防万一)。
I found this guide and followed it to the letter. It all seemed to work, no errors, and I ended up with two pfx files, one for the server and one for the client (I generated these using pvk2pfx and kept the original .pvk and .cer files just in case).
我在证书(本地计算机)>下安装了服务器证书。受信任的根证书颁发机构,并将客户端证书安装在证书(当前用户)>下个人。我还已将服务器证书(CA证书)导入IIS。将IIS配置为接受或忽略客户端证书时,一切正常。但是,一旦将其设置为要求,则在请求该网站时我会得到403.7。我还尝试过将客户端证书导入IE / Chrome中的证书存储,但又没有骰子。
I installed the server certificate under Certificates (Local Computer) > Trusted Root Certification Authority and installed the client certificate under Certificates (Current User) > Personal. I have also imported the server certificate (the CA one) into IIS. It all works fine when IIS is configured to accept or ignore client certificates. However once it is set to 'Require' I'm getting a 403.7 when requesting the site. I've also tried importing the client certificate to the certificates store in IE/Chrome but again no dice.
是否有明显的错误?
推荐答案
当您问这个问题时也许不存在,但是Microsoft现在有一个指南正是这样做的。易于遵循,对我来说完美无缺!
Maybe this didn't exist when you asked this question but microsoft now has a GUIDE for doing exactly this. Easy to follow and worked perfectly for me!
这篇关于如何创建用于通过SSL进行双向身份验证的本地测试的客户端证书?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
