存储客户证书的最佳实践? [英] Best practice to store client certificates?
问题描述
我正在构建一个需要相互认证的应用程序.因此,我将使我的用户能够上传一堆客户端证书,并且当他们拨打电话时,他们可以使用其中任何一个.我将匹配传入请求中的客户端证书,以查看它是否与任何已存储的证书匹配,如果匹配,则该请求将被接受.
I am building an app that requires mutual authentication. So I will enable my users to upload a bunch of client certs and when they make calls, they can use either of them. I will match the client cert from the incoming request to see if it matches any of the ones already stored, and if it does, the request will be honored.
现在,我正在尝试找出存储这些客户端证书的最佳方法.我以为我可以将它们存储在数据库中,或某种文件/blob存储中,或者我知道它们也可以安装在计算机中的存储中?
Now I'm trying to figure what's the best way to store these client certs. I was thinking I could store them in a DB, or some kind of file/blob store, or I've learned they can also be installed in the store in the machine?
这些选项中的哪一个是理想的还是被视为最佳实践?
Which one of these options is ideal or considered as best practice?
存储客户端证书的最佳做法是什么?
What is the best practice to store client certificates?
我的服务器实际上正在Windows计算机上运行带有其他用户将使用的IIS的服务.
My server is actually running a service on a Windows machine with IIS that other users will use.
推荐答案
1.)要回答您的实际问题:
1.) To answer your actual question:
You can store the X.509 certificates anywhere you want, lets call the location a truststore. If it is in your file system, a database or somewhere else. The X.509 certificates can be made public to anyone, the do not contain any sensitive information. Only the public key of the public/private keypair is stored in the X.509 certificate.
您只需要确保没有其他人可以将证书添加/删除/修改到信任库中.否则,恶意软件将能够在您的信任库中添加例如他的 X.509证书,您将立即信任他.
You just have to make sure that NO ONE ELSE is able to add/remove/modify certificates into your truststore. Otherwise the malicious person will be able to add e.g., his X.509 certificate into your truststore and you would trust him right away.
2.)关于您的评论
I will match the client cert from the incoming request to see if it matches any of the ones already stored, and if it does, the request will be honored.
对证书进行简单的比较不够.任何人都可以向您发送任何证书.某人向您发送证书的事实否证明该人是与该证书相对应的私钥的所有者.
A simple comparison of certificates is not enough. Anyone can send you any certificate. The fact that someone sends you a certificate is no proof that the person is the owner of the private key, corresponding to that certificate.
为了确定,向您发送请求(您的传入请求)的人需要在例如传入请求上生成签名.如果您收到传入的请求以及签名,则可以使用X.509证书来检查签名是否有效.有很多签名方案,您需要弄清楚要使用的签名方案(有些很简单,有些更复杂).
In order to be sure, the person who sends you the request (your incoming request) needs to generate a signature over e.g., the incoming request. If you receive the incoming request together with the signature, you can use the X.509 certificate to check if the signature is valid or not. There are lots of signature schemes out there, you need to figure our which you want to use (some are simple, some are more complicated).
这篇关于存储客户证书的最佳实践?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
