OpenRasta 的 PKI 身份验证 [英] PKI authentication for OpenRasta

问题描述

我正在考虑为 OpenRasta 服务实施 PKI 身份验证(需要 x.509 证书的 2 路 SSL).
关于如何解决这个问题的任何想法?
谢谢

I'm looking at implementing PKI authentication ( 2 way SSL requiring x.509 certificates) for OpenRasta service.
Any ideas on how to go about this?
Thanks

推荐答案

我假设您使用的是 HttpListener 托管.

I assume that you're using the HttpListener hosting.

要启用 SSL/客户端证书，这些设置由 httpcfg 设置.

To enable SSL / Client certifiacates, those settings are set by httpcfg.

您可以在 http://msdn.microsoft.com/上找到一些信息en-us/library/ms733791.aspx.更具体地说，您应该能够使用客户端证书启用 SSL

You can find some information at http://msdn.microsoft.com/en-us/library/ms733791.aspx. More specifically, you should be able to enable SSL with client certificates using

httpcfg set ssl -i 0.0.0.0:8012 -h 0000000000003ed9cd0c315bbb6dc1c08da5e6 -f 3

在可以使用该工具的平台上.-u 是您的 IP/端口.您可能需要 -f 3 ，因为这会将客户端证书映射到 Windows 帐户，但是 -f 2 会在不关心设置身份验证的情况下进行传输安全.-h 是证书的指纹，它应该安装在目标服务器的证书存储中，你可以用常用的 Windows 管理工具找到.

On platforms where that tool can be used. The -u is your ip/port. You probably want -f 3 as this maps the client certificate to a windows account, but -f 2 would do the transport security without caring for setting authentication. -h is the thumprint of the certificate, which should be installed in the destination server's certificate store, you can find that with the usual windows admin tools.

还有一个工具可以让您控制 http.sys，位于 http://httpsysconfig.codeplex.com/

There's also a tool that lets you control http.sys at http://httpsysconfig.codeplex.com/

这篇关于OpenRasta 的 PKI 身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！