Two-way SSL clarification


Question

I am somewhat confused as to how two-way SSL works. How does the client create its certificate to send to the server? Is it generated from the server and distributed to the client?

Also, what is the advantage of two-way SSL over one-way SSL?

Answer

Both certificates should exist prior to the connection. They're usually created by Certification Authorities (not necessarily the same). (There are alternative cases where verification can be done differently, but some verification will need to be made.)

The server certificate should be created by a CA that the client trusts (and following the naming conventions defined in RFC 6125).

The client certificate should be created by a CA that the server trusts.

It's up to each party to choose what it trusts.

There are online CA tools that will allow you to apply for a certificate within your browser and get it installed there once the CA has issued it. They need not be on the server that requests client-certificate authentication.

The certificate distribution and trust management is the role of the Public Key Infrastructure (PKI), implemented via the CAs. The SSL/TLS clients and servers are then merely users of that PKI.

When the client connects to a server that requests client-certificate authentication, the server sends a list of CAs it's willing to accept as part of the client-certificate request. The client is then able to send its client certificate, if it wishes to and a suitable one is available.

The main advantages of client-certificate authentication are:

  • The private piece of information (the private key) is never sent to the server. The client doesn't let its secret out at all during authentication.
  • If the server trusts the CA that issued the certificate (and the certificate is valid), it can still authenticate that user. This is very much like the way passports are used: you may never have met the person showing you their passport, but because you trust the issuing authority, you can link the identity to that person.

You may be interested in Advantages of client certificates for client authentication? (on Security.SE).
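The PKI the answer describes, as an added example that is not part of the original question or answer: two independent CAs, a server certificate issued by one and a client certificate issued by the other, each checked against the trust store of the party that has to accept it. It assumes the openssl command-line tool is installed; the names (server-ca, client-ca, server.example) are made up.

```shell
#!/bin/sh
# Added example, not from the original Q&A: build two independent CAs, issue a
# server cert from one and a client cert from the other, then check which trust
# anchor each certificate chains to. Assumes the openssl CLI; names are made up.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME: a self-signed CA. This is the trust anchor a party chooses to trust.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue NAME CA EXTENSIONS: the holder generates its own key pair and a CSR;
# only the CSR (public key + name) goes to the CA, the private key never leaves.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    printf '%s\n' "$3" > "$WORK/$1.ext"
    openssl x509 -req -days 30 -in "$WORK/$1.csr" -extfile "$WORK/$1.ext" \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$1.pem" 2>/dev/null
}

# chains_to CERT TRUSTSTORE: prints yes if CERT validates against TRUSTSTORE, else no.
chains_to() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# acceptable_cas TRUSTSTORE: the CA names a server lists in its certificate
# request are simply the subjects of the CAs in its client trust store.
acceptable_cas() { openssl x509 -noout -subject -in "$1"; }

make_ca server-ca        # the CA the client trusts
make_ca client-ca        # the CA the server trusts (a different one on purpose)
issue server server-ca 'subjectAltName=DNS:server.example
extendedKeyUsage=serverAuth'
issue client client-ca 'extendedKeyUsage=clientAuth'

echo "server cert trusted by client?   $(chains_to "$WORK/server.pem" "$WORK/server-ca.pem")"
echo "client cert trusted by server?   $(chains_to "$WORK/client.pem" "$WORK/client-ca.pem")"
echo "client cert against server's CA? $(chains_to "$WORK/client.pem" "$WORK/server-ca.pem")"
echo "server advertises: $(acceptable_cas "$WORK/client-ca.pem")"
```

The private keys stay in $WORK next to the certificates; in practice only the .pem files are ever handed to the other side.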
