验证与SSL证书的Web浏览器 [英] Authenticate Web Browser with SSL certificate
问题描述
是否有可能使用SSL证书来验证Web浏览器。
Is it possible to authenticate a web browser using an ssl certificate.
说我存储私钥在我的应用程序,有没有办法读取从浏览器的关键,并尝试进行身份验证的基础上呢?
Say i store a private key in my application, is there any way to read a key from a browser and try to authenticate based on that?
推荐答案
您可以使用SSL / TLS客户端证书身份验证身份验证的浏览器/用户。
You can authenticate a browser/user using SSL/TLS client-certificate authentication.
客户端证书必须由服务器请求的,所以你需要访问服务器配置(不只是安装一些PHP code共享服务器上)。这是在SSL / TLS的层进行(事实上,该机制不是特定于HTTPS):服务器的SSL / TLS握手(有时通过重新协商握手)过程中请求客户证书。在Apache中的httpd,这通常通过 SSLVerifyClient <完成/ code> (尽管你需要太指定其他选项)。
The client certificate must be requested by the server, so you'd need access to the server configuration (not just installing some PHP code on a shared server). This is done at the SSL/TLS layer (in fact, the mechanism is not specific to HTTPS): the server requests the client-certificate during the SSL/TLS handshake (sometimes via a renegotiated handshake). In Apache Httpd, this is typically done via SSLVerifyClient (although you'll need to specify other options too).
服务器将然后验证针对您所用(可能是你自己的,并可能独立使用的服务器证书本身的CA)配置它的CA证书。 (另外,你可以在某些情况下,服务器级别禁用证书验证,并有PHP应用程序做到这一点,但是这是一个比较先进的,你需要知道你在做什么。)
The server will then verify the certificate against the CAs you've configured it with (possibly your own, and possibly independent of the CAs used for the server certificate itself). (Alternatively, you could disable certificate verification at the server level in some cases, and have the PHP application do it, but this is a bit more advanced and you'd need to know what you're doing.)
您可以从您的应用程序访问客户端证书,并获得其主题DN(或替代名称),标识客户端。
You can access the client certificate from your application and obtains its Subject DN (or alternative names), to identify the client.
目前还不清楚是否标识的浏览器的或的用户的后是。在结束时,一切顺利通过浏览器无论如何,但客户端证书往往要被分配给用户。用户必须安装该证书在其浏览器。
It's not clear whether you're after identifying a browser or a user. In the end, everything goes through the browser anyway, but client certificates tend to be allocated to users. Users would have to install that certificate into their browser.
编辑:有关详细信息,这将有助于如果你能澄清你的问题,你打算用这个做什么
For further details, it would help if you could clarify your question and what you intend to do with this.
是否有可能使用SSL证书来验证Web浏览器。
Is it possible to authenticate a web browser using an ssl certificate.
说我存储私钥在我的应用程序,有没有办法读
从浏览器的关键,并尝试基于认证?
Say i store a private key in my application, is there any way to read a key from a browser and try to authenticate based on that?
首先,严格地说,有没有这样的事,作为一个SSL证书,因为多种类型的证书可以用于SSL / TLS,有的这些相同的证书也可用于其它目的,而不是SSL / TLS的。通常情况下,SSL证书是指在SSL / TLS的背景下X.509证书。
Firstly, strictly speaking, there's no such thing as an "SSL certificate", since multiple types of certificates can be used for SSL/TLS, and some of these same certificates can also be used for other purposes than SSL/TLS. Typically, "SSL certificate" means "X.509 certificate in the context of SSL/TLS".
因此,认证使用SSL证书的Web浏览器意味着在SSL / TLS层这样做。 (已经有在HTTP层使用X.509证书来实现消息级安全性的尝试,但他们没有得到广泛浏览器支持。)
Therefore, authenticating a web browser using an SSL certificate implies doing it at the SSL/TLS layer. (There have been attempts to implement message-level security using X.509 certificates at the HTTP layer, but they're not widely supported by browsers.)
其次,私钥由您验证远程方举行。即验证对方的地方党没有看到任何私钥。如果你(作为服务器)要进行身份验证的Web浏览器,它是需要有私钥,而不是你(presumably PHP)应用程序的浏览器。在这种情况下,它不是很清楚为什么你(PHP?)应用程序将有/需要一个私钥,如果它要验证浏览器。
Secondly, the private key is held by the remote party that you authenticate. The local party that authenticates the remote party doesn't see any private key. If you (as a server) want to authenticate a web browser, it's the browser that needs to have the private key, not your (presumably PHP) application. In this context, it's not quite clear why your (PHP?) application would have/need a private key if it's the browser that you want to authenticate.
的验证应用程序可能需要什么(如果它不是由服务器本身完成)是CA证书,以便能够验证客户端证书是与(或至少某种形式的信任锚,用以psented $ P $验证客户端证书)。这里有不需要的私钥,只是公共密钥和证书,除非你想你的应用程序是一个CA了。
What your verifying application may need (if it's not done by the server itself) is a CA certificate to be able to verify the client certificate it is presented with (or at least some form of trust anchors with which to verify the client certificate). There's no private key required here, just public keys and certificates, unless you want your application to be a CA too.
事实上,你可以有你的应用程序是一个小型CA.它可以使浏览器生成一个密钥对,并发送证书请求到服务器(有机制,有一个网页使浏览器做这一切)。然后服务器会生成证书,并在浏览器导入它背靠其私钥。随后,浏览器可以使用该证书进行身份验证与服务器(或其他服务器会识别这些证书)。
Indeed, you could have your application be a mini CA. It could make the browser generate a key-pair and send a certificate request to the server (there are mechanisms to have a web page make the browser do all that). Then the server would generate the certificate and make the browser import it back against its private key. Subsequently, the browser could use this certificate for authentication with that server (or other servers that would recognise these certificates).
这篇关于验证与SSL证书的Web浏览器的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
