Mutual authentication in SSL/TLS

Views: 477

Question

I am new to SSL authentication and I have a requirement to authenticate two architectural components over a trust boundary with SSL (I have control over both components). I think I will need two way SSL authentication with both the server and client having certificates.

Can the certificates be self-signed? (ie. signed by the vendor, and this won't nullify using SSL in the first place? Or do I need a third party verification service to ensure the identity of the certificate?)

How does the handshake work in terms of public and private keys for both server and client?

I will have to configure the server in IIS to use the certificate, and send the client certificate with the request (most likely by configuration using WCF?), but are there any other tasks I will have to do to make this work?

Answer

Two-way authentication with client and server certificates would work. You can use self-signed certificates as well. But you would need to bypass the certificate validation on both client and server if both certificates are self-signed, as they are not signed by a trusted authority.

In terms of installation of the certificates it should be done as below:

Server side

  1. ServerCert.pfx installed to LocalMachine --> Personal store
  2. ClientCert.cer installed to Local Machine --> Trusted People store

Client side

  1. ClientCert.pfx installed to Current User --> Personal Store
  2. ServerCert.cer installed to Local Machine --> Trusted Store

You would need to ship the ServerCert.cer file to the client and the client would need to ship ClientCert.cer to you.

Now if you are using self-signed certificates and your client is accessing your service, then he would need to bypass the certificate validation. Sample code in C# below:

        // Disables server certificate validation entirely: every certificate the
        // server presents, self-signed or otherwise, is accepted. This is the bypass
        // the self-signed setup above requires.
        System.Net.ServicePointManager.ServerCertificateValidationCallback =
            (sender, cert, chain, error) =>
            {
                return true;
            };

Hope that helps.

Note: it is not advisable to use self-signed certificates in a production environment.
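As an added example (not part of the original answer), the same callback written so that the client still accepts the self-signed ServerCert.cer it was shipped, but only that certificate rather than any certificate at all; the certificate file path and the class name are assumptions:

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example: pin the shipped self-signed server certificate instead of
// returning true for everything. The certificate path is an assumption.
static class PinnedServerCertificate
{
    // The ServerCert.cer file the server operator shipped to this client.
    private static readonly X509Certificate2 Expected =
        new X509Certificate2(@"C:\certs\ServerCert.cer");

    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors errors)
    {
        if (cert == null) return false;

        // A self-signed certificate necessarily fails chain building, so that is
        // the only policy error tolerated here; a name mismatch or a missing
        // certificate is still rejected.
        const SslPolicyErrors tolerated = SslPolicyErrors.RemoteCertificateChainErrors;
        if ((errors & ~tolerated) != SslPolicyErrors.None) return false;

        // Compare the presented certificate byte-for-byte with the pinned one.
        byte[] presented = cert.GetRawCertData();
        byte[] expected = Expected.RawData;
        if (presented.Length != expected.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= presented[i] ^ expected[i];
        if (diff != 0) return false;

        // Pinning does not exempt the certificate from its own validity period.
        DateTime now = DateTime.UtcNow;
        return now >= Expected.NotBefore.ToUniversalTime()
            && now <= Expected.NotAfter.ToUniversalTime();
    }

    // Install the pinning callback where the "return true" version was used.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }
}
```

When ServerCert.cer is rotated, the new file must be shipped to the client again, exactly as the answer describes for the initial exchange.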
