I am trying to export a client certificate for use with a web browser.
The goal is to restrict access to the admin area using the <Location> directive. I have seen numerous tutorials on using self-signed CAs. How would you do this using a third-party CA?
1) Do I need to include the CA in the client pfx if it is a trusted root CA? I have seen examples of both.
Without CA:
openssl pkcs12 -export -inkey KEYFILENAME -in CERTFILEFILENAME -out XXX.pfx
With CA:
openssl pkcs12 -export -in my.crt -inkey my.key -certfile my.bundle -out my.pfx
2) Do I still need to include SSLCACertificateFile for the trusted CA in the httpd.conf setup?
SSLVerifyClient none
SSLCACertificateFile conf/ssl.crt/ca.crt
<Location /secure/area>
SSLVerifyClient require
SSLVerifyDepth 1
</Location>
http://www.modssl.org/docs/2.8/ssl_howto.html#ToC8
1 solution
#1
You cannot issue client certificates with a third-party CA-signed certificate. You have to have a self-signed CA for issuing client certificates, and specify this CA as SSLCACertificateFile.
Sample:
SSLCertificateFile /etc/apache2/ssl/apache.cer # site certificate signed by verisign
SSLCertificateKeyFile /etc/apache2/ssl/apache.key # site key for certificate signed by verisign
SSLCACertificateFile /etc/apache2/ssl/apachelca2.pem # your self signed CA
Note that apachelca2.pem has both the key and the certificate in it. Command lines to issue client certificates:
openssl req -config /usr/share/apache2/ssleay.cnf -new -key client.key -out client.csr
openssl x509 -req -days 365 -CA /etc/apache2/ssl/apachelca2.pem -CAkey /etc/apache2/ssl/apachelca2.pem -CAcreateserial -in client.csr -extfile /usr/share/apache2/ssleay.cnf -extensions v3_req -out client.crt
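A worked version of both halves of this thread, added here as an example and not code from the question or the answer above. It builds a private CA and issues a browser client certificate (the answer's openssl req / x509 -req steps), exports that certificate as PKCS#12 both without and with the CA certificate (the two pkcs12 -export forms in question 1), and then checks the certificate against the CA the way mod_ssl does for SSLCACertificateFile with SSLVerifyDepth 1 (question 2), including a negative check with a certificate from an unrelated CA. The file names, subject names, RSA-2048 keys, the export password changeit and the second "foreign" CA are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original question or answer): build a private
# CA, issue one browser client certificate, export it as PKCS#12 with and
# without the CA certificate, and verify it the way mod_ssl does.
# Assumed (not from the page): file names, subject names, RSA-2048 keys and
# the export password "changeit".
set -eu

PFX_PASS=changeit

# Build a private CA and one client certificate under directory $1.
# $2 (optional) is the CA's common name.
make_client_cert() {
  dir="$1"
  ca_cn="${2:-Example Private Client CA}"
  mkdir -p "$dir"
  # Self-signed CA: this certificate is what goes in SSLCACertificateFile.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=$ca_cn" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Client key and CSR (the browser user's identity).
  openssl req -newkey rsa:2048 -nodes -subj "/CN=alice" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  # Extensions for a TLS client certificate; without clientAuth some
  # servers and browsers refuse to use it for client authentication.
  printf '%s\n' 'basicConstraints=CA:FALSE' \
    'keyUsage=digitalSignature,keyEncipherment' \
    'extendedKeyUsage=clientAuth' > "$dir/client.ext"
  # Sign the CSR with the CA (equivalent of the answer's x509 -req step).
  openssl x509 -req -days 365 -in "$dir/client.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null
}

# Question 1, first form: leaf certificate and key only.
export_pfx_leaf_only() {
  openssl pkcs12 -export -inkey "$1/client.key" -in "$1/client.crt" \
    -passout "pass:$PFX_PASS" -out "$1/client-leaf.pfx"
}

# Question 1, second form: also bundle the issuing CA via -certfile.
export_pfx_with_chain() {
  openssl pkcs12 -export -inkey "$1/client.key" -in "$1/client.crt" \
    -certfile "$1/ca.crt" -passout "pass:$PFX_PASS" -out "$1/client-chain.pfx"
}

# Number of certificates inside a .pfx (1 = leaf only, 2 = leaf + CA).
pfx_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# What mod_ssl does at the handshake for the <Location>: the presented
# certificate must chain to SSLCACertificateFile within SSLVerifyDepth 1
# and be usable as a TLS client certificate.
verify_against_ca() {
  openssl verify -CAfile "$1/ca.crt" -verify_depth 1 -purpose sslclient \
    "$1/client.crt" >/dev/null 2>&1
}

# Negative check: a certificate issued by any other CA, even one the browser
# trusts, is rejected because the server only trusts ca.crt.
verify_foreign_cert_fails() {
  make_client_cert "$1/other" "Some Other CA"
  if openssl verify -CAfile "$1/ca.crt" -verify_depth 1 -purpose sslclient \
       "$1/other/client.crt" >/dev/null 2>&1; then
    return 1    # would mean the server accepts a foreign CA; must not happen
  fi
  return 0
}

main() {
  work="${1:-$(mktemp -d)}"
  make_client_cert "$work"
  export_pfx_leaf_only "$work"
  export_pfx_with_chain "$work"
  echo "certificates in client-leaf.pfx:  $(pfx_cert_count "$work/client-leaf.pfx")"
  echo "certificates in client-chain.pfx: $(pfx_cert_count "$work/client-chain.pfx")"
  verify_against_ca "$work" && echo "client.crt verifies against ca.crt"
  verify_foreign_cert_fails "$work" && echo "certificate from another CA is rejected"
  echo "files left in $work"
}

main "$@"
```

pfx_cert_count shows what question 1 is really asking about: the leaf-only export carries one certificate, the -certfile export two. Either file imports into a browser; bundling the CA only matters when the browser has to build or display the chain itself. The last check is the answer to question 2: mod_ssl validates the presented certificate only against SSLCACertificateFile (and SSLCACertificatePath), and also sends the subject names from that file as the acceptable-issuer list in the CertificateRequest, so the browser offers only certificates issued by those CAs and anything else is rejected at the handshake before the <Location> is ever reached.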