在具有相互/双向认证的访问页面时提示每个会话的密码短语(使用p12证书)

时间:2014-01-23 21:22:16

标签: php apache ssl certificate passphrase

我有以下配置: Apache 2.2,SSL,MySQL,PHP 5 我通过相互身份验证(p12客户端证书)保护了一个页面。现在 - 只有在浏览器中安装了此证书后才能访问该页面。访问该页面时,系统仅提示您选择证书。但这对我来说还不够。有没有办法保护使用密码证书,我的意思是 - 每当apache与客户端的连接不仅与证书相关,而且当你选择证书时,强制你使用pasphrase进行证书解密。我希望你理解我的问题,即使我的术语不完全正确。

更新

我找到了这篇文章:http://www.symantec.com/connect/articles/apache-2-ssltls-step-step-part-3但是我错过了哪一部分。这是我的证书配置:

# Folders structure:
#
# cert
#   |-- CA
#   |
#   |-- server
#   |  |-- certificates
#   |  |-- keys
#   |  |-- requests
#   |
#   |-- user
#      |-- certificates
#      |-- keys
#      |-- requests
#
# cd to cert folder
#

define server='ServerName';
define client='ClientName';
define -i days=3650;

# CA self-signed certificate:
dd if=/dev/random of=random bs=4096 count=1 # file with randomly generated 4096 bytes
openssl genrsa -rand random -out ./CA/CA.key 4096 # generate Key
openssl req -new -key ./CA/CA.key -out ./CA/CA.csr # generate Certificate Signing Request
openssl x509 -req -days $days -in ./CA/CA.csr -out ./CA/CA.crt -signkey ./CA/CA.key # self-sign the Certificate

# Server certificate:
dd if=/dev/random of=random bs=4096 count=1 # file with randomly generated 4096 bytes
openssl genrsa -rand random -des3 -out ./server/keys/$server.key 4096 # generate Key
openssl req -new -key ./server/keys/$server.key -out ./server/requests/$server.csr # generate Certificate Signing Request
openssl ca -days $days -in server/requests/$server.csr -cert ./CA/CA.crt -keyfile ./CA/CA.key -out ./server/certificates/$server.crt # generate and sign Certificate with CA

# Client certificate:
dd if=/dev/random of=random bs=4096 count=1 # file with randomly generated 4096 bytes
openssl genrsa -rand random -des3 -out ./user/keys/$client.key 4096 # generate Key
openssl req -new -key ./user/keys/$client.key -out ./user/requests/$client.csr # generate Certificate Signing Request
openssl ca -in ./user/requests/$client.csr -cert ./CA/CA.crt -keyfile ./CA/CA.key -out ./user/certificates/$client.crt # generate and sign Certificate with CA
openssl pkcs12 -export -clcerts -in ./user/certificates/$client.crt -inkey ./user/keys/$client.key -out ./user/certificates/$client.p12 # generate P12 certificate

或者我需要为此设置Apache?

1 个答案:

答案 0 :(得分:0)

好吧,我想我发现了 - 要求密码短语不是证书的任务,而是(在当前情况下)浏览器的任务。在IE中,您可以在导入证书时选中“启用强私钥保护”复选框。在Firefox中 - 使用主密码。我没有玩过其他浏览器。

如果您有更多建议或知识,我将很乐意阅读它们!

相关问题
最新问题