我有以下配置: 带有 SSL、MySQL、PHP 5 的 Apache 2.2 我通过相互身份验证(p12 客户端证书)保护了一页。现在 - 只有在您的浏览器中安装了此证书,您才能访问该页面。当您访问该页面时,系统只会提示您选择证书。但这对我来说还不够。有没有办法保护使用密码短语的证书,我的意思是 - 每次当 apache 与客户端配对连接时,不仅是为了证书,而且当您选择证书时,强制您使用密码短语进行证书解密。我希望你理解我的问题,即使我的术语并不完全正确。
更新
我找到这篇文章:http://www.symantec.com/connect/articles/apache-2-ssltls-step-step-part-3但是我想念哪一部分。这是我的证书配置:
# Folders structure:
#
# cert
# |-- CA
# |
# |-- server
# | |-- certificates
# | |-- keys
# | |-- requests
# |
# |-- user
# |-- certificates
# |-- keys
# |-- requests
#
# cd to cert folder
#
define server='ServerName';
define client='ClientName';
define -i days=3650;
# CA self-signed certificate:
dd if=/dev/random of=random bs=4096 count=1 # file with randomly generated 4096 bytes
openssl genrsa -rand random -out ./CA/CA.key 4096 # generate Key
openssl req -new -key ./CA/CA.key -out ./CA/CA.csr # generate Certificate Signing Request
openssl x509 -req -days $days -in ./CA/CA.csr -out ./CA/CA.crt -signkey ./CA/CA.key # self-sign the Certificate
# Server certificate:
dd if=/dev/random of=random bs=4096 count=1 # file with randomly generated 4096 bytes
openssl genrsa -rand random -des3 -out ./server/keys/$server.key 4096 # generate Key
openssl req -new -key ./server/keys/$server.key -out ./server/requests/$server.csr # generate Certificate Signing Request
openssl ca -days $days -in server/requests/$server.csr -cert ./CA/CA.crt -keyfile ./CA/CA.key -out ./server/certificates/$server.crt # generate and sign Certificate with CA
# Client certificate:
dd if=/dev/random of=random bs=4096 count=1 # file with randomly generated 4096 bytes
openssl genrsa -rand random -des3 -out ./user/keys/$client.key 4096 # generate Key
openssl req -new -key ./user/keys/$client.key -out ./user/requests/$client.csr # generate Certificate Signing Request
openssl ca -in ./user/requests/$client.csr -cert ./CA/CA.crt -keyfile ./CA/CA.key -out ./user/certificates/$client.crt # generate and sign Certificate with CA
openssl pkcs12 -export -clcerts -in ./user/certificates/$client.crt -inkey ./user/keys/$client.key -out ./user/certificates/$client.p12 # generate P12 certificate
或者我需要为此设置 Apache?
最佳答案
好的,我想我找到了 - 要求密码不是证书的任务,而是(在当前情况下)浏览器的任务。在 IE 中,您可以在导入证书时选中“启用强私钥保护”复选框。在 Firefox 中 - 使用主密码。我没有玩过其他浏览器。
如果您有更多建议或知识,我将很乐意阅读!
关于php - 在使用相互/双向身份验证(使用 p12 证书)访问页面时提示每个 session 输入密码,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/21319590/