0

我有以下配置:带有 SSL、MySQL、PHP 5 的 Apache 2.2 我通过相互身份验证(p12 客户端证书)保护了一个页面。现在 - 只有在浏览器中安装了此证书时,您才能访问该页面。当您访问该页面时,系统只会提示您选择证书。但这对我来说还不够。有没有办法保护使用密码短语的证书,我的意思是 - 每次当 apache 与客户端配对连接时,不仅是为了证书,而且当你选择证书时,强制你使用密码短语进行证书解密。我希望你能理解我的问题,即使我的术语并不完全正确。

更新

我找到了这篇文章:http ://www.symantec.com/connect/articles/apache-2-ssltls-step-step-part-3但是我错过了哪一部分。这是我的证书配置:

# Folders structure:
#
# cert
#   |-- CA
#   |
#   |-- server
#   |  |-- certificates
#   |  |-- keys
#   |  |-- requests
#   |
#   |-- user
#      |-- certificates
#      |-- keys
#      |-- requests
#
# cd to cert folder
#

define server='ServerName';
define client='ClientName';
define -i days=3650;

# CA self-signed certificate:
dd if=/dev/random of=random bs=4096 count=1 # file with randomly generated 4096 bytes
openssl genrsa -rand random -out ./CA/CA.key 4096 # generate Key
openssl req -new -key ./CA/CA.key -out ./CA/CA.csr # generate Certificate Signing Request
openssl x509 -req -days $days -in ./CA/CA.csr -out ./CA/CA.crt -signkey ./CA/CA.key # self-sign the Certificate

# Server certificate:
dd if=/dev/random of=random bs=4096 count=1 # file with randomly generated 4096 bytes
openssl genrsa -rand random -des3 -out ./server/keys/$server.key 4096 # generate Key
openssl req -new -key ./server/keys/$server.key -out ./server/requests/$server.csr # generate Certificate Signing Request
openssl ca -days $days -in server/requests/$server.csr -cert ./CA/CA.crt -keyfile ./CA/CA.key -out ./server/certificates/$server.crt # generate and sign Certificate with CA

# Client certificate:
dd if=/dev/random of=random bs=4096 count=1 # file with randomly generated 4096 bytes
openssl genrsa -rand random -des3 -out ./user/keys/$client.key 4096 # generate Key
openssl req -new -key ./user/keys/$client.key -out ./user/requests/$client.csr # generate Certificate Signing Request
openssl ca -in ./user/requests/$client.csr -cert ./CA/CA.crt -keyfile ./CA/CA.key -out ./user/certificates/$client.crt # generate and sign Certificate with CA
openssl pkcs12 -export -clcerts -in ./user/certificates/$client.crt -inkey ./user/keys/$client.key -out ./user/certificates/$client.p12 # generate P12 certificate

或者我需要为此设置 Apache?

4

1 回答 1

0

好的,我想我找到了 - 要求密码不是证书的任务,而是(在当前情况下)浏览器的任务。在 IE 中,您可以在导入证书时选中“启用强私钥保护”复选框。在 Firefox 中 - 使用主密码。我没有玩过其他浏览器。

如果您有更多建议或知识,我将很高兴阅读它们!

于 2014-01-24T19:49:27.470 回答