问题描述

ServerA 和 ServerB 是 Web 服务器.ServerA 希望与 ServerB 通信.ServerA 可以在相互认证时使用其服务器证书作为客户端证书吗?

ServerA and ServerB are the web servers. ServerA wishes to communicate with ServerB. Can ServerA use its server certificate as a client certificate during mutual authentication ?

推荐答案

SSL 证书实际上是身份.客户端证书和服务器证书之间的区别在于客户端证书标识一个人(或代表他们的软件)，而服务器证书标识一个服务(或托管该服务的机器).从密码学上讲，您可以将任一方用作 SSL 连接的实际客户端身份，但另一方(该特定连接上的服务器)必须接受该证书；大多数人不会将服务器的专有名称放入可接受的身份.还有可能存在也可能不存在的扩展密钥使用约束；如果存在，他们可以强制执行服务器和客户端证书之间的分离(请不要为了忽略策略要求而进行黑客攻击！)但我不知道这是否真的适用于您的情况.那里的规则有点复杂.

SSL certificates are really identities. The difference between a client certificate and a server certificate is that a client certificate identifies a person (or the software acting on their behalf) and a server certificate identifies a service (or the machine hosting that service). Cryptographically, you can use either as the actual client side identity of an SSL connection, but the other side (the server on that particular connection) has to accept the certificate; most people don't put the Distinguished Name of servers into the database of acceptable identities. There's also the Extended Key Usage constraints that might or might not be present; if present, they could enforce the separation between server and client certificates (don't hack things to ignore policy requirements, please!) but I've no idea if that will actually apply to your situation. The rules there are a bit intricate.

简而言之:你可以做到，但这是个好主意吗?

In short: you can do it, but is it a good idea?

这篇关于使用服务器证书作为客户端证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！