This post was published on rolia.net/zh, the 枫下论坛 forum of the 相约加拿大 online community.
If you want to use the certificate on the Internet, you'll need to get one from one of the CAs (VeriSign, Thawte, Equifax, etc.). If it is for internal use, you can set up your own CA and sign certificates for both server and client.
In order for the server to be able to authenticate the client, the server must have the CA certificate that signs the client certificate installed as a trusted CA. Usually the browser comes with sufficient CA certificates.
> 证？ In the "require" case, how do I obtain a client certificate?
My understanding is, ignore will not require any client certificate; accept will ask for a client certificate but it's not mandatory. Often, you can assign different privileges for users with and without a certificate on the server side.
To make sure the secure channel has been established, look at the corner of your IE browser; there should be a lock that is locked. If you are still worried, get a sniffer (NT/2k's network monitor will do), sniff the wire and see if you can get some plain text.
See above for client certificate.
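
The internal-CA setup described in the post above, as an added example that is not part of the original post: a throwaway CA made with OpenSSL signs one server and one client certificate, and the client certificate is then checked against the CA the server trusts and against an unrelated CA. All names (Example Internal CA, client1, www.example.internal) and the 30-day lifetime are constructed for illustration; it assumes the `openssl` command-line tool with its default configuration file.

```shell
#!/bin/sh
# Added example: private CA signing server and client certificates.
# All subject names and file names below are constructed for illustration.

make_ca() {  # $1 = file prefix, $2 = CA common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

issue_cert() {  # $1 = CA prefix, $2 = leaf prefix, $3 = CN, $4 = serverAuth|clientAuth
    # Key pair and signing request for the server or client.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null || return 1
    # Leaf certificates must not be CAs and are limited to one TLS role.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$4" > "$2.ext"
    # The CA signs the request.
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 30 -extfile "$2.ext" -out "$2.crt" 2>/dev/null
}

trusts() {  # $1 = trusted CA cert, $2 = cert to check, $3 = sslclient|sslserver
    # Succeeds only if $2 chains to $1 and is usable for role $3.
    openssl verify -purpose "$3" -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() (
    dir=$(mktemp -d) && cd "$dir" || exit 1
    make_ca internal "Example Internal CA"
    make_ca other "Unrelated CA"
    issue_cert internal server "www.example.internal" serverAuth
    issue_cert internal client "client1" clientAuth
    # Server side: the client is accepted only when the signing CA is trusted.
    if trusts internal.crt client.crt sslclient; then
        echo "server trusts internal CA: client1 accepted"
    fi
    if ! trusts other.crt client.crt sslclient; then
        echo "server trusts only the unrelated CA: client1 rejected"
    fi
    # A server-role certificate cannot be presented as a client certificate.
    if ! trusts internal.crt server.crt sslclient; then
        echo "server certificate rejected for client authentication"
    fi
    rm -rf "$dir"
)

demo
```

On the web server, `internal.crt` is the file that gets installed as the trusted CA; `client.key` and `client.crt` go to the user's browser, and `internal.key` stays offline with whoever runs the CA.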