My understanding is...

dennis2 (Dennis)
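<This post was published on: 相约加拿大:枫下论坛 >
> If require is selected, the client cannot access the encrypted port and is
> asked to provide a client certificate. Where do I get one? How is it matched with the server?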

If you want to use the certificate on the Internet, you'll need to get one from one of the CAs (VeriSign, Thawte, Equifax, etc.). If for internal use, you can set up your own CA and sign certs for both server and client.

In order for the server to be able to authenticate the client, the server must have the CA certificate that signs the client certificate installed as a trusted CA. Usually the browser comes with sufficient CA certificates.

> What is the difference between ignore and accept? Has an encrypted channel really been established? How can I
> verify it? With require, how do I get a client certificate?

My understanding is, ignore will not require any client certificate; accept will ask for a client certificate but it's not mandatory. Often, you can assign different privileges for users with and without a certificate on the server side.

To make sure the secure channel has been established, look at the corner of your IE browser; there should be a lock that is locked. If you are still worried, get a sniffer (NT/2k's network monitor will do) and sniff the wire and see if you can get some plain text.

See above for client certificate.

2001-8-24 -04:00
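The internal-CA setup and the trust check described in the post above, as an added example that is not part of the original post. It assumes the OpenSSL command-line tool rather than any IIS tooling, and every file name and subject name is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post). File names and subjects are constructed.
set -e

# Build a throwaway internal CA, then issue server and client certs from it.
make_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Self-signed root: this is the cert the server installs as a trusted CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Internal CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    for who in server client; do
        # Key pair plus signing request, then the CA signs the request.
        openssl req -new -newkey rsa:2048 -nodes \
            -subj "/CN=$who.example.internal" \
            -keyout "$dir/$who.key" -out "$dir/$who.csr" 2>/dev/null
        openssl x509 -req -in "$dir/$who.csr" -days 30 \
            -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
            -out "$dir/$who.crt" 2>/dev/null
    done
    # A client cert from outside the CA (self-signed), for contrast.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=outsider.example.invalid" \
        -keyout "$dir/outsider.key" -out "$dir/outsider.crt" 2>/dev/null
}

# Succeeds only if the cert chains to the given CA file, which is the
# decision a server makes when client certificates are required.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

demo_dir=$(mktemp -d)
make_pki "$demo_dir"
for c in client outsider; do
    if chains_to_ca "$demo_dir/ca.crt" "$demo_dir/$c.crt"; then
        echo "$c.crt: accepted (signed by the trusted CA)"
    else
        echo "$c.crt: rejected (issuer is not a trusted CA)"
    fi
done
rm -rf "$demo_dir"
```

An empty certificate list in the browser prompt corresponds to the second case: the client holds no certificate issued by a CA the server trusts.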

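Back to topic: Is it necessary to buy a CA certificate to set up SSL? After setting up SSL in IIS5, when a client accesses the server it is prompted to choose client authentication, but the list is empty; after continuing, it can reach the encrypted port of the https server. Has the SSL channel really been established at this point?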
