本文发表在 rolia.net 枫下论坛> 如果选择require，客户端不能访问加密端口，要求提供client
> certificate，从哪里得到？如何与server匹配？

If you want to use the certificate on the Internet, you'll need to get one from one of the CA (verisign, thawte, equifax, etc.). If for internal use, you can setup your own CA and sign cert for both server and client.

In order for the server to be able to authenticate the client, the server must have the CA certificate that signs the client certificate installed as trusted CA. Usually the browser comes with surficiant(spelling?) CA certificate.

> 请问，ignore和accept有何分别？是真的建立加密通道了吗？如何验
> 证？require的情况下，如何得到client certificate？

My understanding is, ignore will not require any client certificate; accept will ask for client certificate but it's not mandatory. Often, you can assign different privilages for users with and without certificate on the server side.

To make sure the secure channel has been established, see the corner of your IE brower, there shoud be a lock that is locked. If you are still worried, get a sniffer (NT/2k's network monitor will do) and sniff the wire and see if you can get some plain text.

See above for client certificate.更多精彩文章及讨论，请光临枫下论坛 rolia.net