Combining an officially issued SSL certificate with a self-signed certificate to implement two-way website authentication
2022-07-26 09:34:00 【Jack-ZOU】
This is a very interesting experiment.
As you already know, an SSL certificate issued by a certification authority is installed only on the server side. It lets visitors connect to the website over SSL and confirms the website's real address to them. However, if you want to restrict who can visit the website, you need to verify a certificate held by the client; only then is the secure link established. When a certification authority issues an SSL certificate, there is no matching client certificate, so nothing can be installed on the client and client authentication cannot be enabled.
The AD CS certificate service can issue server-side SSL certificates and can also issue client certificates (see above). However, a server SSL certificate issued by AD CS can only be bound to one domain name, that is, WWW.abc.com or abc.com. If one of the names is bound and the site is accessed with the other, the certificate is reported as a problem because it was not issued for that domain name, which is a little annoying.
Today's idea: can the SSL certificate issued by a third-party certification authority be used together with certificates issued by AD CS to achieve two-way authentication? Let's start the test.
On the server side, first set up the SSL certificate: import it into the Personal store of the server's certificates. Then import the certificate into "Trusted certificate" in certificate management on the client computer. In IIS, set the website to require SSL and choose not to require a client certificate. With this setting, a client that accesses the site over http gets a 403 error. Over https, a secure link is established, and clicking the "lock" icon displays the certificate details. This shows that the SSL certificate is configured successfully.
Next, change the IIS settings on the server again: require SSL and, at the same time, require a client certificate. Now access over https fails because the client has no certificate, and the prompt says a security certificate is needed for access.
Now open the certificate application page on the server, usually localhost/certsrv, and apply for a client certificate. After the application succeeds, the certificate goes into the server's browser; export it from the server's browser and copy it to the desktop of the client computer.
The next step: on the client, import the client certificate into the Personal certificate store (sometimes you need to import it into the browser manually); on the server, import the client certificate into "Trusted certificate".
OK! Now, on the client, access the site over https. A page appears asking the user to select a certificate. After selecting a certificate and confirming, a two-way link is established and the website can be visited normally.
In addition, if the certificate selection dialog does not pop up, it may be because you visited the site before or previously declined to choose a certificate; in that case the dialog may not appear on the next visit. Clear the browser cache and re-enter the address to access the site.
A trick: if the client uses http while IIS requires SSL, a 403 page is usually shown. You can modify the 403 page so that the website automatically redirects to https, which is friendlier. The relevant setup methods can be found on Baidu.
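The two IIS settings used in the steps above, with a client-side check that the certificate requirement is really enforced. This is an added example, not part of the original post; the site name, URL and thumbprint are placeholders, and the server and client halves run on their respective machines.

```powershell
# Added example. Site name, URL and thumbprint are placeholders, not values from the article.
$site        = 'Default Web Site'
$url         = 'https://www.abc.com/'
$clientThumb = '<CLIENT-CERT-THUMBPRINT>'

# --- On the IIS server (elevated session) ---
Import-Module WebAdministration

function Set-SiteSslFlags {
    param([string]$Flags)
    # The access section is locked at server level by default, so write it to
    # applicationHost.config under a <location> for the site, then read it back.
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value $Flags
    Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
        -Filter 'system.webServer/security/access' -Name 'sslFlags'
}

# Stage 1: require SSL, no client certificate (http is refused with 403.4).
Set-SiteSslFlags 'Ssl'

# Stage 2: require SSL and a client certificate (no certificate gives 403.7).
Set-SiteSslFlags 'Ssl,SslNegotiateCert,SslRequireCert'

# --- On the client ---
$cert = Get-Item "Cert:\CurrentUser\My\$clientThumb"
if (-not $cert.HasPrivateKey) {
    # A certificate without its private key cannot authenticate the client.
    throw 'Client certificate has no private key; export it from the server as a PFX.'
}

# Negative test: a request without a certificate must be rejected.
try {
    Invoke-WebRequest -Uri $url -UseBasicParsing | Out-Null
    Write-Warning 'Request without a client certificate succeeded: SslRequireCert is not in effect.'
} catch {
    Write-Host "Rejected without certificate, as expected: $($_.Exception.Message)"
}

# Positive test: the same request with the AD CS client certificate.
$resp = Invoke-WebRequest -Uri $url -Certificate $cert -UseBasicParsing
Write-Host "With client certificate: HTTP $($resp.StatusCode)"
```

The negative test matters more than the positive one: if the request without a certificate succeeds, the site is still only using one-way SSL.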
The one-hour experiment was a success! Satisfied, time for a cup of tea. Then on to the homework the teacher assigned.









