IIS tries to "negotiate" a mutually trusted connection with the client and, because the client certificate is self-signed, it refuses to trust it.
Your options:
- Use a certificate issued by a well-known certificate authority. This would work, but you'll have to reissue the certificate every year or so.
- Run your own CA infrastructure, add its root CA certificate into the "trusted root" certificate store of the service machines and issue certificates signed with that root (likely via intermediate certificates).
- Add the self-signed certificate into "trusted root" of the service machines. This may induce subtle yet serious security risks. I personally am against this option because it feels really unsafe.
- Switch to some other authentication scheme which doesn't use client certificates.
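An added example, not part of this answer, that reproduces the rejection and the difference between the second and third options using Go's standard-library X.509 chain builder (it runs offline, so it stands in for the IIS chain engine; the CA name and subjects are made up): a client certificate issued by a private root is accepted when only that root is trusted, a self-signed one is not, and once the self-signed certificate is pushed into the root store, anything its key signs is accepted too, because a root-store entry is a trust anchor, not a pinned leaf.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert builds a certificate for subject cn. With parent == nil it is
// self-signed; isCA sets basicConstraints (CA:TRUE also adds keyCertSign).
// Every certificate here carries the clientAuth EKU so it can be presented
// as a client certificate; a real root would normally carry no EKU at all.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the template signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// acceptedBy reports whether a server whose trusted-root store holds exactly
// roots would accept leaf as a client certificate (no intermediates offered).
func acceptedBy(leaf *x509.Certificate, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// Scenario names, in the order main prints them.
var scenarioOrder = []string{
	"issued by private CA, only that root trusted",
	"self-signed, only private root trusted",
	"self-signed, pushed into the root store",
	"any cert minted by that self-signed key",
}

// Scenarios returns, per scenario, whether the client certificate is accepted.
func Scenarios() (map[string]bool, error) {
	// Second option from the answer: a private root (made-up name) issues "alice".
	root, rootKey, err := mkCert("Example Private Root CA", true, nil, nil)
	if err != nil {
		return nil, err
	}
	alice, _, err := mkCert("alice", false, root, rootKey)
	if err != nil {
		return nil, err
	}
	// The situation in the question: a self-signed client certificate. It is
	// created CA:TRUE because that is what `openssl req -x509` emits by default.
	bob, bobKey, err := mkCert("bob (self-signed)", true, nil, nil)
	if err != nil {
		return nil, err
	}
	// What bob's key can do once his certificate is a trust anchor (third option).
	impostor, _, err := mkCert("anyone-at-all", false, bob, bobKey)
	if err != nil {
		return nil, err
	}
	return map[string]bool{
		scenarioOrder[0]: acceptedBy(alice, root),
		scenarioOrder[1]: acceptedBy(bob, root),
		scenarioOrder[2]: acceptedBy(bob, root, bob),
		scenarioOrder[3]: acceptedBy(impostor, root, bob),
	}, nil
}

func main() {
	results, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for _, name := range scenarioOrder {
		fmt.Printf("%-46s accepted=%v\n", name, results[name])
	}
}
```

The last scenario is the concrete form of the risk the third option carries: a self-signed certificate placed in the root store is a CA whose private key lives on a client, so whoever holds that key can mint a certificate for any subject and the server will chain it to a trusted anchor. The trust-anchor semantics are the same for the Windows "Trusted Root Certification Authorities" store, but confirm the behaviour against the actual IIS host rather than relying on Go's verifier for the details. For the second option, the usual way to install the private root on a service machine is PowerShell's `Import-Certificate -FilePath .\root.cer -CertStoreLocation Cert:\LocalMachine\Root` (or `certutil -addstore Root root.cer`); those commands are not part of this answer.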