I want to do what myopenid does -- once you've logged, you can click a button that generates you an SSL certificate; the browser then downloads this certificate and stores it. When you later go back to, your browser can use its stored certificate for authentication so you don't ever need a password.

So my questions is what is required to get this working? How do I generate certificates? How do I validate them once they're presented back to me?

My stack is Rails on Apache using Passenger, but I'm not too particular.

+4  A: 

These are usually referred to as client side certificates.

I've not actually used it but a modified version of restful-authentication can be found here here that looks like what your after.

I found this via Dr. Nic's post


@russtbarnacle: great find! I had already read Dr. Nic's post, and even emailed him to see whether he might want to make such a thing. Nice to know it already exists!

James A. Rosen
+1  A: 

Depends on the server, but the simplest solution I know of, using Apache:


"When this option is enabled, the Subject Distinguished Name (DN) of the Client X509 Certificate is translated into a HTTP Basic Authorization username. This means that the standard Apache authentication methods can be used for access control. The user name is just the Subject of the Client's X509 Certificate (can be determined by running OpenSSL's openssl x509 command: openssl x509 -noout -subject -in certificate.crt). Note that no password is obtained from the user... "

Not sure about rails, but the usual REMOTE_USER environment variable should be accessible in some way.

Mark Renouf

@Gaius I'd be interested in your experiences with it if you get it up and running.

+1  A: 
You could just use the keygen element instead,

I've been working on a solution to this problem. I wanted to do the same thing and I know lots of other website owners want this feature, with or without a third party provider.

I created the necessary server setup and a firefox plugin to handle the certificate-based authentication. Go to to grab the free firefox plugin. Email me (link on that page) for the server setup as I haven't packaged it yet with a nice installer.

Server setup is Apache2 + OpenSSL + Perl (but you could rewrite the perl scripts in any language)