views: 5631
answers: 6

I want to do what myopenid does -- once you've logged in, you can click a button that generates you an SSL certificate; the browser then downloads this certificate and stores it. When you later go back to yourid.myopenid.com, your browser can use its stored certificate for authentication so you don't ever need a password.

So my question is: what is required to get this working? How do I generate certificates? How do I validate them once they're presented back to me?

My stack is Rails on Apache using Passenger, but I'm not too particular.

+4  A: 

These are usually referred to as client side certificates.

I've not actually used it, but a modified version of restful-authentication can be found here that looks like what you're after.

I found this via Dr. Nic's post.

russtbarnacle
A: 

@russtbarnacle: great find! I had already read Dr. Nic's post, and even emailed him to see whether he might want to make such a thing. Nice to know it already exists!

James A. Rosen
+1  A: 

Depends on the server, but the simplest solution I know of, using Apache:

FakeBasicAuth

"When this option is enabled, the Subject Distinguished Name (DN) of the Client X509 Certificate is translated into a HTTP Basic Authorization username. This means that the standard Apache authentication methods can be used for access control. The user name is just the Subject of the Client's X509 Certificate (can be determined by running OpenSSL's openssl x509 command: openssl x509 -noout -subject -in certificate.crt). Note that no password is obtained from the user... "

Not sure about Rails, but the usual REMOTE_USER environment variable should be accessible in some way.

Mark Renouf
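The question asks how to issue the certificates and how to validate them when they come back, and the answer above relies on Apache to do the validation and expose the subject DN. Added example, not code from any answer here: a Ruby sketch on the OpenSSL standard library in which a site-local CA issues per-user client certificates (user id in the CN) and the server side checks a presented PEM against that CA plus a revoked-serial list. The module name, the DN strings and the revocation list are assumptions.

```ruby
require 'openssl'

# Hypothetical helper (added example, not from the thread): a site-local CA
# that issues client certificates and checks those presented back.
module ClientCertAuth
  def self.build_cert(subject, issuer, pubkey, serial, days)
    cert = OpenSSL::X509::Certificate.new
    cert.version = 2                         # X.509 v3, needed for extensions
    cert.serial = serial
    cert.subject = OpenSSL::X509::Name.parse(subject)
    cert.issuer = issuer
    cert.public_key = pubkey
    cert.not_before = Time.now - 60          # small clock-skew allowance
    cert.not_after = Time.now + days * 86_400
    cert
  end

  # Self-signed CA; in production generate once and keep the key offline.
  def self.make_ca(name = '/CN=example-site CA')
    key = OpenSSL::PKey::RSA.new(2048)
    cert = build_cert(name, OpenSSL::X509::Name.parse(name), key.public_key, 1, 3650)
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.sign(key, OpenSSL::Digest.new('SHA256'))
    [cert, key]
  end

  # Client cert whose CN is the user id; with FakeBasicAuth the full subject
  # DN is what reaches the app as REMOTE_USER.
  def self.issue_client_cert(ca_cert, ca_key, user_id, serial)
    key = OpenSSL::PKey::RSA.new(2048)
    cert = build_cert("/CN=#{user_id}/O=example-site users", ca_cert.subject,
                      key.public_key, serial, 365)
    ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, cert)
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('extendedKeyUsage', 'clientAuth', false))
    cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
    [cert, key]
  end

  # Validate a presented PEM: signature chain and validity period are checked
  # by the store, revocation by serial; returns the user id or nil.
  def self.authenticate(pem, ca_cert, revoked_serials = [])
    cert = OpenSSL::X509::Certificate.new(pem)
    store = OpenSSL::X509::Store.new
    store.add_cert(ca_cert)
    return nil unless store.verify(cert)
    return nil if revoked_serials.include?(cert.serial.to_i)
    cn = cert.subject.to_a.find { |name, _, _| name == 'CN' }
    cn && cn[1]
  end
end
```

With the Apache approach from the answer above, the web server performs the same chain check before the request reaches Rails, so the application only has to trust REMOTE_USER, which it should do only for requests that arrived over that TLS listener.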
A: 

@Gaius I'd be interested in your experiences with it if you get it up and running.

russtbarnacle
+1  A: 
erickson
You could just use the keygen element instead, http://www.whatwg.org/specs/web-apps/current-work/multipage/forms.html#the-keygen-element
hendry
A: 

I've been working on a solution to this problem. I wanted to do the same thing and I know lots of other website owners want this feature, with or without a third party provider.

I created the necessary server setup and a Firefox plugin to handle the certificate-based authentication. Go to mypassfree.com to grab the free Firefox plugin. Email me (link on that page) for the server setup, as I haven't packaged it yet with a nice installer.

Server setup is Apache2 + OpenSSL + Perl (but you could rewrite the Perl scripts in any language).

Jonathan

apricoti