1

I am trying to understand how does client authentication work in https scenario and how to use it to provide a basic authentication/authorization capability.

Let's say I want to have a mapping between a certificate and a user (eg. IPrincipal). My server issues certs and distributes them to the clients. When client connects I ask for certificate and if a valid certificate has been provided I authenticate the user based on the mapping defined earlier.

What should I use to create the mapping? Is cert thumbprint a good candidate? Is it enough to determine client identity?

Or maybe I don't need the mapping at all and can simply accept all certs issued by my server ?

Edit: Let me rephrase it - assuming that I can issue client certificates, how do I verify clients identity during https session?

Improve this question

3 Answers 3

Reset to default
1

A lot of what your asking depends greatly on what your existing cert infrastructure looks like. For security reasons I would highly suggest identifying the specific user via a mapping. If you've gone as far as to distribute certs for user auth, theres probably something worth securing. Any authorization or auditing you need should be per user. The best way is to use the cert CN (common name). The thumbprint will identify as specific cert, but what happens when the cert expires? This of course means when you issue certs the CN is controlled, and will relate to a specific person. I've found using email address to be very reliable, because you can create a validation routine by sending them confirmation emails. You can also enforce some uniqueness with the email address.

The hard part is distributing certs and getting IIS to ask the client for certs so your asp.net app can gain access to its information. Once you have that all your requests will have something in Request.ClientCertificate which has all the details of their cert you'd need to authenticate them.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

I'm assuming you are using .Net framework. You may try to use HttpRequest.ClientCertificate property. Certificate validation is already done with ASP.NET you just need check IsValid property. Rest of validation is map certificates to users.

If all certificates are issued by same CA you can use the certificate serial number. If not include the HttpClientCertificate.Issuer property with serial number.

Thumbprint is hard to use later if you need some debugging.

Improve this answer

Comments

0

You questions contains 2 different parts:

1) How do I verify that client certificate was issued by me and in good standing?

Very general answer is that you validate it's chain against trusted root certificate. As example you can read it here:

http://msdn.microsoft.com/en-us/library/windows/desktop/dd407310(v=vs.85).aspx http://www.openssl.org/docs/apps/verify.html http://www.cryptosys.net/pki/x509_validatechain.html

In most cases you don't have to write any code to do this. All you need is to install (as example) Apache before your web server. Apache can be configured to request and validate client certificate against trusted certificate(s).

2) How do I map a certificate to a user?

If you are looking for a common way how it's done then you should use Subject Alternative Name property in certificate to store principal name. This is the most common way which is used by multiple providers.

Here are couple of Windows related interesting links:

http://technet.microsoft.com/en-us/library/cc736706(v=ws.10).aspx

http://technet.microsoft.com/en-us/library/cc736781(WS.10).aspx

However, generally speaking, you can use any unique thing in certificate for mapping.

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.