
I am working on a login page using Spring Security. The page needs to provide an option for the user to use their certificate instead of a username and password. However, I am stuck in the following scenario:

Say you have a certificate signed by XYZ company installed in your browser. Now the server (which trusts XYZ) wants to validate the certificate... but the questions are:

Q1. How can server 'request' browser to provide "the right certificate" (assuming you have more than one certificate installed in your browser)?

Q2. Is it possible to have a button on the login page so that the user sends his certificate only when he clicks the button?

Q3. Say the server received your certificate. Can the server say "yes, you have proved you are who you say you are" simply by looking at the certificate chain (signed by XYZ company)?

Thanks,

From a security newbie :)

1 Answer

This is possible. All you'd have to do would be to set up an SSL site with client certificates required. Browsers support this out of the box; most present an internal cert store, i.e. show a user cert store from the OS. You should consult your server framework docs on how to turn on the client cert requirement on the SSL connection.

As for Q2, you could have two websites: your app and your auth provider. The app shows the button, and this redirects to your auth provider, which requires the client certificate. Then the auth provider uses any SSO protocol (OAuth2, SAML) to return the user identity to the application.

As for cert validation, you could either validate the chain or have a mapping between usernames and cert thumbprints at the server side.
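The second option from the answer (a server-side mapping from certificate thumbprints to usernames) in Spring Security, as an added example that is not part of the original answer. It assumes the TLS listener is already configured to require a client certificate and to trust the XYZ CA (in Spring Boot: `server.ssl.client-auth=need` plus `server.ssl.trust-store`), which is what makes the browser prompt for a matching certificate (Q1) and is where the chain is verified against the CA (Q3); the thumbprint in the map is a placeholder, and it is the hash of the user's own (leaf) certificate, not of the CA certificate.

```java
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.HexFormat;
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

@Configuration
public class CertLoginConfig {

    // Hypothetical mapping: SHA-256 thumbprint of the user's *leaf* certificate -> username.
    // The value is a placeholder; real entries are computed from the certificates you issued.
    private static final Map<String, String> THUMBPRINT_TO_USER = Map.of(
            "<sha256-thumbprint-of-alice-leaf-cert>", "alice");

    @Bean
    SecurityFilterChain certChain(HttpSecurity http) throws Exception {
        // The TLS layer (client-auth=need, trust store = XYZ CA) has already validated the
        // chain before the X.509 filter hands the certificate to this lookup.
        http.x509(x509 -> x509.authenticationUserDetailsService(thumbprintLookup()))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }

    AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> thumbprintLookup() {
        return token -> {
            // X509AuthenticationFilter stores the presented certificate as the credentials.
            X509Certificate cert = (X509Certificate) token.getCredentials();
            String thumbprint = sha256Hex(cert);
            String user = THUMBPRINT_TO_USER.get(thumbprint);
            if (user == null) {
                // Valid chain but unknown certificate: refuse rather than guess an identity.
                throw new UsernameNotFoundException("no account for certificate " + thumbprint);
            }
            return User.withUsername(user).password("").roles("USER").build();
        };
    }

    // Thumbprint = hex SHA-256 over the DER encoding of the certificate.
    static String sha256Hex(X509Certificate cert) {
        try {
            return HexFormat.of().formatHex(
                    MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()));
        } catch (Exception e) {
            throw new IllegalStateException("cannot hash certificate", e);
        }
    }
}
```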


2 Comments

Thanks, it clears my doubts... but now it comes to implementation. I exported my certificate (signed by a trusted CA) and tried to manually map my name and the root cert fingerprints with my server-side trusted CA. Somehow I can't find identical fingerprints... am I missing something here? (BTW, I am about to establish an SSL connection with the CA installed in my browser.)
I've never tried to map user cert fingerprints manually. I've always relied on the CA built into the Windows Server, where user certificates are mapped to user accounts in the Active Directory. This (plus of course Windows integrated authentication) always worked as expected.
