Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Generating client side certificates in browser and signing on server

Tags:

ssl

ssl-certificate

client-side

Is it possible to request generation of client keypair in browser and send the public key to the server CA to be signed transparently? Then installing the signed certificate in user's browser?

Scenario:

  1. User opens https://examle.com/ web page, server identity is verified
  2. User requests an account creation
  3. Keypair is generated in user's browser and not revealed to server/CA
  4. Pubkey is send to server for signing
  5. Server signes the key and generates certificate
  6. Certificate is sent to client and installed in browser along with private key

Next time client connects to server, his identity is verified based on client certificate.

It would be nice if server could force/hint the client to protect his private key using password encryption.

I've seen online banking using java applet for this task. Is it possible to do it using native browser capabilites? Apache/PHP or Node.js solution would be welcome.

like image 655
Ludeks Avatar asked Feb 08 '12 16:02

Ludeks

People also ask

How do I get a client certificate for my browser?

In Chrome, go to Settings. On the Settings page, below Default browser, click Show advanced settings. Under HTTPS/SSL, click Manage certificates. In the Certificates window, on the Personal tab, you should see your Client Certificate.

Can I use same certificate for server and client?

It's technically possible for a TLS certificate to be used as both a server certificate and a client certificate. The TLS certificate for this very site has its key usage set that way, for instance. But the server which requires a client certificate does so to authenticate the client.

Do browsers have client certificates?

Most browsers support client certificates for mutual TLS authentication.

1 Answers

Yes, it's possible. There are no cross-browser solutions, though.

  • For Internet Explorer, you will have to use some ActiveX controls using X509Enrollment.CX509EnrollmentWebClassFactory or CEnroll.CEnroll, depending on whether it's running on Windows XP or Vista/7. This will generate a PKCS#10 certificate request (which you may need to wrap between the traditional delimiters.
  • For the rest, you should be able to use the <keygen /> tag. It's a legacy Netscape tag, not officially HTML before, but it has made it into HTML 5 (although MS have said they wouldn't support it in their implementations). This will generate a SPKAC structure (similar to a CSR).
  • For Firefox (although it supports keygen), you can use the CRMF functions.

Here is an example script that should do most of the work for ActiveX or Keygen.

When the server sends a certificate in return (possibly later), the browser should import it into its store and associate it with the private key it had generated at the time of the request.

How the private key is protected will depend on the browser or underlying certificate store mechanism. In Firefox, there should be a master password on the security device, for example.

On the server side, you can implement your own CA using various tools. OpenSSL and BouncyCastle can handle PKCS#10 and SPKAC. Here is a BouncyCastle-based example (associated with the script above), and some code for CRMF.

If you want a ready-made solution, you may be interested in something like OpenCA.

like image 169
Bruno Avatar answered Sep 26 '22 23:09

Bruno
Sign in to Comment

Related questions

TLSv1.3 - is it available now in Java 8?
how to resolve jsoup error: unable to find valid certification path to requested target
While using pandas got error urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
Unable to send an email using SMTP (Getting javax.mail.MessagingException: Could not convert socket to TLS;)
Enable https in a rails app on a thin server
Mutual certificates authentication fails with error 403.16
Cannot connect to APNS: return code 20 (unable to get local issuer certificate)
Connecting a client to a TCP server using TLS 1.2
Reading PEM public key into iOS
Android DownloadManager and SSL (https)
How can i proxy to SSL backend without specifiyng cert files?
C# Visual Studio 2015: IWebProxy certificate validation
How to programmatically add certificates to a truststore and use that also for verifying server authentication
Configure HostnameVerifier with reactor netty for spring-webflux WebClient
How to call the default certificate check when overriding ServicePointManager.ServerCertificateValidationCallback in C#?
WebSocket connection to failed ERR_SSL_PROTOCOL_ERROR
AFNetworking problems with TLS Verification of a self signed server root CA
WebSocket connection fails on Chrome without SSL
How to cancel a persistent connection using NSURLConnection?
jsse handshake_failure on public https web site

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!