I want to do what myopenid does -- once you've logged, you can click a button that generates you an SSL certificate; the browser then downloads this certificate and stores it. When you later go back to yourid.myopenid.com, your browser can use its stored certificate for authentication so you don't ever need a password.
So my questions is what is required to get this working? How do I generate certificates? How do I validate them once they're presented back to me?
My stack is Rails on Apache using Passenger, but I'm not too particular.
Create a client certificate request. After receiving the certificate, export it to a password-protected PKCS12 file and send the password and the file to the user. Make sure the file is securely sent.
Chrome: Verifying that Your Client Certificate Is InstalledIn Chrome, go to Settings. On the Settings page, below Default browser, click Show advanced settings. Under HTTPS/SSL, click Manage certificates. In the Certificates window, on the Personal tab, you should see your Client Certificate.
Secure Sockets Layer (SSL) is a PKI protocol to authenticate the user's identity and encrypt the communication between the client and the server. An SSL certificate ensures that nobody can intercept, read, or change the conversation between the client and the server.
You can generate a certificate in the client's browser using browser-specific code. See this question
You could also generate SSL client certs server-side using OpenSSL in Ruby (see this q). (This will work in any browser without browser-specific code, but your server will have generated the client's private key, which is not ideal for crypto purists.)
Whichever method you use to generate them, you will then need to configure your webserver to require the client certificates. See the Apache docs for an example.
These are usually referred to as client side certificates.
I've not actually used it but a modified version of restful-authentication can be found here here that looks like what your after.
I found this via Dr. Nic's post
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With