After login, I want a web page to be able to provide both Firefox and MSIE 8+ web-site clients the ability to download and install a unique SSL client certificate for the website so they need never log in again from that machine.
The back-end is simple and done: I have a directory on my Linux web server where typing "make USER=$username ${username}.crt.pkcs12" will create a new client key and a valid, signed PKCS-12 SSL client certificate file.
But how best to provide a single method whereby both logged-in (with password) MSIE and Firefox users can download these certificates and bring up the "install client certificate" browser GUI dialog?
It is straightforward to simply push the certificate as a file of some MIME type (say 'application/x-pkcs7-certreqresp'?) so the user is prompted to save the file; but I want them to be prompted to add the certificate for this website to the SSL certificate manager's client cert store. Then I found this for Firefox.
So this is fairly straightforward, but all I can find for MSIE is this.
So it is simple to invoke Firefox's security manager API from JavaScript, but I can find no way of doing so from MSIE's JavaScript; one would need to invoke .NET C# code to access the .NET APIs, and the X509Store APIs seem not to be exported to MSIE JavaScript.
As I see it, the options are then to provide a Mono .NET web service on my Linux web server and redirect requests from MSIE clients for the certificates to this service, which can then download .NET code that the client runs to install the certificate?
Or I can make MSIE clients download an "Install_Cert.VB" Visual Basic script that will run "WinHttpCertCfg.exe"?
Or is there some magic MSIE security manager JavaScript API that I'm just not finding?
Sorry, I've been a Windows refusenik since 1992; I use only Linux / Solaris / BSD / MacOS and do not have access to a Windows machine.
Anyone been here before / have any advice to offer? If so, it would be much appreciated! Thanks in advance, Jason
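The delivery side of what the question describes, handing a logged-in user their freshly generated PKCS#12 bundle exactly once and never letting it be cached or re-fetched, as an added example that is not from the original thread or any of the answers. It is standard-library Python; the `.crt.pkcs12` file naming follows the asker's make target, `P12_DIR` is a hypothetical placeholder path, and `read_bundle` is an injected hook for reading the file so the logic can be exercised without disk access. It does not trigger any browser install dialog; it serves the file as `application/x-pkcs12` (the conventional type for .p12/.pfx files; the `application/x-pkcs7-certreqresp` type mentioned in the question is the PKCS#7 certificate-response type, not PKCS#12) with `Content-Disposition: attachment` and `Cache-Control: no-store`, behind a single-use, time-limited token minted only after the password login succeeded.

```python
"""Added example (not from the original thread): single-use, short-lived
delivery of a per-user PKCS#12 bundle.

Assumes the bundle was already produced on the server, as in the asker's
``make USER=$username ${username}.crt.pkcs12``, and sits under P12_DIR
(a hypothetical path). The browser-side "install" prompt is out of scope.
"""
import os
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

P12_DIR = "/var/lib/clientcerts"   # hypothetical directory holding <user>.crt.pkcs12
TOKEN_TTL_SECONDS = 300            # a download link stays valid for five minutes

# token -> (username, expiry timestamp). In a real deployment keep this in the
# server-side session store rather than a module-level dict.
_pending: Dict[str, Tuple[str, float]] = {}


def issue_download_token(username: str, now: Optional[float] = None) -> str:
    """Call only after the password login succeeded. Mints an unguessable
    token bound to that user; the token, not the username, goes in the URL."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _pending[token] = (username, now + TOKEN_TTL_SECONDS)
    return token


def redeem_download_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the bound username if the token is live, else None.
    pop() makes every token single-use, even one that turns out to be expired."""
    now = time.time() if now is None else now
    entry = _pending.pop(token, None)
    if entry is None:
        return None
    username, expires = entry
    return username if now <= expires else None


def safe_bundle_path(username: str) -> Optional[str]:
    """Map a username to its bundle file without letting it escape P12_DIR."""
    if not username or not username.replace("_", "").replace("-", "").isalnum():
        return None
    return os.path.join(P12_DIR, username + ".crt.pkcs12")


def build_download_response(
    token: str,
    read_bundle: Callable[[str], bytes],
    now: Optional[float] = None,
) -> Tuple[int, Dict[str, str], bytes]:
    """Produce (status, headers, body) for the download endpoint.
    `read_bundle` is injected so the logic can be tested without disk I/O."""
    username = redeem_download_token(token, now)
    if username is None:
        return 403, {"Cache-Control": "no-store"}, b""
    path = safe_bundle_path(username)
    if path is None:
        return 403, {"Cache-Control": "no-store"}, b""
    body = read_bundle(path)
    headers = {
        # Conventional type for .p12/.pfx; browsers offer the file instead of rendering it.
        "Content-Type": "application/x-pkcs12",
        # username passed the alphanumeric check above, so it is safe inside the header.
        "Content-Disposition": 'attachment; filename="%s.p12"' % username,
        "Content-Length": str(len(body)),
        # Never let a proxy or the browser cache a private-key bundle.
        "Cache-Control": "no-store",
        "Pragma": "no-cache",
    }
    return 200, headers, body


if __name__ == "__main__":
    # Demo with a constructed stand-in for the bundle bytes.
    def fake_bundle(path: str) -> bytes:
        return b"\x30\x82<constructed PKCS#12 bytes>"

    tok = issue_download_token("jason")
    status, headers, body = build_download_response(tok, fake_bundle)
    print(status, headers)
    # A second use of the same link is refused.
    print(build_download_response(tok, fake_bundle)[0])
```

The bundle itself should still carry its own import passphrase handed to the user out of band; the token only limits who can fetch the file and for how long, and the `no-store` header keeps intermediaries from retaining a copy.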
It's technically possible for a TLS certificate to be used as both a server certificate and a client certificate. The TLS certificate for this very site has its key usage set that way, for instance. But the server which requires a client certificate does so to authenticate the client.
Probably not the answer you'd expect, but the easiest thing you can do is create an ActiveX control that will put the certificate into the right certificate store in IE. Since ActiveX is only handled by IE, you will have an IE-specific solution and will need just one version of the ActiveX control. For Firefox (and Chrome and Opera) you would need to find other solutions.
Here's some documentation about ways to get client-side SSL certificates installed.
As you might expect, every browser is different, mobile devices are missing features in many cases, and there are lots of ways to do the same thing. Looks like many people are banging their heads on this stuff.