[ale] Is anyone actually using: Client side certificates for Auth ?

Jim Kinney jim.kinney at gmail.com
Tue Mar 3 17:00:24 EST 2009


Sounds fun. The only time I've had to use client-side certs, I had to
generate them all on the server, signed by the server, and distribute them
to the clients. I had some script tools to simplify the process, but it's
still a chore.

A browser plugin to generate a CSR would be a terrific thing iff it
can generate the request, verify the signature of the server the
request is sent to and then put the signed cert in the appropriate
storage container.

Since my one run with client-side certs, I have used ssh tunnels with
keys and non-standard web ports (8080, etc.), as that is easier to set up,
IMO, than SSL certs.

On Tue, Mar 3, 2009 at 2:39 PM, Mike Harrison <meuon at geeklabs.com> wrote:
>
>   I'm working on a paranoia-driven side project.
>   I really want to limit access to a 'website'
>   to about 20 very carefully set-up clients,
>   14 of which are Firefox on Linux; the other
>   6 will be MSIE or Firefox on WinXP.
>
>   Apache is SSL only, and has private certs
>   (TinyCA rocks for a private cert authority)
>   the site uses digest auth and forces SSL,
>   which I am happy with. I even have
>   IP address access control per login,
>   example: CSR3 can only login from 192.168.33.78
>
>   I'd like to add client side certificates required.
>   No problem on the apache side.
>
>   I'm currently looking at various methods for generating
>   and issuing a certificate for the client web browser.
>   While this is currently a 'one off', I hope to have to
>   do this more.
>
>   It seems that the best way is to generate them,
>   both keys and cert request, for each browser
>   on the server (or at least a Linux machine)
>   with openssl. On Firefox it's a pretty straightforward
>   import process... I'll figure out the MSIE way soon.
>
>   But I would think there would be a simple menu option
>   for "generate CSR" for the browser, and a simple
>   "import" function, if this was actually being used
>   in the real world. I see add-ons for Firefox for this.
>
> The real question is:
> ----------------------
>   Is anyone actually using this (client certs) in production
>   or is the technical management overhead just too heavy?
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
>



-- 
James P. Kinney III
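As an added example, not code from either poster: the server-side workflow both messages describe (key and CSR generated on a Linux box with openssl, signed by the private CA, handed to each browser) as a POSIX shell script, plus the two checks a practitioner wants before shipping a bundle. The CA name, client names, passphrases and temp working directory are all made up; the only requirement is the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not code from the thread: a private CA built with the openssl
# CLI that issues one client certificate per browser, bundles key + cert as a
# PKCS#12 file for import into Firefox or MSIE, and checks what Apache's
# SSLVerifyClient will check. Every name, CN and passphrase below is made up.
# Requires the openssl command-line tool.
set -e

# Working directory for the CA and issued files (override with WORK=/path).
WORK="${WORK:-$(mktemp -d)}"

# Build the private CA: a self-signed cert whose key never leaves this box.
# (TinyCA does the same thing with a GUI in front of openssl.)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue one client cert: key + CSR generated here, signed by the CA, then
# bundled with the CA cert as $name.p12 protected by $pass.
# The CN is what Apache later exposes as SSL_CLIENT_S_DN_CN.
issue_client() {
  name="$1"; pass="$2"
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$name.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$name.crt" 2>/dev/null
  openssl pkcs12 -export -name "$name" -passout "pass:$pass" \
    -inkey "$WORK/$name.key" -in "$WORK/$name.crt" -certfile "$WORK/ca.crt" \
    -out "$WORK/$name.p12"
  # The CSR and the bare key have done their job; only the .p12 ships, so
  # do not leave a plaintext client key lying around on the server.
  rm -f "$WORK/$name.csr" "$WORK/$name.key"
}

# Does cert $1 chain to CA cert $2? This is the same decision mod_ssl makes
# on each handshake once SSLVerifyClient is set to require.
verify_cert() {
  openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'
}

# Can bundle $1.p12 be opened with passphrase $2? A wrong passphrase fails
# the PKCS#12 MAC check, which is what the browser import dialog reports.
p12_opens() {
  openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$2" -noout 2>/dev/null
}

# Demo run: one CA, two of the twenty browsers.
make_ca
issue_client firefox-linux-01 'hand-this-over-in-person'
issue_client msie-winxp-01 'another-one'
verify_cert "$WORK/firefox-linux-01.crt" "$WORK/ca.crt" \
  && echo "firefox-linux-01.crt chains to ca.crt"
ls "$WORK"
```

The .p12 files are what go to the clients; Firefox takes them through its certificate manager import dialog, and on the Apache side `SSLVerifyClient require`, `SSLVerifyDepth 1` and `SSLCACertificateFile` pointing at ca.crt are the whole story (add `SSLUserName SSL_CLIENT_S_DN_CN` if the CN should become REMOTE_USER, and keep `SSLCARevocationFile` in mind for the day one of the twenty machines goes missing). ca.key is the thing to guard; it only needs to exist where certs are signed. Two caveats: with OpenSSL 3.x, browsers of the XP era need `-legacy` on the `pkcs12 -export` step to get an encryption they understand, and a bundle passphrase that travels in the same e-mail as the bundle protects nothing.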