Certificate for website login

@Sent6035632

Posted in: #SecurityCertificate

Not sure if this belongs here or at serverfault...

I've seen websites where, to log in to the website, a digital certificate has to be installed for the user logging in. As far as I can tell, this certificate is in addition to the website using an SSL certificate (https).

I'm just looking to be pointed in the right direction on how to code for this (apache / php hopefully), who issues these certificates (must it be a trusted var or can I?) or even what to search for via google.

-Mario


@Jessie594

Consider two-factor authentication instead

I'd recommend a two-factor authentication (2FA) system such as those from DuoSecurity, RSA, AlterEgo, Wikid Systems, and Signify instead of a client-side SSL certificate, because it requires little to no technical setup or education for your site's visitors (and it's more secure than relying on an SSL client certificate alone).

Instead of having to download and install a certificate, visitors can authenticate themselves by receiving a phone call or text message, by visiting a web page, or opening an app.

Client-side SSL certificates

If you've seen what the above companies have to offer and still wish to use client-side SSL certificates, CAcert.org offers this example of how they use mod_ssl under Apache with PHP to authenticate visitors based on client-side certificates:

Apache config

<VirtualHost 127.0.0.1:443>
SSLEngine on
SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificateFile /etc/ssl/cacert.crt
SSLCertificateFile /etc/ssl/certs/cacert.crt
SSLCertificateKeyFile /etc/ssl/private/cacert.pem
SSLOptions +StdEnvVars

ServerName secure.cacert.org
DocumentRoot /www
</VirtualHost>


PHP

<?php
// Assumes session_start() has already been called and $db is a PDO connection
// (the original used the removed mysql_* functions and an unescaped string query).
if ($_SERVER['HTTP_HOST'] == "secure.cacert.org") {
    // SSL_CLIENT_S_DN_Email is exported by mod_ssl (SSLOptions +StdEnvVars)
    // once the client certificate has been verified against SSLCACertificateFile.
    $stmt = $db->prepare("SELECT * FROM `users` WHERE `email` = ?");
    $stmt->execute([$_SERVER['SSL_CLIENT_S_DN_Email']]);
    if ($stmt->rowCount() > 0) {
        $_SESSION['profile']['loggedin'] = 1;
        // Location must be an absolute URL; the original was also missing its closing quote.
        header("Location: https://secure.cacert.org/account.php");
        exit;
    }
}

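The same lookup as an added example (not CAcert's code or the answer's), with the check a practitioner would want before trusting the DN field: mod_ssl's SSL_CLIENT_VERIFY must report SUCCESS, otherwise the subject e-mail is unverified. It assumes `$pdo` is a PDO connection to a database whose `users` table has `id` and `email` columns.

```php
<?php
// Added example, not from the original answer. $pdo is an assumed PDO handle.

function client_cert_email(array $server): ?string
{
    // mod_ssl sets SSL_CLIENT_VERIFY to "SUCCESS" only when the presented
    // certificate chains to SSLCACertificateFile within SSLVerifyDepth.
    // Under SSLVerifyClient optional_no_ca it can be "FAILED:..." or
    // "GENEROUS", and the subject fields must then not be trusted.
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        return null;
    }
    $email = $server['SSL_CLIENT_S_DN_Email'] ?? '';
    // The DN e-mail is whatever the CA agreed to sign; keep the lookup key
    // well-formed before it touches the database.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $email;
}

function login_from_client_cert(PDO $pdo, array $server): bool
{
    $email = client_cert_email($server);
    if ($email === null) {
        return false;
    }
    // Parameterised query: the certificate subject never reaches SQL as text.
    $stmt = $pdo->prepare('SELECT `id` FROM `users` WHERE `email` = ? LIMIT 1');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    session_regenerate_id(true); // fresh session id at the privilege change
    $_SESSION['profile']['loggedin'] = 1;
    $_SESSION['profile']['user_id'] = $row['id'];
    return true;
}

// Only the vhost that has SSLVerifyClient require should run this path.
if ($_SERVER['HTTP_HOST'] === 'secure.cacert.org') {
    session_start();
    if (login_from_client_cert($pdo, $_SERVER)) {
        header('Location: https://secure.cacert.org/account.php');
        exit;
    }
    http_response_code(403);
}
```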

@Sue5673885

You want an SSL client certificate. The server certificate proves who they are, the client certificate proves who you are to them.

Here's some apache documentation on how to configure your site: httpd.apache.org/docs/2.0/ssl/ssl_howto.html#certauthenticate
This blog post is interesting: www.gnegg.ch/2008/05/why-is-nobody-using-ssl-client-certificates/
