Most websites employ a simple authentication mechanism generally consisting of a username and a password. While this method is certainly acceptable and secure for most applications, I want to take a minute to explore a more complex and, if employed correctly, more secure method of authenticating a user to a website.

This method employs the public key infrastructure (PKI) via client based SSL PKCS12 certificates.

First you need to make sure your server is conigured to use SSL properly. Setting up SSL in Apache is beyond the scope of this post, but here is a great HOWTO on it. You’ll also need to make sure you configure Apache to export the SSL variables it gathers to PHP.

Here is the Apache config setting to allow the SSL environment variables to be correctly exported to PHP (via the $_SERVER variable).

SSLVerifyClient optional_no_ca
SSLVerifyDepth  10

SSLOptions +ExportCertData +StdEnvVars

Next you’ll want to grab a copy of our handy php-cert-auth class from here. The configuration is pretty straightforward, feel free to include config parameters in the class directly if you don’t want to worry about maintaining a seperate configuration file.

Here are a few examples of what our class will allow you to do.

To download a self-signed certificate:

header("Content-Type: application/x-pkcs12");
header('Content-Disposition: attachment; filename=client.p12');

$countryName = "US";
$stateOrProvinceName = "Georgia";
$localityName = "Roswell";
$organizationName = "Werx Limited";
$organizationalUnitName = "Labs";
$commonName = "Wes Widner";
$emailAddress = "[email protected]";

$cert = new WerxLtd_Auth_Cert();
$pks12 = $cert->getPKCS12SelfSigned(

echo $pkcs12;

 * You can also parse the pkcs12 data back out via: openssl_pkcs12_read($pks12, $data, null);

Here is how you could go about authenticating a user:

$cert = new WerxLtd_Auth_Cert();
if($cert->hasClientCert()) {
	$keyid = $cert->getSubjectKeyIdentifier();
	// You can then use this key to query a list of known keys associated with valid users

This package is not designed to work in a stand-alone fashion. It is designed to be a helpful passwordless enhancement to an existing authentication system. Since the subjectKeyIdentifier is unique for each certificate that is issued1, it is wholly possible to associate it with a user’s account and check the supplied user certificate against a list of known client certificates in order to authorize the user in a transparent fashion.

There are many other ways a client certificate can be used to make your application even more secure. Like encrypting information before it is saved to permanent storage. You can also use the information contained in the client certificate to automatically fill in form fields. The biggest pitfall I can see to employing client certificates is the added complexity of the application.

Further reading:

No related content found.

  1. []