Posts Tagged ssl

Certificate Information Extractor

While working with SSL certificate based authentication I developed a handy tool to display the contents of certificates. Both PKCS12 .p12 certificates (commonly used for client authentication) as well as standard public .cer certificates.

Here is my utility to check certificate information.

And if you are looking for a couple of certificates to use to try this tool out, here is a PKCS12 self-signed certificate. Or, you could use my handy self-signed PKCS12 certificate generator and make your own.

Special thanks to John Veldboom for his ColorPal app which helped me make the more appealing to the eye.

Share/Save

Tags: , , ,

Secure client authentication with php-cert-auth

Most websites employ a simple authentication mechanism generally consisting of a username and a password. While this method is certainly acceptable and secure for most applications, I want to take a minute to explore a more complex and, if employed correctly, more secure method of authenticating a user to a website.

This method employs the public key infrastructure (PKI) via client based SSL PKCS12 certificates.

First you need to make sure your server is conigured to use SSL properly. Setting up SSL in Apache is beyond the scope of this post, but here is a great HOWTO on it. You’ll also need to make sure you configure Apache to export the SSL variables it gathers to PHP.

Here is the Apache config setting to allow the SSL environment variables to be correctly exported to PHP (via the $_SERVER variable).

SSLVerifyClient optional_no_ca
SSLVerifyDepth  10

SSLOptions +ExportCertData +StdEnvVars

Next you’ll want to grab a copy of our handy php-cert-auth class from here. The configuration is pretty straightforward, feel free to include config parameters in the class directly if you don’t want to worry about maintaining a seperate configuration file.

Here are a few examples of what our class will allow you to do.

To download a self-signed certificate:

header("Content-Type: application/x-pkcs12");
header('Content-Disposition: attachment; filename=client.p12');

$countryName = "US";
$stateOrProvinceName = "Georgia";
$localityName = "Roswell";
$organizationName = "Werx Limited";
$organizationalUnitName = "Labs";
$commonName = "Wes Widner";
$emailAddress = "[email protected]";

$cert = new WerxLtd_Auth_Cert();
$pks12 = $cert->getPKCS12SelfSigned(
	$countryName,
	$stateOrProvinceName,
	$localityName,
	$organizationName,
	$organizationalUnitName,
	$commonName,
	$emailAddress
);

echo $pkcs12;

/*
 * You can also parse the pkcs12 data back out via: openssl_pkcs12_read($pks12, $data, null);
 */

Here is how you could go about authenticating a user:

$cert = new WerxLtd_Auth_Cert();
if($cert->hasClientCert()) {
	$keyid = $cert->getSubjectKeyIdentifier();
	// You can then use this key to query a list of known keys associated with valid users
}

This package is not designed to work in a stand-alone fashion. It is designed to be a helpful passwordless enhancement to an existing authentication system. Since the subjectKeyIdentifier is unique for each certificate that is issued1, it is wholly possible to associate it with a user’s account and check the supplied user certificate against a list of known client certificates in order to authorize the user in a transparent fashion.

There are many other ways a client certificate can be used to make your application even more secure. Like encrypting information before it is saved to permanent storage. You can also use the information contained in the client certificate to automatically fill in form fields. The biggest pitfall I can see to employing client certificates is the added complexity of the application.

Further reading:

  1. http://www.ietf.org/rfc/rfc3280.txt []

Tags: , , , , , , ,