Holy crap! You can use SSL client certificates to easily authenticate user logins!

What the hell am I talking about?

So, there’s this thing, SSL client certificates. They are pretty much exactly the same as SSL server certificates, just issued to the client instead of the server. Getting one works like this:

  1. The web server has a key pair (this is the CA key that will sign client certificates).
  2. The client generates a key pair of its own.
  3. The client sends its public key to the server, as a certificate signing request; the private key never leaves the client.
  4. The server signs a certificate containing the client’s public key with its own private key and sends the certificate back to the client.
  5. The client saves the certificate next to its private key.

What’s that good for? Authentication! How’s it work? Basically:

  1. The server sends the client some fresh random data, and the client signs it with its private key.
  2. The client sends the signature and its certificate to the server.
  3. The server verifies the signature over the random data using the public key in the certificate.
  4. The server verifies that the certificate was signed by its own private key, i.e. that it issued the certificate.

The end result is that the server knows the client is in possession of the private key that goes with a certificate it issued, so it trusts the client. Because the signed data is fresh each time, a captured signature is useless for a replay. (This is more or less the same process that determines whether you get a broken lock or not when you connect to a server, the difference being that there it’s the server’s certificate, and the browser verifies it against the CA certificates it trusts.)
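Here is the whole exchange above, enrolment followed by a login, as an added example in Ruby using the standard OpenSSL library. It is not code from the original post; the helper names, the subject names and the one-year validity window are assumptions made for this example. The server side acts as the CA, issues the client certificate from a CSR, then challenges the client with 32 random bytes and checks both the challenge signature and the certificate’s own signature before accepting the login.

```ruby
require 'openssl'

DIGEST = 'SHA256'
ONE_YEAR = 365 * 24 * 60 * 60

# Helper (this example's own): fill in the X.509 fields common to every certificate minted here.
def new_certificate(subject:, issuer:, public_key:, serial:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                 # X.509 v3, required for extensions
  cert.serial = serial
  cert.subject = subject
  cert.issuer = issuer
  cert.public_key = public_key
  cert.not_before = Time.now - 60  # small clock-skew allowance
  cert.not_after = Time.now + ONE_YEAR
  cert
end

# Enrolment step 1: the server's key pair, used here as a CA key, plus a
# self-signed CA certificate that client certificates will be checked against.
def build_ca(common_name = 'Example Client CA')
  key = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert = new_certificate(subject: name, issuer: name, public_key: key.public_key, serial: 1)
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new(DIGEST))
  [key, cert]
end

# Enrolment steps 2-3: the client generates a key pair and builds a CSR carrying
# only the public key. The private key stays on the client.
def client_csr(client_key, common_name)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  csr.public_key = client_key.public_key
  csr.sign(client_key, OpenSSL::Digest.new(DIGEST))
  csr
end

# Enrolment step 4: the server checks the CSR's self-signature (proof the client
# holds the matching private key) and issues a client-auth certificate signed by the CA key.
def sign_csr(csr, ca_key, ca_cert, serial)
  raise 'CSR signature does not verify' unless csr.verify(csr.public_key)
  cert = new_certificate(subject: csr.subject, issuer: ca_cert.subject,
                         public_key: csr.public_key, serial: serial)
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = ca_cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature', true))
  cert.add_extension(ef.create_extension('extendedKeyUsage', 'clientAuth', false))
  cert.sign(ca_key, OpenSSL::Digest.new(DIGEST))
  cert
end

# Login step 1, server side: fresh random data, so a captured signature cannot be replayed.
def server_challenge
  OpenSSL::Random.random_bytes(32)
end

# Login step 1, client side: sign the challenge with the PRIVATE key.
def client_sign(client_key, nonce)
  client_key.sign(OpenSSL::Digest.new(DIGEST), nonce)
end

# Login steps 3-4: the certificate must be one our CA signed and still be valid,
# and the challenge signature must verify with the public key inside it.
# Returns the authenticated CN, or nil on any failure.
def authenticate(ca_cert, cert, nonce, signature)
  return nil unless cert.verify(ca_cert.public_key)
  now = Time.now
  return nil unless cert.not_before <= now && now <= cert.not_after
  return nil unless cert.public_key.verify(OpenSSL::Digest.new(DIGEST), signature, nonce)
  cn = cert.subject.to_a.find { |name, _value, _type| name == 'CN' }
  cn && cn[1]
rescue OpenSSL::PKey::PKeyError, OpenSSL::X509::CertificateError
  nil
end

if __FILE__ == $PROGRAM_NAME
  ca_key, ca_cert = build_ca
  alice_key = OpenSSL::PKey::RSA.new(2048)
  alice_cert = sign_csr(client_csr(alice_key, 'alice'), ca_key, ca_cert, 2)
  nonce = server_challenge
  puts "login as: #{authenticate(ca_cert, alice_cert, nonce, client_sign(alice_key, nonce)).inspect}"
  # A certificate for the same key from a CA we do not trust is rejected.
  rogue_key, rogue_ca = build_ca('Rogue CA')
  rogue_cert = sign_csr(client_csr(alice_key, 'alice'), rogue_key, rogue_ca, 2)
  puts "rogue CA: #{authenticate(ca_cert, rogue_cert, nonce, client_sign(alice_key, nonce)).inspect}"
end
```

In a real deployment the browser and Apache do the challenge and verification inside the TLS handshake, so the application only ever sees the already-verified certificate; the point of spelling it out here is to show which key signs what, and why a certificate from a CA the server does not trust, or a signature over a stale challenge, gets you nothing.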

While client certificates and their key pairs can be transferred between devices, it’s a pain to do, and basically impossible without access to the original device. The private key is never sent anywhere during login, so there is nothing for a phishing page or a network sniffer to capture; stealing one means getting at the device (or an exported copy of the key). They can be used alone for login or as a factor in multi-factor authentication. And they are supported by all of the major browsers, desktop and mobile, even that one that is usually a problem.

And yet, no one uses them.

Why? The usual reasons: everyone knows they are hard to set up, don’t have good browser support, and are too hard to use.

Wrong, wrong, and wrong. In the next few posts, I’ll walk through the process of creating certificates in an app, configuring Apache, and using them for authentication.

  1. Introduction (you’re reading it).
  2. CA Setup
  3. Apache Configuration
  4. Client Certificate Generation in Ruby
  5. Best practices
