
Authenticating access to web app using client certificates

IoT_pki can also be used with a browser, enabling users to authenticate to your applications with a client certificate instead of a password.

Pre-requisites

You have installed and configured the open source IoT_pki software on your server.

You have created a CA certificate on the IoT_pki server.

Create and Authorize Certificate Request from Administrators control panel

Log in as the administrator, then create and approve a certificate request for the user. Upon approval, a link to the certificate is sent automatically to the email address given on the certificate request.

Collect your client certificate

Once the certificate request is approved, the user can download the certificate from:

https://pki.myserver.com/Iot_pki/collect_cert/PKCS12/<token>/

The user should receive a link via email following the authorization process.

Install the Client Certificate in client Browser

Google Chrome

Settings > Advanced > Privacy and Security > Your Certificates > Import

Browse to the .p12 file you just downloaded and import it into Chrome.

Test your certificate

Go to https://pki.myserver.com/IoT_pki/test_client_cert/

You should see a welcome message to indicate that your certificate is authenticating correctly.

Renew Your Certificate

When your certificate is due for renewal, you can navigate to

https://pki.myserver.com/IoT_pki/renew_cert/PKCS12/

This will enable you to download a new P12 certificate to install in your browser. If your current certificate is still valid, administrator authorization is not required for the renewal.

Troubleshooting

Client authentication with certificates requires that a secure SSL/TLS connection is established first. If the PKI server is using self-signed certificates, you need to ensure that they are in your browser's “trusted authorities” list of certificates, so that a secure https connection can be made before the client certificate is requested.

Firefox

Firefox does not appear to be compatible with self-signed client certificates at this time.

Configuring Your Apps to Authenticate Without Passwords Using X.509 Certificates

There are two ways to control access to apps via X.509 certificates. The first is to use NGINX to allow or deny access to a URI according to whether the client presented a certificate that NGINX verified against the CA. This is suitable for allowing or denying access to certain parts of an application, but does not usually provide a proper authentication system, because the application never learns which user made the request.

The second is to pass the user certificate details (for example the subject DN) from NGINX to the underlying application, so that the application can apply authentication and access control based on the user name in the certificate.
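As an added illustration of both approaches (not code from this page or from the IoT_pki project), the following Python function shows what the application side does with the certificate details NGINX forwards. The NGINX directives in the docstring, the header names and the CA file path are assumptions for the example; the subject DN formats are the two that NGINX versions have emitted.

```python
"""Application-side check of the client-certificate details forwarded by NGINX.

Assumed NGINX configuration (illustrative, not from the page):

    ssl_client_certificate /etc/nginx/iot_pki_ca.pem;   # CA cert from the IoT_pki server
    ssl_verify_client optional;                         # "on" rejects cert-less clients at handshake

    location /admin/ {                                  # approach 1: allow/deny in NGINX only
        if ($ssl_client_verify != SUCCESS) { return 403; }
        proxy_pass http://127.0.0.1:8000;
    }
    location /app/ {                                    # approach 2: forward details to the app
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8000;
    }

proxy_set_header overwrites both headers on every request, so a client cannot
inject its own values; the app must only be reachable through this proxy.
"""
import re


def common_name(dn):
    """Extract the CN from a subject DN in either format NGINX has used."""
    if dn.startswith("/"):
        # OpenSSL one-line format used by NGINX before 1.11.6: /C=GB/O=Example/CN=alice
        parts = [p for p in dn.split("/") if p]
    else:
        # RFC 2253 format used since NGINX 1.11.6: CN=alice,O=Example,C=GB
        # (split on commas that are not escaped with a backslash)
        parts = re.split(r"(?<!\\),", dn)
    for part in parts:
        key, sep, value = part.partition("=")
        if sep and key.strip().upper() == "CN":
            value = value.strip().replace("\\,", ",")  # undo RFC 2253 comma escaping
            return value or None
    return None


def authenticated_user(headers):
    """Return the certificate's CN as the user name, or None if not authenticated.

    `headers` is the request header mapping as received from NGINX. The DN is only
    used when NGINX reports SUCCESS; NONE (no certificate), FAILED:<reason> (bad or
    expired certificate) and a missing header all count as unauthenticated.
    """
    if headers.get("X-SSL-Client-Verify") != "SUCCESS":
        return None
    return common_name(headers.get("X-SSL-Client-S-DN", ""))
```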

pki/authenticating_access_to_web_app_using_client_certificates.txt · Last modified: 2017/07/20 13:54 by matt