The IoT_pki can also be used with a browser, to enable users to authenticate with your applications without passwords.
You have installed and configured the open source IoT_pki software on your server.
You have created a CA certificate on the IoT_pki server.
Log in as the administrator, then create and approve a certificate request for the user. Upon approval, the link for the certificate will be sent automatically to the user's email address, as indicated on the certificate request.
Once the certificate request is approved, the user can download the certificate from:
The user should receive a link via email following the authorization process.
Settings > Advanced > Privacy and Security > Your Certificates > Import
Browse to the .pk12 file you just downloaded, and import it into Chrome.
Go to https://pki.myserver.com/IoT_pki/test_client_cert/
You should see a welcome message to indicate that your certificate is authenticating correctly.
When your certificate is due for renewal, you can navigate to
This will enable you to download a new P12 certificate to install in your browser. If you have a valid certificate, then administrator authorization will not be required.
Client authentication with certificates requires a secure SSL connection. If the PKI server is using self-signed certificates, you need to ensure that they are in your browser's “trusted authorities” list of certificates, so that a secure HTTPS connection is made.
Firefox does not appear to be compatible with self-signed client certificates at this time.
There are two ways to control access to apps via X.509 certificates. The first is to use NGINX to allow or deny access to a URI according to whether a user is authenticated or not. This is suitable for allowing or denying access to certain parts of an application, but does not usually provide a proper authentication system.
The second is to pass the user certificate details to the underlying application, so that the application can apply access and authentication based on the user name.
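An NGINX server block showing both approaches, added here as an example and not taken from the IoT_pki project. The file paths, the /admin/ URI, the X-SSL-Client-* header names and the upstream address are assumptions; only the host name comes from the test URL above.

```nginx
# Added example: paths, header names, /admin/ and the upstream are assumptions.
server {
    listen 443 ssl;
    server_name pki.myserver.com;

    ssl_certificate         /etc/nginx/tls/server.crt;      # assumed path
    ssl_certificate_key     /etc/nginx/tls/server.key;      # assumed path

    # CA that signed the user certificates (the CA created on the IoT_pki server).
    ssl_client_certificate  /etc/nginx/tls/iot_pki_ca.crt;  # assumed path

    # "optional" asks the browser for a certificate but completes the handshake
    # without one, so each location can decide. Use "on" to require a valid
    # certificate for every URI on this server.
    ssl_verify_client       optional;

    # Set at server level so every location inherits them. Setting the headers
    # unconditionally overwrites any same-named headers sent by the client,
    # which would otherwise let a request claim an identity it does not hold.
    proxy_set_header X-SSL-Client-Verify $ssl_client_verify;  # SUCCESS, FAILED:<reason> or NONE
    proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;    # subject DN of the user certificate
    proxy_set_header X-SSL-Client-Serial $ssl_client_serial;  # serial number, useful for audit logs

    # First approach: NGINX itself allows or denies the URI.
    location /admin/ {
        # Only a certificate that chains to the CA above yields SUCCESS.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_pass http://127.0.0.1:8000;
    }

    # Second approach: the application receives the certificate details and
    # applies its own access rules based on the user name in the subject DN.
    location / {
        proxy_pass http://127.0.0.1:8000;
    }
}
```

The application should accept the X-SSL-Client-* headers only on connections from NGINX (here it listens on loopback only), and should treat any value of X-SSL-Client-Verify other than SUCCESS as unauthenticated.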