Sunday, April 26, 2015

SSL Client Authentication



I currently have server SSL in place so that clients have a secure connection to my web server.



I am looking to implement client SSL certificates IN ADDITION TO regular username/password login, but I'm having a hard time understanding exactly what needs to happen.




  1. Should each user receive their own certificate?



    1. Should this be generated upon user account creation?

    2. Should a user receive a separate certificate for each device they use? (i.e. phone, tablet, pc)

    3. What should the fields in the certificates DN be?


  2. For each user certificate, should there be a corresponding private key, or a single key for all the certificates?

  3. How are these user certificates distributed? Is there an automated way to install them?


    1. Should they be stored on the server for download?




Answer



Should each user receive their own certificate?



Generally, yes.
You could use one certificate for everyone (and determine who the actual user is based on the username/password), but then if that certificate gets compromised you have to issue new certificates to everyone -- that's not convenient for you or your users.




  • Certificates should be generated per-user when their account is created.

  • Certificates can be either per-user or per-device
    This is an implementation choice. Do what makes sense for your environment:



    • If you're verifying that the device is authorized, a per-device certificate makes sense.

    • If you're verifying that a particular user (U/P) is who they say they are, per-user certs work.







Should there be one global private key, or a key for each certificate?




Definitely one key per certificate.



All of your user certificates should be a public/private pair, unique to a user (or device).
They should all be signed by one trusted authority (your company's CA certificate).






How are the user certificates distributed?



Any way you want (subject to the constraints of various platforms and software).
I suggest NOT posting them on a web page for anyone in the world to copy, but how you get certificates to devices is an implementation choice you get to make.




If you store the certificate pairs on a server you should be sure that server is secure -- you don't want someone getting their hands on all of your (valid) certificates.
Re-keying all your users will be an annoyance (and pretty hard to explain).






Definitely read the IT Security question dawud pointed you to which covers some of the mechanical aspects of generating the certificates (and equally important - the CRL).
IT Security also has other questions/answers about certificate authentication which would be a great resource for you in regard to the theory and principles you need to implement for this to actually be secure.


No comments:

Post a Comment

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...