[ale] Is anyone actually using: Client side certificates for Auth ?
Mike Harrison
meuon at geeklabs.com
Tue Mar 3 14:39:46 EST 2009
I'm working on a paranoia driven side project.
I really want to limit access to a 'website'
to about 20 very carefully set up clients,
14 of which are Firefox on Linux, the other
6 will be MSIE or Firefox on WinXP.
Apache is SSL only, and has private certs
(TinyCA rocks for a private cert authority)
the site uses digest auth and forces SSL,
which I am happy with. I even have
IP address access control per login,
example: CSR3 can only log in from 192.168.33.78
I'd like to add client side certificates required.
No problem on the Apache side.
I'm currently looking at various methods for generating
and issuing a certificate for the client web browser.
While this is currently a 'one off', I hope to have to
do this more.
It seems that the best way is to generate them,
both keys and cert request, for each browser
on the server (or at least a Linux machine)
with openssl. On Firefox it's a pretty straightforward
import process... I'll figure out the MSIE way soon.
But I would think there would be a simple menu option
for "generate CSR" for the browser... and a simple
"import" function - if this was actually being used
in the real world. I see add-ons for Firefox for this...
The real question is:
----------------------
Is anyone actually using this (client certs) in production
or is the technical management overhead just too heavy?
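
Added example, not part of the original post: a sketch of the per-browser issuance described above, with the key and CSR generated by openssl on a Linux machine and bundled as PKCS#12 for browser import. The throwaway CA, directory layout, function names and passphrase are constructed for illustration; in the setup described, the TinyCA-managed private CA would do the signing.

```shell
#!/bin/sh
# Added example: issue one client certificate per browser with openssl.
set -eu

# make_demo_ca DIR: throwaway CA (assumption: stands in for the real private CA).
make_demo_ca() (
    umask 077
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example Private CA/CN=Demo Root" \
        -keyout "$1/ca.key" -out "$1/ca.crt"
)

# issue_client_cert DIR NAME P12_PASSPHRASE
# Writes NAME.key, NAME.csr, NAME.crt and NAME.p12 into DIR.
issue_client_cert() (
    umask 077                      # private key and bundle readable by owner only
    dir=$1 name=$2 pass=$3
    # Key pair and certificate request for this one browser.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr"
    # Restrict the certificate to TLS client authentication.
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature' \
        'extendedKeyUsage=clientAuth' > "$dir/$name.ext"
    openssl x509 -req -in "$dir/$name.csr" -sha256 -days 365 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt"
    # PKCS#12 bundle (key + cert + CA cert) is what the browser imports.
    openssl pkcs12 -export -name "$name" \
        -inkey "$dir/$name.key" -in "$dir/$name.crt" -certfile "$dir/ca.crt" \
        -passout "pass:$pass" -out "$dir/$name.p12"
)

# check_client_cert DIR NAME: succeeds only if the cert chains to the CA
# and is acceptable for TLS client authentication.
check_client_cert() {
    openssl verify -purpose sslclient -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null
}

# Usage (constructed values):
#   make_demo_ca ./pki && issue_client_cert ./pki CSR3 'long passphrase'
```

Because the private key is created off the client, the .p12 and its passphrase should reach the user by separate channels, and the server-side copies of NAME.key and NAME.p12 should be deleted once the import succeeds.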