[ale] Is anyone actually using: Client side certificates for Auth ?

Mike Harrison meuon at geeklabs.com
Tue Mar 3 18:29:34 EST 2009


> The easy-rsa suite of scripts (found bundled with OpenVPN) makes
> managing keys a breeze.  It wouldn't be much work to put a web
> frontend on them, I would imagine.

It's < 10 lines of perl to loop through and create a batch,
with keys and

Then I imported the CSRs into TinyCA and signed them.
Then exported each from TinyCA, signed with keys for each
(another perl script) and exported as a PFX
and copied one to each client. Installed in Firefox. Tested. :)

Helpful links were:
http://security.ncsa.uiuc.edu/research/grid-howtos/usefulopenssl.php
http://web.asu.edu/community/installing-client-certificate-windows-machine


> To see a working site which uses them, take a look at cacert.org.

Kewl. I did not know of them..


Still.. not as easy as I thought it would be by now.
There are strange ways of doing this with JavaScript
with calls like: generateCRMFRequest()
but I only spent a few minutes on that rabbit hole.

I had done this once before around 1999-2000, I think it was harder then, 
but I don't remember the details.
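
The batch workflow described in this message (per-user key and CSR, CA signature, PFX export), as an added example that is not part of the original post. It uses the openssl command line directly in place of the perl scripts and TinyCA; the user names, CA subject and export password are constructed.

```shell
#!/bin/sh
# Added example: batch-issue TLS client certificates with the openssl CLI.
# Constructed values: user names, CA subject, and the "changeit" password.
set -eu

make_ca() {                       # $1 = work dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo Client CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_client() {                  # $1 = work dir, $2 = user; password in $PFX_PASS
    d=$1; u=$2
    # 1. Per-user private key and certificate signing request.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$u" \
        -keyout "$d/$u.key" -out "$d/$u.csr" 2>/dev/null
    # 2. CA signs the CSR; the extensions limit the cert to TLS client auth.
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature' \
        'extendedKeyUsage=clientAuth' > "$d/client.ext"
    openssl x509 -req -in "$d/$u.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 90 -extfile "$d/client.ext" \
        -out "$d/$u.crt" 2>/dev/null
    # 3. Bundle key, cert and CA cert into a PKCS#12 (.pfx) file for the browser.
    #    The password comes from the environment, not the command line.
    openssl pkcs12 -export -inkey "$d/$u.key" -in "$d/$u.crt" \
        -certfile "$d/ca.crt" -name "$u" -passout env:PFX_PASS \
        -out "$d/$u.pfx"
    # Drop the loose key and CSR; the key now lives only inside the PFX.
    # (rm is not a secure wipe.)
    rm -f "$d/$u.key" "$d/$u.csr"
}

verify_client() {                 # $1 = work dir, $2 = user
    # Chain check plus purpose check: must be usable as a TLS client cert.
    openssl verify -purpose sslclient -CAfile "$1/ca.crt" "$1/$2.crt"
}

# Demo run over a constructed user list.
work=$(mktemp -d)                 # mktemp -d creates the directory mode 0700
export PFX_PASS=changeit
make_ca "$work"
for user in alice bob; do
    issue_client "$work" "$user"
    verify_client "$work" "$user"
done
```
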




