问题
We have a proprietary framework and now we want to integrate the authentication by client side ssl certificates. What are the best practices to map a client certificate to a proprietary user account (for example a simple user table in the database)?
- Save to public key of the certificate?
- Save issuer and serialnumber?
Or are there other possibilities?
回答1:
Are you issuing the certificates (and have a possibility to set some fields of the certificate)? Does these certificates have to be integrated with a larger scale PKI environment like email-signing (I mean have you the X.509 interoperability nightmare)?
If you can create a certificate authority for the users, and have not to care about foreign systems, you can give each client certificate a common name attribute which maps directly to your user account. So you can check if the client certificate is signed by the user certificate authority and then match the certificate CN attribute.
When there is only a limited and well known number of signing certificates then I recommend to store this certificates and check the client certificates and accept them only if they are signed by one of the signing certificates. Then you use a field of the certificate which the issuing CA sets uniquely for each user (which stays equal when the user certificate gets renewed, many cooperations let user certificates time out after about one year) to connect this field with your user database.
If you can't issue the certificates you can store the hash of the certificate in the database, but this has the drawback that when a certificate runs out of date you need to update the database. The hash is unique to each certificate, while the most fields of a certificate can be spoofed.
You may also want to check the certificate revocation lists for the signing certificate authorities, so no user can access your service with a stolen certificate.
回答2:
We store the client certificate's serial and issuer DN and match it. According to http://www.tectia.com/manuals/server-admin/60/userauth-cert.html, this is enough to uniquely identify the certificate.
来源:https://stackoverflow.com/questions/2613649/what-are-the-best-practices-to-map-a-client-certificate-to-an-user-account