I am looking for certificate management based on a PIN. The system I would like to have is this: I give my client a PIN (e.g., on a piece of label note) and he can use it as proof-of-identity to send a request and acquire a certificate (preferably through HTTPS?). Where can I find more detailed information regarding this technique? So far, I've checked the RFC of CMS, but there is no mention that you can use a PIN as proof-of-identity (only if the client has some type of certificate).

Thank you very much for the hint!


Solution

Instead of a PIN on a label, why not give your client a private key and certificate that you generate? You can put them on a USB drive, or even a special USB token device where the private key cannot be extracted. The client could then use that to connect to your service via 2-way SSL.
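The approach this answer proposes (an in-house CA issues each client a key and certificate, and the service accepts only certificates that chain to that CA and are marked for client authentication during the 2-way TLS handshake), as an added Go example that is not code from the original post. The CA name "Example Internal CA", the serial numbers and the helper names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign fills in subject and a one-day validity, signs tmpl with signer (parent == tmpl means self-signed) and parses the result.
func sign(tmpl, parent *x509.Certificate, serial int64, cn string, pub ed25519.PublicKey, signer ed25519.PrivateKey) (*x509.Certificate, error) {
	tmpl.SerialNumber, tmpl.Subject = big.NewInt(serial), pkix.Name{CommonName: cn}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IssueClientCert plays the operator in the answer: stand up a (constructed) in-house CA and issue a client-auth
// certificate for cn. The returned private key is the material that would go onto the client's USB token.
func IssueClientCert(cn string) (ca, client *x509.Certificate, clientKey ed25519.PrivateKey, err error) {
	caPub, caKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	caTmpl := &x509.Certificate{IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if ca, err = sign(caTmpl, caTmpl, 1, "Example Internal CA", caPub, caKey); err != nil {
		return nil, nil, nil, err
	}
	clientPub, clientKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	clientTmpl := &x509.Certificate{KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	client, err = sign(clientTmpl, ca, 2, cn, clientPub, caKey)
	return ca, client, clientKey, err
}

// VerifyClient is the check the service applies to the certificate presented in the 2-way TLS handshake.
func VerifyClient(ca, presented *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
```

In a real deployment the same check is what `tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: roots}` performs for you; a certificate the client made up himself, even one that says "client auth", does not chain to the CA and is rejected.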

Other tips

The system (PKI) just doesn't work like this. You would have to launch your own certificate management system -- purchase a sub-CA certificate from an existing CA, then start issuing your certificates. Next, your scheme of giving a PIN to the user is insecure, and the CA won't sell you the sub-CA certificate after reviewing it.

In general, your task requires a solid understanding of how PKI works and a solid security background. So the question is too broad for StackOverflow.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow