Instead of a PIN on a label, why not give your client a private key and certificate that you generate? You can put them on a USB drive, or even a special USB token device where the private key cannot be extracted. The client could then use that to connect to your service via 2-way SSL.
Certificate request by PIN?
01-07-2022
Question
I am looking for certificate management based on a PIN. The system I would like to have is this: I give my client a PIN (e.g., on a piece of label note) and he can use it as proof-of-identity to send a request and acquire a certificate (preferably through HTTPS?). Where can I find more detailed information regarding this technique? So far, I've checked the RFC of CMS but there is no mention that you can use a PIN as proof-of-identity (only if the client has some type of certificate).
Thank you very much for the hint!
Solution
OTHER TIPS
The system (PKI) just doesn't work like this. You would have to launch your own certificate management system -- purchase a sub-CA certificate from an existing CA, then start issuing your certificates. Next, your scheme of giving a PIN to the user is insecure, and the CA won't sell you the sub-CA certificate after reviewing it.
In general, your task requires a solid understanding of how PKI works and of the security background. So the question is too broad for StackOverflow.
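Both answers point the same way: run your own CA that issues certificates, hand each client a private key and certificate (the first answer suggests a USB drive or a non-exportable token), and let the client authenticate with 2-way SSL (mutual TLS) instead of a PIN. The Go program below is an added illustration of that design, not code from this thread or from any project named in it. It generates a private CA, issues a server certificate and a client certificate, then runs a TLS handshake over a loopback socket in which the server demands a client certificate that chains to the CA. It also exercises the two cases a practitioner should test: a client that presents no certificate, and a client whose certificate carries the same name but was issued by a different CA. The names "Example Private CA", "alice" and "Rogue CA", the loopback address and the in-process key generation are assumptions of the example; in a real deployment the client key would be generated on, or loaded onto, the client's drive or token and never seen by the server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// identity is a certificate, the private key it certifies, and the pair packaged for tls.Config.
type identity struct {
	cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	tlsCert tls.Certificate
}

// issue generates a P-256 key and a certificate for cn: a self-signed CA when issuer is nil,
// otherwise an end-entity certificate signed by issuer with sans as its DNS subject alt names.
func issue(cn string, issuer *identity, sans ...string) (*identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: sans,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
		parent, signer = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &identity{cert, key, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: cert}}, nil
}

// acceptOne serves a single handshake and returns the CommonName of the client certificate it verified.
func acceptOne(ln net.Listener, cfg *tls.Config) (string, error) {
	raw, err := ln.Accept()
	if err != nil {
		return "", err
	}
	conn := tls.Server(raw, cfg)
	defer conn.Close()
	if err := conn.Handshake(); err != nil {
		return "", err
	}
	// RequireAndVerifyClientCert guarantees a verified, non-empty chain at this point.
	return conn.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

// mutualTLS runs one mutually authenticated handshake over a loopback TCP socket: the server accepts
// only clients whose certificate chains to ca, the client only such servers. It returns the client
// CommonName the server verified; pass no client certificate to simulate an anonymous client.
func mutualTLS(ca, server *identity, client ...tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.cert)
	serverCfg := &tls.Config{Certificates: []tls.Certificate{server.tlsCert}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12} // unverified clients fail
	clientCfg := &tls.Config{Certificates: client, RootCAs: pool, ServerName: "localhost", MinVersion: tls.VersionTLS12}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	type verdict struct{ cn string; err error }
	done := make(chan verdict, 1)
	go func() { cn, err := acceptOne(ln, serverCfg); done <- verdict{cn, err} }()
	conn, dialErr := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if dialErr == nil {
		conn.Close()
	}
	// The server's verdict is what matters: under TLS 1.3 the client side of the handshake can
	// finish before the server has even examined the client certificate.
	v := <-done
	if v.err != nil {
		return "", v.err
	}
	if dialErr != nil {
		return "", dialErr
	}
	return v.cn, nil
}
```

With `ca, _ := issue("Example Private CA", nil)`, `server, _ := issue("localhost", ca, "localhost")` and `alice, _ := issue("alice", ca)`, the call `mutualTLS(ca, server, alice.tlsCert)` returns `"alice"`, while `mutualTLS(ca, server)` and a call with a certificate for "alice" issued by a second, self-signed `issue("Rogue CA", nil)` both return an error from the server's handshake. The name the server acts on comes from the chain it verified against `ClientCAs`, which is why the identity can be trusted: possession of the private key is proven inside the handshake, and no shared secret ever travels over the wire or sits on a label.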