Question

Hello and thanks for taking time to view my post.

I have a Client-Server suite with J2EE Applications on the server side and nothing but a browser (IE or Firefox) on the client side. Currently I use x509 (PKCS#12) software certificates on the client for two-way authentication.

The server certificates are expiring at the end of the month, so I requested new certificates and received quite a surprise. The new server certificate chain didn't match any part of my client certificates and is not interoperable. After an in-depth conversation with the Local Registration Authority (LRA), I found out that the network these servers and the clients reside on is migrating away from software certificates and towards a hardware token (smart card).

I've spent the past few days scouring the web trying to figure out what it is that I need to do to change from PKCS#12 software certs to PKCS#11 token certs. I have found a lot of information... actually too much information. And that is my problem.

Pretty much all the information that I've found talks about the Common Access Card (CAC), and the token that I'll be using is very similar... but I haven't found any information that tells me how to make the client web browser prompt the user for a smart card instead of a software certificate. I'm using WebLogic 12c servers and the server configuration is the same, regardless of what flavor of certificate I'm using.

I'm starting to suspect that it's the browser that makes the call as to what certificates to prompt for based upon certificates that it has 'seen' before. I use my CAC to log onto several sites, but have never been prompted to use my CAC to log into my development servers. The browsers only show me certificates that are compatible with the server certificate chain.

Is it possible that switching from software certificates to a smart card for client authentication is as simple as getting server certificates that are signed by the same Certificate Authority as the smart card?

This isn't something that I can just try... the process that I'd have to go through in order to get a server certificate signed by the same CA as my CAC is complex and I'd have to justify it. It can be done, just not easily and I'm hoping for more information before I go that route.

Thanks in advance for any information you can provide.

v/r Ace


Solution

I decided to go ahead and climb the mountain of red tape and requested and received test server certificates, tokens, readers, token reader middleware, etc...

To answer my own question: Yes, the act of changing out the server's certificate with one that contains a certificate signed by the same certificate authority chain causes the browser to prompt you for the token.

Note: You'll also need to install and configure whatever middleware you need for the token reader... but you probably already knew that. :)

-Ace
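The behaviour described in the answer comes from the TLS handshake: when the server requests a client certificate it sends the list of CA names it accepts, and the browser only offers client certificates (from a PKCS#12 file or a PKCS#11 token) that chain to one of those names. The script below is an added example, not part of the original post, and assumes the openssl CLI is installed; it extracts that list from `openssl s_client` output so you can confirm a new server certificate setup advertises the token's CA before rolling it out. The host/port and the sample handshake output are placeholders constructed for illustration.

```shell
#!/bin/sh
# Added example: show which CA names a TLS server advertises in its
# CertificateRequest. These names decide which client certificates the
# browser will prompt for. Assumes the openssl CLI is available.

# Read `openssl s_client` output on stdin and print the entries under
# "Acceptable client certificate CA names", one distinguished name per line.
extract_acceptable_cas() {
    awk '
        /^Acceptable client certificate CA names/ { inlist = 1; next }
        /^(No client certificate CA names sent|Client Certificate Types|Requested Signature Algorithms|---)/ { inlist = 0 }
        inlist && NF { print }
    '
}

# Live check against a server (host and port are placeholders).
# Usage: list_server_cas my-weblogic-host 443
list_server_cas() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" </dev/null 2>/dev/null | extract_acceptable_cas
}

# Exit 0 if the issuer DN given as $1 is one of the names read on stdin,
# i.e. a client certificate issued by that CA would be offered by the browser.
issuer_accepted() {
    grep -Fxq -- "$1"
}

# Constructed sample of the relevant part of `openssl s_client` output,
# used here so the functions can be exercised offline.
SAMPLE_S_CLIENT_OUTPUT='---
Acceptable client certificate CA names
C = US, O = Example Org, CN = Example Root CA
C = US, O = Example Org, CN = Example Token Issuing CA
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256
---'

cas_from_sample() {
    printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | extract_acceptable_cas
}
```

If a server prints "No client certificate CA names sent", the browser falls back to offering every client certificate it has, which is why the filtering only appears once the server's trust configuration names the token's CA.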

Licensed under: CC-BY-SA with attribution