Question

I have an ASP.NET MVC5 site that uses forms authentication, but is also using client certificates for an added layer of security by setting:

<security>
    <access sslFlags="SslNegotiateCert" />
</security>

The client certificate is optional because it isn't required until the user actually attempts to log into the site. When the user attempts to log in, the site will validate the Thumbnail, Issuer, and compare the Subject to the user attempting to log in (there will be a different certificate per user). The problem is that every time a user comes to the site they are prompted to provide a client certificate when they first enter the site, which may cause issues if:

  • they accidentally select the wrong certificate
  • want to log off & log back in with a different user (not re-prompted for a cert)

Is there a way to silently\automatically detect a client certificate based on the log-in provided rather than having the user select a certificate on first entering the site?

EDIT: Adding more specific example of Actual\Desired behavior

Actual Behavior:

  • User opens up Chrome and goes to http://www.example.com
  • Chrome pop-up asks user what client certificate they want to use
  • User chooses "user3 (www.example.com)"
  • User sees unauthenticated home page view & clicks the "Log In" button
  • User enters Username: "user2" and Password: "****"
  • Site validates that ClientCertificate.Subject == Username (fails because certificate is for "user3")

Desired Behavior:

  • User opens up Chrome and goes to http://www.example.com
  • User sees unauthenticated home page view & clicks the "Log In" button
  • User enters Username: "user2" and Password: "****"
  • Browser does something to silently detect if client has certificate "user2 (www.example.com)" with little to no user interaction

    Question: Is the "Desired Behavior" possible in some way? (header? javascript? browser plug-in?)
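The server-side half of what the question describes (check the negotiated certificate's thumbprint and issuer, then compare its Subject to the submitted username) can at least fail cleanly when the wrong certificate was picked. The following is an added example, not code from the question or either answer: `ClientCertValidator` reads `Request.ClientCertificate` (the `HttpClientCertificate` IIS populates when `SslNegotiateCert` is set), rebuilds and verifies the chain, and reports a specific outcome the controller can log. `UserStore`, `expectedThumbprint` and `expectedIssuer` are assumed placeholders for whatever per-user store holds the certificate details; matching the certificate CN to the login name is an assumption about how the per-user certificates are issued.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Added example (not from the question or the answers). Validates the client
// certificate IIS negotiated against the user who is trying to log in.
public class ClientCertValidator
{
    // Distinct outcomes so the server log says why a login was refused while the
    // browser only gets a generic "certificate does not match this account".
    public enum Outcome { Ok, NoCertificate, BadChain, ThumbprintMismatch, IssuerMismatch, SubjectMismatch }

    public static Outcome Validate(HttpClientCertificate clientCert, string username,
                                   string expectedThumbprint, string expectedIssuer)
    {
        // With SslNegotiateCert (not SslRequireCert) the browser may have sent nothing.
        if (clientCert == null || !clientCert.IsPresent || clientCert.Certificate == null)
            return Outcome.NoCertificate;

        var cert = new X509Certificate2(clientCert.Certificate);

        // Rebuild the chain (trusted root, validity period, revocation) instead of
        // trusting the raw DER blob alone; a pinned thumbprint does not check expiry.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        if (!chain.Build(cert))
            return Outcome.BadChain;

        // Thumbprints are hex strings; normalise spacing and case before comparing.
        var actualThumbprint = (cert.Thumbprint ?? string.Empty).Replace(" ", string.Empty);
        var wantedThumbprint = (expectedThumbprint ?? string.Empty).Replace(" ", string.Empty);
        if (!string.Equals(actualThumbprint, wantedThumbprint, StringComparison.OrdinalIgnoreCase))
            return Outcome.ThumbprintMismatch;

        if (!string.Equals(cert.Issuer, expectedIssuer, StringComparison.Ordinal))
            return Outcome.IssuerMismatch;

        // Compare only the CN (assumed to carry the username) rather than the whole
        // Subject DN, so differences in O= / OU= ordering do not break the match.
        var commonName = cert.GetNameInfo(X509NameType.SimpleName, forIssuer: false);
        if (!string.Equals(commonName, username, StringComparison.OrdinalIgnoreCase))
            return Outcome.SubjectMismatch;

        return Outcome.Ok;
    }
}

// Hypothetical per-user record; replace with your own user store.
public class UserRecord
{
    public string Username;
    public string CertThumbprint;
    public string CertIssuer;
    public bool PasswordMatches(string password) { /* your own hashing/compare */ return false; }
}

public static class UserStore
{
    // Hypothetical lookup; returns null for an unknown user.
    public static UserRecord Find(string username) { return null; }
}

public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(string username, string password)
    {
        var user = UserStore.Find(username);
        if (user == null || !user.PasswordMatches(password))
        {
            ModelState.AddModelError(string.Empty, "Invalid username or password.");
            return View();
        }

        var outcome = ClientCertValidator.Validate(Request.ClientCertificate, username,
                                                   user.CertThumbprint, user.CertIssuer);
        if (outcome != ClientCertValidator.Outcome.Ok)
        {
            // Log the precise reason server-side; keep the message to the user generic.
            System.Diagnostics.Trace.TraceWarning("Client cert check failed for {0}: {1}", username, outcome);
            ModelState.AddModelError(string.Empty,
                "The client certificate presented does not match this account. " +
                "Close the browser and select the correct certificate when prompted.");
            return View();
        }

        FormsAuthentication.SetAuthCookie(username, false);
        return RedirectToAction("Index", "Home");
    }
}
```

This does not solve the browser-side prompt the question is about; the certificate chosen at the first TLS handshake is what the server sees for the rest of that connection, which is why the user-facing message above tells the user to restart the browser rather than pretending a different certificate can be picked on the fly. The chain build with online revocation checking adds latency on first use; if the issuing CA is internal, make sure its CRL or OCSP endpoint is reachable from the web server or switch to `X509RevocationMode.Offline` with a scheduled CRL download.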


Solution

By default, and due to security issues, there is no way to select a certificate for the user at all when he is visiting a website.

The user can configure their browser to use a specific certificate for a website by default if he wants, but that's a different thing.

For the second part, the certificate is used to secure the connection between the browser (client) and the server, so if you want to use another certificate you have to terminate the connection between the browser and the server entirely; unfortunately, in most cases you would need to close the browser and open it again for that to happen, or clear the certificate cache, but that needs to be done manually by the user in his browser.

You can find a very good explanation about how certificates and SSL works here:

https://security.stackexchange.com/questions/20803/how-does-ssl-work

OTHER TIPS

I am not aware of a way to do this within a single application. One way to do it is to create two asp.net-mvc applications. The second site would be a sub-directory application with the SslNegotiateCert in the sub-directory's web.config and contain all the secure methods/logins etc.

Licensed under: CC-BY-SA with attribution