[Extension] login via SSL client certificate

I created an extension for yii2 that performs an automatic login if the client provides a HTTPS client certificate that is associated with an identity / user.

Hi @fphammerle, I really need this extension. Can you elaborate more on how to implement this?

  1. how can I generate the certificate files?
  2. where do I store the certificate files locally, and which files?
  3. how to handle multiple users?

TIA,

Daniel

Hi Daniel,

as a first step you need to configure your webserver to request client certificates.

What webserver do you use?

For apache you can follow the steps here:

Does this guide help you?

ad question 1)
in addition to your server certificate you’ll need to create an additional certificate that you’ll use to sign the cert signing requests of all users.

  1. create a CA certificate (e.g. via openssl req -x509 -newkey rsa:4096 -keyout ca-key.pem -out ca-cert.pem -days 3650) on a secure device
  2. copy the CA certificate to the webserver and configure the webserver to find it (apache: SSLCACertificateFile)
  3. ask your users to send you a PKCS#10 certificate request (CSR).
    the CSR’s distinguished name should clearly identify each user (e.g. “CN=Fabian Peter Hammerle,C=AT”)
  4. sign those CSRs with the cert/key pair created in step 1.
    send back the resulting client/user certificates to the individual users.
    the users’ browsers will send the client certificate to your browser on each HTTP request.

ad question 2)
each user/client certificate that a browser sends to your webserver needs to have a “distinguished name” field.
the plugin will use the “distinguished name” to map the certificate to a user.
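
The steps above carried out with openssl, as an added example that is not part of the extension or of the original reply. It creates a CA, a user key plus CSR whose DN identifies the user, signs the CSR with the CA, and then does what the webserver does with SSLCACertificateFile: verify the chain before trusting the DN (Apache exposes it as SSL_CLIENT_S_DN). The user names, DNs and the temporary working directory are constructed for the demo; a second, self-signed certificate with the same DN is included to show that the DN alone must never be used for the mapping.

```shell
#!/bin/sh
# Demo of the CA -> CSR -> signed client cert flow (hypothetical names, not project code).
set -e
WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the generated files

# Step 1: self-signed CA key + certificate; the key stays on a secure device,
# only ca-cert.pem is copied to the webserver (SSLCACertificateFile).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/C=AT/CN=Demo Client CA" \
    -keyout "$WORK/ca-key.pem" -out "$WORK/ca-cert.pem" 2>/dev/null
}

# Step 3 (user side): private key + PKCS#10 CSR; the DN identifies the user.
make_csr() {  # $1 = user name, $2 = subject in openssl -subj form
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$WORK/$1-key.pem" -out "$WORK/$1.csr" 2>/dev/null
}

# Step 4 (CA side): sign the CSR; only the certificate goes back to the user.
sign_csr() {  # $1 = user name
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca-cert.pem" \
    -CAkey "$WORK/ca-key.pem" -CAcreateserial -days 365 -sha256 \
    -out "$WORK/$1-cert.pem" 2>/dev/null
}

# A certificate NOT issued by the CA but carrying the same DN (constructed attacker case).
make_self_signed() {  # $1 = name, $2 = subject
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "$2" \
    -keyout "$WORK/$1-key.pem" -out "$WORK/$1-cert.pem" 2>/dev/null
}

# Webserver side: verify the chain against the CA first; only then print the
# subject DN in RFC 2253 form (the value Apache puts into SSL_CLIENT_S_DN).
verify_and_dn() {  # $1 = name; prints the DN and returns 0, or returns 1
  openssl verify -CAfile "$WORK/ca-cert.pem" "$WORK/$1-cert.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/$1-cert.pem" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//'
}

main() {
  make_ca
  make_csr alice "/C=AT/CN=Alice Example"
  sign_csr alice
  verify_and_dn alice                       # prints CN=Alice Example,C=AT
  make_self_signed mallory "/C=AT/CN=Alice Example"
  verify_and_dn mallory || echo "rejected: same DN, not signed by our CA"
}
```

Run it as `sh demo.sh`; the DN printed for alice is the string the extension would map to a user, while mallory's certificate is rejected before its DN is ever read.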

Thank you @fphammerle, I will try and let you know the result

Btw, I have not yet tested this, but is this suitable for this condition?

I have terminal client where 2 users are using. I want to limit them only to be able to login from this terminal and not from mobile phone or other pc.

In the meantime, a supervisor or owner can also login from this terminal client. Owners and supervisors can also login from any computers.

Can I implement this situation with your extension?