How does digital certificate authentication work?

10

I want to authenticate via digital certificate in a web application.

I have already read the data from my digital certificate that is connected to my machine.

The question is: "How do I authenticate?".

Should I get the public key and serialNumber, save them to my production database and check if they are the same as the local data?

I do not know if I understood correctly, but there is a concept of XML signing that I believe works like this: you save your certificate's data at some CA (certificate authority) and then check whether the data is there.

In short, what is the correct authentication cycle like?

Thanks in advance.

asked by anonymous 12.12.2016 / 19:07

1 answer

5

Digital certificate authentication works as follows:

The server, which itself has a valid certificate, must request a valid certificate based on a list of root certificates pre-configured in your web server. The client's certificate then needs to belong to this certificate chain. This process is called the SSL/TLS handshake.

The TLS handshake happens (and is completed) before any HTTP requests are sent to your application, and the handshake involves multiple messages from the client to the server and vice versa.

Here is a more detailed description of the SSL/TLS handshake applied to a login situation.

Therefore, any SSL requests are sent only after the SSL/TLS layer is ready.


Should I get the public key and serialNumber, save them to my production database and check if they are the same as the local data?

No. The certificate's serial number is unique, but the certificate has a validity period, so that is not enough. You must provide a means for the user to update their certificate after it expires, or use an official personal identification certificate such as those of ICP-Brasil, in the case of e-CPF or e-CNPJ. If you use e-CPF or e-CNPJ, you can link the user through the CPF or CNPJ, which can be extracted from the "DN_CN" of the certificate.

Some methods use an applet to create a web server on the user's machine that performs this handshake flow, and transport the certificate's public data in encrypted form to the application. This is how the Certisign Login API works. However, we know that browsers are dropping support for this technology, and we should avoid such implementations so as not to limit the browsers our application supports.


The question is: "How do I authenticate?".

You can similarly implement a subdomain configured to request the certificate, serialize that information, encrypt it, and then communicate with the primary application and authenticate the user.

This was the approach I implemented in my project; the goal is to allow login (or authorization of other actions within the account) or account creation.

17.04.2017 / 22:22
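The handshake the answer describes, as an added example that is not part of the original answer or of any product it mentions. This Go program builds a throwaway in-memory PKI (the CA, server and client certificates, the `users` map and the CN values are all constructed for the demo; `makeCert`, `setup` and `authenticate` are this example's own names) and runs the exchange over an in-memory pipe: the server is configured with a list of trusted roots and requires a client certificate chaining to one of them, and only after TLS has verified the chain does the application map the certificate's subject to an account. It tries three clients: one issued by the trusted CA with a known identity, one issued by the trusted CA whose identity has no account, and one from an unrelated CA that reuses the first client's CN, which the TLS layer rejects regardless of the name it carries. That last case is the practical answer to the question about storing the serial number: the trust decision comes from the chain, and the account lookup keys on the subject identity rather than on a serial that changes with every renewal.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

var users = map[string]string{"12345678900": "alice"} // constructed: subject identity (the CN, as with an e-CPF) -> account

// must keeps the constructed PKI setup short; these calls only fail on a broken RNG.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert issues a certificate signed by parent, or a self-signed CA when parent is nil. This is a
// constructed in-memory PKI; a real web server loads its list of trusted CAs from disk instead.
func makeCert(cn string, serial int64, eku x509.ExtKeyUsage, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // expiry is enforced by chain verification
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		DNSNames:              []string{"localhost"},
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku}
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// setup builds the constructed PKI: one trusted CA issuing the server cert and two client certs (alice
// and a CN with no account), plus a client cert from an unrelated CA that even reuses alice's CN.
func setup() (pool *x509.CertPool, server, trusted, unknown, stranger tls.Certificate) {
	ca, other := makeCert("Demo Root CA", 1, 0, nil), makeCert("Unrelated CA", 2, 0, nil)
	pool = x509.NewCertPool()
	pool.AddCert(ca.Leaf) // the pre-configured root list the answer mentions
	server = makeCert("localhost", 3, x509.ExtKeyUsageServerAuth, &ca)
	trusted = makeCert("12345678900", 4, x509.ExtKeyUsageClientAuth, &ca)
	unknown = makeCert("00000000000", 5, x509.ExtKeyUsageClientAuth, &ca)
	stranger = makeCert("12345678900", 6, x509.ExtKeyUsageClientAuth, &other)
	return
}

// authenticate runs the handshake the answer describes over an in-memory pipe: the server demands a client
// certificate chaining to its CA list, and only after TLS has verified it does the app map it to an account.
func authenticate(pool *x509.CertPool, server, client tls.Certificate) (string, error) {
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()
	// net.Pipe is unbuffered: a rejection alert and a still-unread client flight would block each other, so use a deadline.
	srvConn.SetDeadline(time.Now().Add(2 * time.Second))
	cliConn.SetDeadline(time.Now().Add(2 * time.Second))
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{server},
		ClientAuth:             tls.RequireAndVerifyClientCert, // request and verify the client cert
		ClientCAs:              pool,
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true, // keep the pipe traffic to the handshake itself
	}
	clientCfg := &tls.Config{Certificates: []tls.Certificate{client}, RootCAs: pool, ServerName: "localhost"}
	go tls.Client(cliConn, clientCfg).Handshake()
	srv := tls.Server(srvConn, serverCfg)
	if err := srv.Handshake(); err != nil {
		return "", fmt.Errorf("TLS layer rejected the client: %w", err)
	}
	// RequireAndVerifyClientCert guarantees a verified chain whose leaf is the client's certificate. The
	// serial is unique but changes on renewal, so the account is keyed on the subject identity instead.
	leaf := srv.ConnectionState().VerifiedChains[0][0]
	if account, ok := users[leaf.Subject.CommonName]; ok {
		return account, nil
	}
	return "", fmt.Errorf("certificate for CN %q is valid but has no account", leaf.Subject.CommonName)
}

func main() {
	pool, server, trusted, unknown, stranger := setup()
	for _, c := range []tls.Certificate{trusted, unknown, stranger} {
		fmt.Println(authenticate(pool, server, c))
	}
}
```

Running it prints the three outcomes in order: alice for the trusted client, a "valid but has no account" error for the unknown CN, and a TLS-layer rejection for the certificate from the unrelated CA; that last call takes about two seconds, because the pipe deadline is what ends the mutual block between the server's alert and the client's unread flight (a real socket has a kernel buffer and needs no such workaround). The same split exists in a real deployment: the web server or reverse proxy carries the CA list and the client-certificate requirement, and the application only ever sees a subject that has already passed chain verification.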
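The hand-off from the certificate-requesting subdomain to the primary application that the answer describes (serialize the certificate data, encrypt it, pass it on, then authenticate) can be carried by an authenticated-encryption token. The following is an added example, not the answerer's code: the `handoff` struct and its field names, the 32-byte shared key and the 30-second lifetime are all this example's own assumptions. The token is sealed with AES-GCM so the receiving application can detect tampering as well as decrypt it, and it carries an issue time so a captured token cannot be replayed later.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// handoff is what the certificate-requesting subdomain passes to the primary application: the identity
// taken from the client certificate it has already verified, plus an issue time so the token cannot be
// replayed later. The struct and its field names are this example's own assumptions.
type handoff struct {
	Subject  string    `json:"sub"` // e.g. the CPF or CNPJ read from the certificate's DN_CN
	Serial   string    `json:"serial"`
	IssuedAt time.Time `json:"iat"`
}

// seal serializes the hand-off and encrypts it with AES-GCM under a key shared by the two hosts, so the
// primary application can detect tampering as well as read it. The output is URL-safe base64 so it can
// travel in a redirect or a form post.
func seal(key []byte, h handoff) (string, error) {
	plain, err := json.Marshal(h)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per token; never reuse one under the same key
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, plain, nil)), nil
}

// unseal reverses seal and rejects tokens that fail authentication or are older than maxAge; the short
// lifetime limits what a captured token is worth. now is a parameter so the check is testable.
func unseal(key []byte, token string, maxAge time.Duration, now time.Time) (handoff, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return handoff{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return handoff{}, err
	}
	if len(raw) < gcm.NonceSize() {
		return handoff{}, errors.New("token too short")
	}
	plain, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return handoff{}, errors.New("token failed authentication") // tampered, truncated or wrong key
	}
	var h handoff
	if err := json.Unmarshal(plain, &h); err != nil {
		return handoff{}, err
	}
	if h.IssuedAt.After(now) || now.Sub(h.IssuedAt) > maxAge {
		return handoff{}, errors.New("token expired")
	}
	return h, nil
}

// newGCM builds the AEAD from the shared key, which must be 16, 24 or 32 bytes long.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key := make([]byte, 32) // constructed here; in practice a key shared out of band between the two hosts
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	tok, err := seal(key, handoff{Subject: "12345678900", Serial: "4", IssuedAt: time.Now()})
	if err != nil {
		panic(err)
	}
	fmt.Println(unseal(key, tok, 30*time.Second, time.Now()))
}
```

The primary application should treat the token as the only input it trusts from the subdomain: a token that fails `unseal`, whether because a byte was altered, it was produced under a different key, or it is older than the allowed window, yields no identity at all, so the account lookup never runs on unverified data.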