The form performed by the Certisign Login button is very limited: only Java and .NET are supported. Sites that use this technology are bound to have many problems, because it depends on customer configuration, which is precisely the advantage of having web systems.
Serasa, for example, in the method that tests the digital certificate, declares in its code a "javascript" pointing to this PHP, which dynamically generates code that does nothing more than declare a variable like this, allowing it to be read via JavaScript:
```javascript
var requestOk = {
    'data':'04/04/2017 às 10:58',
    'titular':'[email protected]',
    'tipo':'0',
    'validade':'09/09/2016 até 09/12/2019',
    'renovar':'0',
    'dias':'979',
    'serasa':'0',
    'empresa':'StartCom Class 1 Client CA'
};
```
Their page that does this work is this: https://serasa.certificadodigital.com.br/wp-content/themes/serasaLoja/testeRequest1/testeRequest.php
Note: only if you have a valid certificate on the machine will you be able to view this response. You can download and install these Lacuna Software test certificates: https://github.com/LacunaSoftware/RestPkiSamples/blob/master/TestCertificates.md. This company has a solution that claims to be cross-browser, but I never tested it because the cost (R$0,50/request) makes it unviable for certain projects.
Therefore, the only way to perform this validation is in the backend. However, it is not that simple: it is not possible to do this with PHP alone, because the certificate negotiation happens at the network layer, when you are opening a connection to the web server, even before PHP is processed.
What is done is this:
- A configuration is activated on the web server that checks the client's certificate.
- The browser understands this and opens this dialog box for the client to allow access and select the certificate, according to the image:
- After the client selects the certificate, the connection to the server proceeds normally, and the variables are exported as environment variables that can be easily read from `$_SERVER`, under keys starting with "SSL".
Each web server has its own way to accomplish this. Here is how it is configured in Lighttpd: https://redmine.lighttpd.net/boards/2/topics/5157?r=7273#message-7273. And here (in English) is an article that shows how it is done in PHP using Apache: https://cweiske.de/tagebuch/ssl-client-certificates.htm
So the answer that it is "not possible with Chrome and other browsers" is not true; the difficulty is great, but it is not impossible.
Using Certisign Login is just a simpler stopgap, but it only works for national websites and depends on Java installed on the clients and/or ActiveX for .NET. However, you are limited to language and complex client installation. Chrome itself eliminated the possibility of Java applets, leaving only Firefox and IE (with ActiveX), which makes this method very restrictive.
About obtaining the CPF/CNPJ from the certificate: the ones I have for testing are from "SOLUTI". In the CN, after the name, the character `:` separates the numerical sequence of the CPF or CNPJ, and it can be extracted in this way.
If you work with other certifiers, please leave a comment on this answer saying whether they also express the CPF or CNPJ number in this way.
There is still today this difficulty of native support in the browsers, but I believe that in the future the tendency is for it to become simpler and safer to obtain the certificate without far-fetched alternative programming resources, empowering purely web applications to obtain this information with the user's permission.
The new address of the Serasa test is this: https://serasa.certificadodigital.com.br/test/ and strangely it didn't work on my Mac but it worked on my Windows, but I don't know if this limitation even exists.
– melanke
On Mac there are other security mechanisms; you need to allow the browser to access the OS certificate repository.
– LeonanCarvalho
Not every certificate has the CPF in the CN field (example - see section 7.1.4), although an eCPF always will. But anyway, the right place to get this information is in the Subject Alternative Names extension (see section 7.1.2.3 of the linked document).
– hkotsubo
https://answall.com/questions/171093/como-funciona-a-autentica%C3%A7%C3%a3o-com-certificado-digital/198803#198803
– LeonanCarvalho
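The backend check described in the answer, as an added example that is not part of the original answer or comments: it reads the certificate variables the web server exports and extracts the CPF/CNPJ from the `NAME:DIGITS` CN layout. It assumes Apache mod_ssl with `SSLOptions +StdEnvVars` (variables `SSL_CLIENT_VERIFY` and `SSL_CLIENT_S_DN_CN`); the function names and the sample values are hypothetical.

```php
<?php
// Added example, not code from the page. Assumes Apache mod_ssl exporting SSL_CLIENT_*.

/** Validate the two check digits of a CPF (11 digits) or CNPJ (14 digits). */
function validCpfCnpj(string $d): bool
{
    $len = strlen($d);
    if (!ctype_digit($d) || ($len !== 11 && $len !== 14)) return false;
    if (preg_match('/^(\d)\1+$/', $d)) return false; // reject 000..0, 111..1, etc.
    for ($pos = $len - 2; $pos < $len; $pos++) {
        $sum = 0;
        for ($i = 0; $i < $pos; $i++) {
            // CPF weights descend from pos+1 to 2; CNPJ weights cycle 2..9 from the right.
            $w = $len === 11 ? $pos + 1 - $i : (($pos - 1 - $i) % 8) + 2;
            $sum += (int) $d[$i] * $w;
        }
        $check = $sum % 11 < 2 ? 0 : 11 - $sum % 11;
        if ((int) $d[$pos] !== $check) return false;
    }
    return true;
}

/** Return the holder's CPF/CNPJ from the server-exported variables, or null. */
function holderIdFromClientCert(array $server): ?string
{
    // Only trust the subject if the web server fully validated the chain.
    // "NONE", "GENEROUS" and "FAILED:..." all mean the CN is unverified input.
    if (($server['SSL_CLIENT_VERIFY'] ?? 'NONE') !== 'SUCCESS') return null;

    $cn = $server['SSL_CLIENT_S_DN_CN'] ?? '';
    // CN layout described in the answer: holder name, ':', then the number.
    if (!preg_match('/:(\d{11}|\d{14})\z/', $cn, $m)) return null;

    return validCpfCnpj($m[1]) ? $m[1] : null;
}

// Constructed sample standing in for $_SERVER on a real request.
$sample = [
    'SSL_CLIENT_VERIFY'  => 'SUCCESS',
    'SSL_CLIENT_S_DN_CN' => 'FULANO DE TAL:52998224725',
];
var_dump(holderIdFromClientCert($sample));
// Same subject, but the chain was not validated: must be rejected.
var_dump(holderIdFromClientCert(['SSL_CLIENT_VERIFY' => 'GENEROUS'] + $sample));
```

The CN layout is issuer-specific, so this is only meaningful when the server's list of accepted client CAs is restricted to issuers known to use it. As the comment above points out, the Subject Alternative Names extension is the more reliable place to read the number from.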