Authentication with digital certificate works as follows:
The server, with a valid certificate, needs to request a valid certificate based on a pre-configured root certificate list on your web server. The client's certificate then needs to belong to this certification chain. This process is called the SSL/TLS handshake.
The TLS handshake happens (and is completed) before any HTTP request is sent to your application, and the handshake involves multiple messages between client and server and vice versa.
Here is a more detailed description of Handshake SSL/TLS applied to a login situation.
Therefore, any SSL requests are sent only after the SSL/TLS layer is ready.
Should I take the public key and serialNumber, save in my production database and check if they are equal to the local data?
No, the certificate serial is unique, but the certificate is valid, so it is not enough. You need to provide a means for the user to update his certificate after it expires, or use an official personal identification certificate such as those of ICP-Brasil, in the case of e-CPF or e-CNPJ. If your case is to use e-CPF or e-CNPJ, you can link the user through the CPF or CNPJ, which can be extracted from the "DN_CN" of the certificate.
Some methods use an applet to create a web server on the user's machine to perform this handshake flow, and transport the public certificate data in encrypted form to the application.
This is how the Certisign Login API works. But we know that browsers are eliminating support for this technology, and we should avoid implementations of this type so as not to limit the browsers supported by our application.
The question is: "How to authenticate?".
You can implement it in a similar way: a subdomain configured to request the certificate, serialize this information, encrypt it, and then communicate with the main application to authenticate the user.
This was the way I implemented it in my project; the goal is to allow login (or authorization of another action within the account) or to create the account.
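As an added example (not code from the answer above or from any project it mentions), the step where the main application links the user through the CPF or CNPJ taken from the certificate's CN. It assumes the TLS layer has already verified the client certificate against the configured root list, and that the subdomain forwards the subject DN in RFC 2253 form (as nginx's $ssl_client_s_dn does); the ICP-Brasil "NAME:DOCUMENT" CN layout is an assumption, and the DNs, names and document numbers below are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Constructed sample subject DNs, in the form a reverse proxy would forward
# after the handshake has already validated the certificate chain.
SAMPLE_ECPF_DN = "CN=JOSE DA SILVA:11144477735,OU=Certificado PF A1,O=ICP-Brasil,C=BR"
SAMPLE_ECNPJ_DN = "CN=EMPRESA EXEMPLO LTDA:11222333000181,OU=Certificado PJ A1,O=ICP-Brasil,C=BR"

CNPJ_W1 = [5, 4, 3, 2, 9, 8, 7, 6, 5, 4, 3, 2]
CNPJ_W2 = [6] + CNPJ_W1


def _mod11_digit(digits: str, weights) -> int:
    """Mod-11 check digit shared by the CPF and CNPJ schemes."""
    rest = sum(int(d) * w for d, w in zip(digits, weights)) % 11
    return 0 if rest < 2 else 11 - rest


def is_valid_cpf(cpf: str) -> bool:
    """11 digits, not all equal, with both check digits correct."""
    if not re.fullmatch(r"\d{11}", cpf) or len(set(cpf)) == 1:
        return False
    d1 = _mod11_digit(cpf[:9], range(10, 1, -1))
    d2 = _mod11_digit(cpf[:10], range(11, 1, -1))
    return cpf[9:] == f"{d1}{d2}"


def is_valid_cnpj(cnpj: str) -> bool:
    """14 digits, not all equal, with both check digits correct."""
    if not re.fullmatch(r"\d{14}", cnpj) or len(set(cnpj)) == 1:
        return False
    d1 = _mod11_digit(cnpj[:12], CNPJ_W1)
    d2 = _mod11_digit(cnpj[:13], CNPJ_W2)
    return cnpj[12:] == f"{d1}{d2}"


def extract_cn(dn: str) -> Optional[str]:
    """Return the CN value of an RFC 2253 DN; commas escaped as '\\,' stay inside a value."""
    for rdn in re.split(r"(?<!\\),", dn):
        key, _, value = rdn.strip().partition("=")
        if key.upper() == "CN":
            return value
    return None


def document_from_dn(dn: str) -> Optional[Tuple[str, str]]:
    """Map a subject DN to ('CPF', n) or ('CNPJ', n); None if the CN carries no well-formed number."""
    cn = extract_cn(dn)
    if cn is None or ":" not in cn:
        return None
    number = cn.rsplit(":", 1)[1].strip()  # assumed "NAME:DOCUMENT" CN layout
    if is_valid_cpf(number):
        return ("CPF", number)
    if is_valid_cnpj(number):
        return ("CNPJ", number)
    return None
```

The returned CPF/CNPJ is the stable key to look up or create the account; a certificate renewal changes the serial but not this value, which is why the answer prefers it over the serial.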
Are you using Spring Security?
– Renato Vieira Dantas
Yes @Renatovieiradantas
– Jose Vieira Neto
See if this link helps: http://www.baeldung.com/x-509-authentication-in-spring-security
– Murillo Goulart
When you say certificate, you mean e-CPF or e-CNPJ?
– LeonanCarvalho
Should I take the public key and serialNumber, save it to my production database and check if it matches the local data? No, the certificate is valid, so it is not enough. You need to provide a means for the user to update his certificate after it expires, or use an official personal identification certificate such as those of ICP-Brasil, in the case of e-CPF or e-CNPJ.
– LeonanCarvalho