How does authentication with digital certificate work?


12

I want to authenticate via digital certificate in a web application.

I have been able to read the data of my digital certificate that is connected to my machine.

The question is: "How to authenticate?".

I must take the public key and serialNumber, save in my production database and check if they are equal to local data?

I don’t know if I got it right, but there is an xml signing concept that I believe is: you save your certificate data in some AC and then check if the data is there.

Summarizing everything as is the correct cycle for authentication?

From now on, I thank you.

  • Are you using Spring Security?

  • Yes @Renatovieiradantas

  • See if this link helps: http://www.baeldung.com/x-509-authentication-in-spring-security

  • When you say certificate, do you mean e-CPF or e-CNPJ?

  • Should I take the public key and serialNumber, save them to my production database and check if they match the local data? No, the certificate is valid, so that is not enough. You need to provide a means for the user to update their certificate after it expires, or use an official personal identification certificate such as those of ICP-Brasil, in the case of e-CPF or e-CNPJ.

1 answer

8

Authentication with digital certificate works as follows:

The server, with a valid certificate, needs to request a valid certificate based on a pre-configured root certificate list on your web server. The client's certificate then needs to belong to this certification chain. This process is called the SSL/TLS handshake.

The TLS handshake happens (and is completed) before any HTTP requests are sent to your application, and the handshake involves multiple messages from client to server and vice versa.

Here is a more detailed description of the SSL/TLS handshake applied to a login situation.

Therefore, any SSL requests are sent only after the SSL/TLS layer is ready.

Should I take the public key and serialNumber, save them in my production database and check if they are equal to the local data?

No, the certificate serial is unique, but the certificate is valid, so that is not enough. You need to provide a means for the user to update their certificate after it expires, or use an official personal identification certificate such as those of ICP-Brasil, in the case of e-CPF or e-CNPJ. If your case is to use the e-CPF or e-CNPJ, you can link the user through the CPF or CNPJ, which can be extracted from the "DN_CN" of the certificate.

Some methods use an applet to create a web server on the user's machine that performs this handshake flow and transports the public certificate data in encrypted form to the application. This is how the Certisign Login API works. But we know that browsers are eliminating support for this technology, and we should avoid implementations of this type so as not to limit the browsers supported by our application.

The question is: "How to authenticate?".

You can implement it in a similar way: a subdomain configured to request the certificate, which serializes this information, encrypts it, and then communicates with the main application to authenticate the user.

This was the way I implemented it in my project; the goal is to allow login (or authorization of another action within the account) or to create the account.
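An added example, not code from the answerer or the linked projects, of the server-side step the answer describes: the client certificate presented during the handshake is verified against the server's pre-configured root list (which also rejects the expired certificates the answer warns about) before the identifier is read from the CN. It assumes a Go server, a test CA constructed inside the block, and a CN of the form NAME:ID; check the actual ICP-Brasil certificate profile before relying on that layout.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"strings"
	"time"
)

// mintCert issues a certificate signed by parent (self-signed when parent is nil).
// Constructed test material only; real client certificates come from the trusted CA.
func mintCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey, notAfter time.Time) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// IdentityFromClientCert is the server-side step after the TLS handshake (in net/http
// the leaf is r.TLS.PeerCertificates[0]): verify the chain against the pre-configured
// roots, which also rejects expired certificates, then read the identifier from the CN.
// The "NAME:ID" CN layout is an assumption about the certificate profile.
func IdentityFromClientCert(leaf *x509.Certificate, roots *x509.CertPool) (string, error) {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err // untrusted issuer, expired, or wrong key usage
	}
	if i := strings.LastIndex(leaf.Subject.CommonName, ":"); i >= 0 {
		return leaf.Subject.CommonName[i+1:], nil
	}
	return "", errors.New("CN carries no identifier")
}
```

Storing the serial or public key, as the question proposed, would skip exactly the chain and validity checks that Verify performs here.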
