Client Side Certificates

Hi,

I am not sure if this is the right place for this… but here goes anyway.

I am developing a web site for which I need to use Client Side Authentication by way of certificates to validate registered users of the site. I was just wondering if anyone is doing this, and if so how have they deployed the certificates to the clients? I was thinking of secure e-mail for the certificate, and then sending the password to the certificate via secure text message. If I implement that approach I will have to generate the certificates on the fly as it were -> PHP calls shell script containing openssl commands. I think there are probably security implications to that approach, as you are blindly signing certificates. I can’t think of any other way to do it. If I was to generate the certs “offline” as it were, I think that might render the whole thing unusable, and I would have to be available 24/7 to generate the certificates.

Any ideas greatly appreciated.

/jlar
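An added example, not code from this thread or any of its posters, in the shape the post describes: a shell script that PHP would call with a username and a one-time PKCS#12 password. It assumes a dedicated issuing CA used for nothing else (`ca.key`/`ca.crt`), and constructs a throwaway one so it runs offline; the `WORK` directory, config file names and the `alice` user are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): an issuing script of the kind jlar
# describes, run by PHP with a username and a one-time PKCS#12 password.
# Assumes a dedicated issuing CA (ca.key / ca.crt) used for nothing else.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the example does not depend on a system openssl.cnf.
printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca_ext' '[dn]' \
  '[ca_ext]' 'basicConstraints = critical,CA:TRUE' \
  'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' > "$WORK/req.cnf"

# Constructed test CA so the example runs offline. A real issuing CA key would
# be encrypted or held in an HSM rather than written out unprotected (-nodes).
make_test_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Client CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_client_cert USER PASSWORD: prints the path of the password-protected .p12
issue_client_cert() {
  user="$1"; p12pass="$2"
  # Extensions are fixed by the issuer and never copied from the CSR, so
  # whatever a caller submits, the result is a short-lived client-auth leaf
  # and nothing else. That is what makes signing on the fly safe to automate.
  printf '%s\n' 'basicConstraints = CA:FALSE' 'keyUsage = critical,digitalSignature' \
    'extendedKeyUsage = clientAuth' > "$WORK/client.ext"
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=$user" \
    -keyout "$WORK/$user.key" -out "$WORK/$user.csr" 2>/dev/null
  openssl x509 -req -days 90 -in "$WORK/$user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/client.ext" -out "$WORK/$user.crt" 2>/dev/null
  openssl pkcs12 -export -name "$user" -inkey "$WORK/$user.key" -in "$WORK/$user.crt" \
    -certfile "$WORK/ca.crt" -passout "pass:$p12pass" -out "$WORK/$user.p12"
  rm -f "$WORK/$user.key" "$WORK/$user.csr"   # only the encrypted bundle is kept
  echo "$WORK/$user.p12"
}

# verify_bundle P12 PASSWORD: succeeds only if the password opens the bundle and
# the certificate inside chains to the CA and is valid for TLS client auth.
verify_bundle() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
    | openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient >/dev/null 2>&1
}
```

The .p12 is what would go out by e-mail and the password by a separate channel; the web server then trusts only `ca.crt` for client auth, so a certificate from any other issuer is rejected at the TLS handshake.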

I have never done it myself but I’ve seen it once deployed by one ISP. IIRC you gave them your password and they generated a PKCS12 token on-the-fly for you which you were supposed to store on your machine to streamline logins to access account info. They stopped doing this after a while and went back to password authentication. Maybe users kept misplacing those tokens.

I know one bank that uses a Security Token. This is a physical device and less likely to be lost as they charge you money for one.