Digital certificate authentication

04-12-2012, 12:41 PM
Hi all,

I've read a lot of documentation but I can't find the concrete way to resolve my question; surely it's because there are some concepts I'm not clear on, so I need someone who could put me on the right track.

I need to develop a PHP application that provides authentication, but not in the usual way (username + password). It should ask for a digital certificate that the user must have installed in his browser. The particular thing is that the certificate must be valid for an existing Certificate Authority (CA), that is, I don't want to create my own self-signed root certificate and then give the user a certificate valid for my root certificate; the user already has his own digital certificate (standard for a well-known CA in Spain: the FNMT) and that certificate will be the right one to authenticate in my PHP application.

So, the process will start when the user connects to my application; the browser will ask him for a digital certificate (from the several installed in the browser), he will accept and send his certificate to my application, which will check whether the user certificate is valid for the mentioned CA, and then allow the access.

I'm not sure if I've explained myself well, but I've searched documentation and made some tests, and I'm not clear about it:
- Must I install the CA root certificate in my Apache, or is it enough to validate the user certificate with the .pem file (from the CA) using openssl?
- Must I create a virtual server for my application so the connection is made through https://, or can my application ask the user for his certificate without needing https://?

The experts will see that I'm not clear on some key concepts, but in short all I need is that my application asks the user for his certificate, and then checks that the certificate is correct for the CA.

Thanks, and I hope somebody can help me!

04-12-2012, 05:27 PM
Best I know, you have to be in SSL mode to gather certs from the client. PHP should have a number of SSL options available under the $_SERVER superglobal. Check under SSL_CLIENT_CERT to see if that's where it is.
I'm not sure how it gets there though. I've never written a PHP app that requires the use of a CA.
You'll need to figure out the CA, and then issue an OCSP lookup, but I don't think PHP has this functionality built in. That means you'll either need to execute openssl directly with an exec() style function (the easy way), or connect manually through sockets and communicate (doesn't sound fun). OpenSSL library should let you at least parse the cert to get the info you need though.
Not sure how you have to configure apache to accept it though.

04-19-2012, 09:07 AM
Thanks Fou-Lu, I was already working on the command-line openssl call from PHP with exec(), and I got the server side working right.
There is a PHP library that can be used as well (http://php.net/manual/en/ref.openssl.php), but I'm not an expert and I've read about people having troubles with it.
I've found more problems on the client side (the browser asking for the certificate, because each browser works its own way), trying to get the user certificate. Once I get it, it's easy to deal with it on the server with PHP.
I'll continue working on it, thanks very much for your help.
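To illustrate the server-side half discussed in this thread (Apache passing the client certificate to PHP via $_SERVER, and PHP checking it against the CA), here is an added example; it is not code from any poster. It assumes an Apache vhost with mod_ssl configured with SSLVerifyClient require, SSLCACertificateFile pointing at the CA bundle, and SSLOptions +ExportCertData (needed for SSL_CLIENT_CERT to be set); the bundle path /etc/ssl/certs/fnmt-ca.pem is a placeholder.

```php
<?php
// Added example (not from the thread). Assumes Apache mod_ssl with:
//   SSLVerifyClient require
//   SSLCACertificateFile /etc/ssl/certs/fnmt-ca.pem   (placeholder path)
//   SSLOptions +ExportCertData                          (populates SSL_CLIENT_CERT)
// Revocation (OCSP/CRL) is not checked here; enable it in Apache (SSLOCSPEnable on)
// or run a separate OCSP check, as the thread suggests.

function authenticateClientCert(array $server, string $caBundle): ?array
{
    // Apache verified the chain during the TLS handshake. Accept only the
    // unambiguous SUCCESS value; NONE, GENEROUS and FAILED:<reason> are rejected.
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        return null;
    }
    $pem = $server['SSL_CLIENT_CERT'] ?? '';
    if ($pem === '') {
        return null;
    }
    $cert = openssl_x509_read($pem);
    if ($cert === false) {
        return null;
    }
    // Independent chain check in PHP against the CA bundle, so a misconfigured
    // vhost (e.g. SSLVerifyClient optional_no_ca) cannot let an untrusted cert through.
    if (openssl_x509_checkpurpose($cert, X509_PURPOSE_SSL_CLIENT, [$caBundle]) !== true) {
        return null;
    }
    $info = openssl_x509_parse($cert);
    if ($info === false) {
        return null;
    }
    // Explicit validity-window check against the server clock.
    $now = time();
    if ($now < $info['validFrom_time_t'] || $now > $info['validTo_time_t']) {
        return null;
    }
    return [
        'subject'            => $info['subject'],
        'issuer'             => $info['issuer'],
        'serial'             => $info['serialNumberHex'] ?? $info['serialNumber'],
        'fingerprint_sha256' => openssl_x509_fingerprint($cert, 'sha256'),
    ];
}

$identity = authenticateClientCert($_SERVER, '/etc/ssl/certs/fnmt-ca.pem');
if ($identity === null) {
    http_response_code(403);
    exit('A client certificate issued by the configured CA is required.');
}
// Key the user account on issuer + serial (or the fingerprint), not on the CN alone.
```

Without https:// (and therefore a TLS handshake) the browser never sends a certificate, so the second question in the thread is answered by this dependency: the vhost must be SSL-enabled and must request the client certificate itself.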