[slightly OT] PHP/SSL - client certs how to distribute ?

  • Richard Shea

    [slightly OT] PHP/SSL - client certs how to distribute ?

    Hi - Hoped someone who's done this could provide some pointers. I'm
    interested in developing a script which would make use of
    openssl_x509_read to read a certificate presented in the HTTP headers
    when accessing an SSL page.

    But here's the question ... what are ways of distributing certificates
    to the clients ?

    Imagine I have 3 customers in total but when foo.php is requested I
    only want 2 of them to see a full response. I could go around to their
    offices and install the client certificate and everything would be
    fine - but what happens when there are 200 or 2000 certificates to
    install ? Bearing in mind I need to be sure that only the right people
    are getting a certificate.

    I'm sure it's not a new question but can anybody point me in the right
    direction please ?

    thanks

    richard shea.
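
The check described in the question for foo.php, as an added example that is not part of the original thread. It assumes Apache mod_ssl with `SSLVerifyClient require` and `SSLOptions +ExportCertData`, so the certificate arrives in `SSL_CLIENT_CERT`; the helper names and the customer certificates are constructed for illustration.

```php
<?php
// Added example. Assumes Apache mod_ssl with "SSLVerifyClient require" and
// "SSLOptions +ExportCertData", which set SSL_CLIENT_VERIFY and SSL_CLIENT_CERT.
// Hypothetical helper: returns the SHA-256 fingerprint when the presented
// certificate is on the allow-list, or null when only a limited response is due.
function authorised_fingerprint(array $server, array $allowed): ?string
{
    // The web server must already have verified the chain against our CA.
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        return null;
    }
    $pem = $server['SSL_CLIENT_CERT'] ?? '';
    $cert = $pem === '' ? false : openssl_x509_read($pem);
    if ($cert === false) {
        return null;
    }
    $fp = openssl_x509_fingerprint($cert, 'sha256');
    foreach ($allowed as $known) {
        if (is_string($fp) && hash_equals($known, $fp)) {
            return $fp;
        }
    }
    return null;
}

// Constructed sample input: a throwaway self-signed certificate per customer.
function make_sample_cert(string $cn): string
{
    $key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
    $csr = openssl_csr_new(['commonName' => $cn], $key, ['digest_alg' => 'sha256']);
    $x509 = openssl_csr_sign($csr, null, $key, 30, ['digest_alg' => 'sha256']);
    openssl_x509_export($x509, $pem);
    return $pem;
}

$pems = array_map('make_sample_cert', ['customer-a', 'customer-b', 'customer-c']);
// Only the first two customers are entitled to the full response.
$allowed = [
    openssl_x509_fingerprint($pems[0], 'sha256'),
    openssl_x509_fingerprint($pems[1], 'sha256'),
];
foreach ($pems as $pem) {
    $server = ['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_CERT' => $pem];
    $cn = openssl_x509_parse($pem)['subject']['CN'];
    echo $cn, ': ', authorised_fingerprint($server, $allowed) !== null ? 'full' : 'limited', " response\n";
}
// A certificate the server did not verify is refused even if it is on the list.
$unverified = ['SSL_CLIENT_VERIFY' => 'NONE', 'SSL_CLIENT_CERT' => $pems[0]];
echo 'unverified: ', authorised_fingerprint($unverified, $allowed) !== null ? 'full' : 'limited', " response\n";
```

Pinning fingerprints means the allow-list must be updated whenever a customer's certificate is reissued; matching on subject fields of certificates issued by your own CA is the usual alternative.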
  • Kevin Thorpe

    #2
    Re: [slightly OT] PHP/SSL - client certs how to distribute ?

    Richard Shea wrote:
    > Hi - Hoped someone who's done this could provide some pointers. I'm
    > interested in developing a script which would make use of
    > openssl_x509_read to read a certificate presented in the HTTP headers
    > when accessing an SSL page.
    >
    > But here's the question ... what are ways of distributing certificates
    > to the clients ?
    >
    > Imagine I have 3 customers in total but when foo.php is requested I
    > only want 2 of them to see a full response. I could go around to their
    > offices and install the client certificate and everything would be
    > fine - but what happens when there are 200 or 2000 certificates to
    > install ? Bearing in mind I need to be sure that only the right people
    > are getting a certificate.
    >
    > I'm sure it's not a new question but can anybody point me in the right
    > direction please ?

    We've been there with mixed results. Admittedly we tried PKI certs 4
    years ago and no one understood them. We even had IT departments telling
    us that they couldn't install them as they were a security risk!

    Our final version was entirely web based using a set of CA authority
    scripts. We solicited the initial certificate contents, an e-mail
    address and a password using a web based form. We then validated those
    here, generated the certificate and e-mailed a confirmation for the
    originator to collect their certificate. You can automatically add a
    certificate from a webpage.

    I suggest you look at www.thawte.com and see how they do it.

    We also experimented with business card CDs with generated certificates.
    That seems to work well as people understand that it's a 'key' to the
    website and to keep it safe, often in their wallet.


    • Richard Shea

      #3
      Re: [slightly OT] PHP/SSL - client certs how to distribute ?

      Hi Kevin - thanks for your reply, sorry for slow response I have got a
      cold and so things have slowed down.

      Found your reply very interesting and useful - particularly thought the
      'business card' CDs an interesting idea - only dimly aware such a
      thing existed I will check them out. Also your other approaches looked
      good so thanks again for all the info.

      regards

      richard shea.
