Edit on GitHub

Certificate authentication

It is possible to authenticate users based on their X.509 public key certificates. This process is roughly outlined below:

  1. Generate a cryptographic nonce
  2. Ask the user to perform a signature algorithm computation on the nonce using his private key
  3. Verify the nonce signature with the user certificate's public key
  4. Validate the user's certificate
  5. If everything checks out, the application can trust that the user is indeed the subject of the certificate. Then, based on a key information on the certificate (e.g.: email address or ID number), locate the user on the database and complete the sign-in process
Note

This is merely an overview. There are extra steps involved, such as validating that the nonce has never been used before in order to prevent replay attacks.

To implement this process, you need to perform operations on both the front- and backend:

The signature algorithm computation over the nonce must necessarily be done on the frontend because the user certificate's private key might be on a cryptographic device that never allows exporting it. Moreover, even if the private key is software-based, it is a bad practice to ask the user for it.

The generation of the nonce and all validations must be done on the backend, for obvious security reasons.

The recommended way of implementing certificate authentication is using Rest PKI together with Web PKI.

  1. Access the Rest PKI documentation
  2. Choose a programming language
  3. Choose one of the samples projects for your programming language
  4. Follow the steps to run the samples project
  5. Once you get the project running, click on Authentication with digital certificate
Tip

Although the solution involves both Rest PKI and Web PKI (for the back- and frontend respectively), you should focus on the Rest PKI documentation, which shows the usage of both products integrated.

Alternative implementations

If your application is a .NET application (C#, VB.NET, C++.NET), you can also use the PKI SDK on the backend with Web PKI on the frontend. See article Certificate authentication.

If you already own a 3rd party crypto SDK or if you wish to implement the backend code yourself, you can also use Web PKI just for the frontend part.