Certificate Based user authentication


#1

I have a fully implemented TLS Let's Encrypt configuration and it all works fine.
Users log in to the secure website with their username and password.

I want to follow this guide to client-side certificates: https://gist.github.com/mtigas/952344
Rather than using a self-signed CA, I'd like to use my Let's Encrypt certificate to authenticate user certificates.

*I've never used client certificates before; I've used user keys from OpenSSL for SSH.

The aim of this is for users to log in using the user/pass and then be able to create a certificate to store, and no longer require password-based logon.

Any tips on how to do this?


#2

I believe it is stated somewhere in the FAQ that LE certs aren’t intended for user authentication.


#3

While certificates issued by Let's Encrypt have the id-kp-clientAuth extension typically required for client authentication, private CAs are usually the better approach here. Let's Encrypt issues Domain Validation certificates, so you're basically handing out certificates (and private keys) for whatever domain you decide to put in the certificate. That's not to mention that you'll run into rate limits quite quickly (5 per identical domain per week, 20 per registered domain per week). It's also not really necessary (in this case) to trust a third party never to mis-issue a certificate that you might end up accepting as a login mechanism, so a private CA is likely the safer option as well.
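To make the private-CA route from the answer above concrete, here is an added example (not part of the thread and not the linked gist's code) that builds a private CA with the openssl CLI, issues a user certificate restricted to clientAuth, and runs the same check a TLS server performs: the certificate must chain to that one private CA, so a certificate with an identical subject from any other issuer (Let's Encrypt or a rogue CA) is rejected. The CA name "site-users-ca", the user "alice", the rival CA "other-ca" and the nginx header name in the trailing comment are constructed for the demo; it assumes openssl 1.1.1 or newer on the PATH.

```shell
#!/bin/sh
# Added example: a minimal private CA for TLS client authentication, kept
# separate from the Let's Encrypt certificate that serves the site itself.
# Names ("site-users-ca", "alice", "other-ca") are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA. With the stock openssl.cnf (1.1.1) or the 3.x defaults,
# "req -x509" marks the certificate basicConstraints=CA:TRUE so it can issue.
make_ca() {            # $1 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a user certificate from a CSR. Here the key is generated next to the
# CSR for simplicity; in production the user generates the key and sends only
# the CSR, so the server never holds the private key.
issue_client_cert() {  # $1 = CA name, $2 = file base name, $3 = CN (default $2)
  cn="${3:-$2}"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  # Restrict the leaf: it is a login credential, not a server cert, not a CA.
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
                'keyUsage=critical,digitalSignature' \
                'extendedKeyUsage=clientAuth' > "$WORK/client.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/client.ext" -out "$WORK/$2.crt" 2>/dev/null
}

# The check the TLS server performs: chains to OUR CA and is fit for client
# auth (-purpose sslclient enforces the EKU/keyUsage above).
# Returns 0 when the certificate would be accepted, non-zero otherwise.
verify_client_cert() { # $1 = CA name, $2 = file base name
  openssl verify -CAfile "$WORK/$1.crt" -purpose sslclient \
    "$WORK/$2.crt" >/dev/null 2>&1
}

# The subject the application maps to a user account once the TLS layer has
# accepted the certificate (nginx exposes it as $ssl_client_s_dn).
client_subject() {     # $1 = file base name
  openssl x509 -in "$WORK/$1.crt" -noout -subject
}

# Demo: a certificate from our CA is accepted; one with the same CN and the
# same extensions from any other CA is not, because only our CA is trusted.
make_ca site-users-ca
issue_client_cert site-users-ca alice
make_ca other-ca
issue_client_cert other-ca impostor alice

if verify_client_cert site-users-ca alice; then
  echo "alice: accepted ($(client_subject alice))"
fi
if ! verify_client_cert site-users-ca impostor; then
  echo "impostor with CN=alice from other-ca: rejected"
fi

# Server side (nginx, the approach the gist takes), as a sketch only:
#   ssl_client_certificate /etc/nginx/site-users-ca.crt;  # the private CA, nothing else
#   ssl_verify_client on;
#   proxy_set_header X-Client-DN $ssl_client_s_dn;        # header name is an assumption
```

The point the demo makes is the one from the answer: the server's trust store holds exactly one issuer, your own, so nobody else can mint a certificate it accepts, and the clientAuth-only extensions stop a user certificate from doubling as a server or CA certificate if its key leaks.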


#4

Thank you both for your answers; I'll look further into using a private CA.


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.