Certificates Auto Loading into browser


#1

Hello guys,
I would like to know if someone could give me some documents or help with PHP code that could automatically load a certificate into the browser, as Let’s Encrypt does?
I didn’t find any info about this on Google.

Thanks,

ZeR0


#2

Hi,

I’m sorry… but can you kindly explain what you mean by

Thank you


#3

Hi! Welcome to the forum. It sounds like you are looking for a Let’s Encrypt “client.” Try searching within the page at https://letsencrypt.org/docs/client-options/ for “PHP.”


#4

Well, I have a server that creates certificates using openssl, and I want the server to be able to automatically install this certificate in the client’s browser.

Sound good to you? Let me know.


#5

OK, thank you jsha, I will try to find it, but I create certificates on my own with openssl. I just want to be able to load it directly in my browser using PHP without any interaction with my browser, except maybe just a pop-up box to ask me if I want to install the certificate.


#6

Except that it involves TLS certificates, it’s not remotely similar to anything Let’s Encrypt does.


#7

Do you mean to make the client trust the certificate without having it issued by an existing certificate authority? That would be contrary to the browsers’ existing security model.

The point of certificate authorities is that they can check and confirm whether a particular service is really operated by a particular domain owner. The browsers check that certificate authorities that they trust have appropriate policies and audits, and they also investigate incidents where certificate authorities appear to have behaved improperly. They don’t accept certificates that have been issued outside of this framework.


#8

If you’re only interested in making your browser trust the certificate, and you don’t need anybody else to trust it, you may be interested in https://letsencrypt.org/docs/certificates-for-localhost/.


#9

Mmmm, I think there is a misunderstanding on both sides, or maybe just me probably. I just want to have a form where I can enter a serial; my PHP will check my database to fetch the certificate previously uploaded and load it in the browser, I mean without the need to click on Options > Advanced > Certificates…
Is this understandable? Or do I need to rephrase it?

Regards
ZeR0


#10

Hi,

I understand this.

However,

Please define “load it to browser”

If you mean the database checks the serial and proves it’s valid, then it presents the raw certificate (xxx.pem or whatever, a text file) to you, then that’s possible.

If you mean the database checks the serial, pulls the certificate, and then your domain uses that certificate to load, that’s a hard issue. (Like cPanel installing a certificate in hosts/domains.)

The issue exists in these aspects:

  1. You can’t load a certificate to the browser without rebooting/restarting your hosting software.
  2. Not all PHP files can execute those command-line tools and grant root access.
  3. Your certificate might not be trusted.

Please explain more on this issue…

Thank you


#11

First, thank you for your answer.
Then, for example, on Firefox, which I use, if you want to load (or import, if you prefer this term) a certificate into your browser, you have to open Preferences, then go to Advanced, then select the Certificates submenu, and after this you can click on Import.

I want my PHP script to do it automatically.

Thanks,
ZeR0


#12

I don’t believe this is possible, or that it should be possible–if it were, certificate validation would be meaningless, as the page could simply load its cert into the trusted root store in the client’s browser. But possible or not, what you’re wanting to do isn’t related in any way to anything Let’s Encrypt does.


#13

I know this is possible because the CNRS site, for example, does this.
And I wanted to ask it here because, if I’m not wrong, Let’s Encrypt has a similar function.
Jsha told me to ask it here.


#14

Do you have a link to a URL on that site that does the kind of thing that you want?


#15

https://igc.services.cnrs.fr/load_certificate/?CA=CNRS2-Standard&lang=fr
here it is


#16

Hi @DiabetGuy,

Thanks for the example—that makes things a lot clearer. This feature appears to refer to a TLS client certificate. This is a different kind of certificate than Let’s Encrypt issues. It’s used to authenticate a user to a site, rather than to authenticate a site to a user.

You can indeed potentially do this in PHP, but the means of doing it isn’t necessarily familiar to anyone here because it’s a different area of technology than we deal with. Therefore, I would suggest asking on another forum, such as a general web development or PHP-related forum. If you mention that you want to create TLS client certificate support, hopefully someone can offer you useful advice.

There are two parts that you have to deal with: how to create the certificates, and how to make the web server accept the certificates for authentication purposes. Both of these are technical questions that should be solvable but that, again, are probably outside of the expertise of the participants in this forum. And this isn’t a service that Let’s Encrypt offers.
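
The two parts named in the post above (creating the client certificate, then having the web server accept it), as an added example that is not from the thread or any of its participants. It assumes PHP 7.3+ with the OpenSSL extension; the CA, user name, passphrase and the helper names `issueClientCert` and `authenticatedUser` are constructed for illustration, and the server-side half assumes Apache mod_ssl.

```php
<?php
// Minimal OpenSSL config so the result does not depend on the system openssl.cnf.
$cnf = tempnam(sys_get_temp_dir(), 'cnf');
file_put_contents($cnf, <<<'CNF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
CNF);
$base = ['config' => $cnf, 'digest_alg' => 'sha256',
         'private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048];

// Throwaway CA built inline for the demo (constructed; a real CA key is kept offline).
$caKey  = openssl_pkey_new($base);
$caCsr  = openssl_csr_new(['commonName' => 'Example Client CA'], $caKey, $base);
$caCert = openssl_csr_sign($caCsr, null, $caKey, 3650, $base + ['x509_extensions' => 'ca_ext']);

// Per-user key and certificate; the clientAuth EKU limits it to authenticating a user.
function issueClientCert(string $user, $caCert, $caKey, array $base, string $pass): string
{
    $key  = openssl_pkey_new($base);
    $csr  = openssl_csr_new(['commonName' => $user], $key, $base);
    $cert = openssl_csr_sign($csr, $caCert, $caKey, 365,
        $base + ['x509_extensions' => 'client_ext'], random_int(1, PHP_INT_MAX));
    // PKCS#12 bundles the key and certificate; the browser's import dialog reads it.
    openssl_pkcs12_export($cert, $p12, $key, $pass);
    return $p12;
}

$p12 = issueClientCert('alice@example.test', $caCert, $caKey, $base, 'constructed-passphrase');
openssl_pkcs12_read($p12, $bundle, 'constructed-passphrase');
$info = openssl_x509_parse($bundle['cert']);
echo $info['subject']['CN'], ' | ', $info['extensions']['extendedKeyUsage'], PHP_EOL;
unlink($cnf);

// Server side, behind Apache mod_ssl with "SSLVerifyClient require" and
// "SSLOptions +StdEnvVars", PHP only has to read the verification result:
function authenticatedUser(array $server): ?string
{
    return ($server['SSL_CLIENT_VERIFY'] ?? '') === 'SUCCESS'
        ? ($server['SSL_CLIENT_S_DN_CN'] ?? null) : null;
}
```

The web server must be configured to trust only the private CA certificate for client verification, so that installing the issued certificate gives the user a credential without changing which sites the browser trusts.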


#17

I did a Google search for “tls client certificate php” and I found, for example,

https://cweiske.de/tagebuch/ssl-client-certificates.htm

which seems to have some relevant advice. Also

https://veewee.github.io/blog/authenticating-with-x509-client-certificates/

Hopefully these can point you in the right direction.

(Other terms that you might encounter to refer to the same technology are “TLS client authentication” and “X.509 client certificates”.)


#18

Thank you for your answer, it helps me a lot! I will read all these things. Thank you again, and sorry I wasn’t more efficient in describing what I wanted.


#19

I’m glad this will help you make progress. The reason that people here were confused is that loading a client certificate into a browser is not a big deal (it just gives the client a new ability for authentication), while loading a server certificate into a browser is a very big deal (it makes the client trust new entities, which can enable new kinds of attacks). This is kind of like how the ability to deposit into a bank account is often relatively uncontrolled, but the ability to withdraw from the account should be carefully restricted.

This analogy is pretty imperfect, but it reflects the idea that making a deposit to an account (like installing a client certificate in the browser) is giving something to the account holder, while withdrawing from the account (like installing a server certificate in the browser) is asking the account holder to surrender something or give something up.

Or another analogy could be that the passport authorities of a government won’t care if you want to issue a private company ID (which you decide how to authenticate and validate for yourself), but they will care if you want to issue passports, or if you want to request them to accept your company ID for official government purposes.

People were also confused about your question because Let’s Encrypt only issues server certificates, not client certificates, so we don’t usually think about client certificates very much. To continue my second analogy, it’s kind of like if you had decided to issue a private company ID card, and you then went to the passport office and said “Hello, can you tell me how I can issue identity documents?” — the passport office workers would probably say “But you can’t issue identity documents yourself, only we can issue them!”, even though in the larger sense this depends entirely on what kind of identity documents you’re referring to.

And indeed, there are certain kinds of identity documents that you definitely can issue, even though the passport office staff normally aren’t used to thinking about those documents. 🙂

Good luck with your project!


#20

Yes, I understand the reasons, thank you for your writing.
And also thank you again for the help 🙂