Authentication based on digital certificates

spanish · October 16, 2020, 6:02pm

Hello,

I would like to enable authentication based on digital certificates in Plone. Is this currently possible? What documentation should I study?

Thank you for your help and best regards,

Manuel

h2o · October 17, 2020, 2:06pm

We configure it through the web server.

In NGINX, a basic configuration will just need one additional line:

ssl_client_certificate /etc/ssl/server/example_ca.crt;

The above certificate (and corresponding private key) is used to sign client certificates. The signed client certificates are added to users' browser. Only clients with signed certificates will be able to access. It is more complicated if you want to limit access depending on values on client certificates (i.e: based on common name).

You can use openssl to generate certificates, certificate signing requests, and keys. The process is not much different for generating server certificates.

If you are familiar with PFSense (firewall), it has a feature to generate certificates from its web user interface.

spanish · October 17, 2020, 3:30pm

Thanks, h2o,

This is very interesting (I'll try it).

In my case I am trying to find out how to use certificates issued by third parties for authentication on Plone.

More precisely, how to validate from Plone a third party certificate via OCSP:

Only visitors with OCSP-validated third-party certificates can log in to Plone.
And, if possible, that such validation would log them into their associated user account.

Do you think your solution would also work with third party certificates?

And how would the OCSP validation be done?

In my case, I would like it to work with certificates of individuals from the FNMT of Spain, whose OCPS validation address is http://ocspusu.cert.fnmt.es/ocspusu/OcspResponder

Thank you for responding!

Hugs,

Manuel