I am currently working on deploying a website for staff to use remotely and would like to make sure it is secure.
I was thinking would it be possible to set up some kind of certificate authentication where I would generate a certificate and install it on their laptop so they could access the website?
I don't really want them to generate the certificates themselves though as that could easily go wrong.
How easy / possible is this and how do I go about doing it?
What you are looking to do is called two way ssl authentication
How to implement it is going to vary based on your web server.
tinyca2 is a nice graphical front-end to generate certificates. It is packaged for both Debian and Ubuntu Linux distributions. You will be able to generate the keys and certificates for the server and clients. They can be exported in a number of formats. I would recommend documentating proceedures for installing your ca-certificate as well as the client key and certificate. Setting or changing the password on the client key by your users should also be covered.
I second using mod-rewrite to force access to https://.
Wow, if you're using apache you can use mod_rewrite to force the use of SSL and in your httpd.conf you also need to use the 'SSLVerifyClient require' and 'SSLVerifyDepth 4' directives in your *:443 virtual host.
For the rewrite rule you can use something like this:
RewriteCond %{HTTPS} !^on$ [NC]
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L]
Hope this helps.
Security is a larger question than the authentication or authorization mechanisms in use.
Most security people leverage a few basic principles generally:
Then apply that to assets, in your case, a webserver, an operating system, and potentially a web application and underlying database - really the business though!
For the above technology infrastructure, I would ask if you have applied proper security hardening to each, e.g. DISA STIGs, NSA SRGs, CIS guidance, or vendor security practices. Afterwards, I'd look into the code of the web applications, and other things.
Getting to your specific question about certificates - what is a digital certificate? It is a public key, embedded into a digital certificate, with some fields in it, typically x509v3. A digital certificate is effectively an encryptor, that uses a decryptor (private key) in order to authenticate, sign, or perform some other type of transaction.
Certificates have no confidentiality generally, private keys have confidentiality and require protection. However, using private keys on an operating system may mean they are exposed and compromised. One piece of malware can be all it takes to get in. Consequently, higher security environments such as companies and governments commonly use a hardware device to store private keys and enable a more secure authentication process.
If you are not doing this for a more secure environment, software certificates may be good enough for you.
Depending on the operating system you are using, you may have a very simple path ahead using certificate based auto-enrollment schemes like SCEP or microsoft's certificate services.
Microsoft's implementation is easy to follow at http://msdn.microsoft.com/en-us/library/bb643324.aspx and you can find other competing solutions for easier auto-enrollment PKIs.
You can share a few of your needs with above links with your network administrators and ask them to start testing it out.
