
Given an SSL-protected site that was formerly whitelisted (Allow from x.x.x.x etc.), and a requirement from a customer to change the way authentication works, to use X.509 HTTPS client verification.

The problem with this is that none of "the usual suspects" of SSL CAs have the ability to generate X.509 certificates without buying into the CA's Managed PKI service.

I've only ever done this for internal clients, so it's easy enough to generate a self-signed CA and drop the CA's public certificate into the clients' keychains. For external customers, it's a bit less easy to do, and to convince them to do it.

So it seems that the options are: go down the route of a managed PKI service. Apparently this is prohibitively expensive and would mean replacing the internal CA stuff too?

OR

Get a CA to sign their root certificate.

Is that right? Has anyone done something similar before? Does anyone know a ballpark estimate for what a Trusted Root might cost?

This is not a shopping question.

Tom O'Connor
  • Why not just use a CA's regular client signing service? Why do you need these certificates to be trusted by anyone but you? – David Schwartz Mar 26 '13 at 12:00
  • Wasn't able to find one that didn't require their full PKI solution. – Tom O'Connor Mar 26 '13 at 12:01
  • Here's [one](http://www.tbs-x509.com/certificats_clients_tbs.html.en). But you don't need your certificates to be trusted by anyone but you anyway, so [you don't need a CA to sign anything](http://serverfault.com/a/382782/91987). – David Schwartz Mar 26 '13 at 12:07
  • Doesn't the customer still need to trust the CA that generated the client certificate? – Tom O'Connor Mar 26 '13 at 12:14
  • Trust it to do or prove what? The server is trusting the client certificate to identify the client. The client isn't trusting it to do anything. – David Schwartz Mar 26 '13 at 12:15
  • The server certificate (for apache) would have to be self-signed too, no? – Tom O'Connor Mar 26 '13 at 12:17
  • It doesn't have to be. I would think you would prefer the server certificate to be signed by a CA so that clients can accept it without having to manually add or approve a certificate. – David Schwartz Mar 26 '13 at 12:24

1 Answer


If the customer is willing to install client certificates in their users' web browsers to access your site anyway, then using a self-signed CA really isn't that much of an issue, since you can just throw in that certificate as well while you're at it.

Michael Hampton
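The setup the answer and the comments describe, as an added example that is not part of the original question or answer: a private CA created with openssl, one client certificate issued from it and bundled as PKCS#12 for import into a browser keychain, and the same chain check the server performs, run against a certificate from a foreign CA as well. The organisation name, the user names, the `changeit` export password and the working-directory layout are assumptions for the example; the server certificate is deliberately left out because, as the comments note, it can come from any public CA independently of the client CA.

```bash
#!/bin/sh
# Added example (not from the original post): private client CA with openssl.
# Example Ltd, the user names, the export password and the directory layout
# are assumptions for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_ca DIR NAME: self-signed CA key and certificate. Only the server needs
# to trust ca.crt (SSLCACertificateFile); the customer never has to install it
# for the server to verify their client certificates.
make_ca() {
    dir="$1"; name="$2"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/O=Example Ltd/CN=$name" >/dev/null 2>&1
}

# make_client CADIR DIR CN: key and CSR for one user, signed by the CA with
# explicit leaf extensions (not a CA, client-auth only), then bundled as a
# PKCS#12 file that a browser or OS keychain can import.
make_client() {
    cadir="$1"; dir="$2"; cn="$3"
    mkdir -p "$dir"
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/client.key" -out "$dir/client.csr" \
        -subj "/O=Example Ltd/CN=$cn" >/dev/null 2>&1
    # constructed extension file: marks the certificate as a non-CA end entity
    # usable only for TLS client authentication
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' \
        > "$dir/client.ext"
    openssl x509 -req -sha256 -days 365 -extfile "$dir/client.ext" \
        -in "$dir/client.csr" -CA "$cadir/ca.crt" -CAkey "$cadir/ca.key" \
        -CAcreateserial -out "$dir/client.crt" >/dev/null 2>&1
    # export password is an example value; a real deployment hands it to the
    # user out of band
    openssl pkcs12 -export -passout pass:changeit \
        -inkey "$dir/client.key" -in "$dir/client.crt" -certfile "$cadir/ca.crt" \
        -out "$dir/client.p12"
}

# verify_client CADIR CERT: the chain check Apache performs with
# "SSLVerifyClient require"; prints ok or fail and returns 0 or 1.
verify_client() {
    if openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1; then
        echo ok; return 0
    else
        echo fail; return 1
    fi
}

# demo: returns 0 only if a certificate from our CA verifies and one from an
# unrelated CA with an identical subject is rejected.
demo() {
    make_ca "$WORK/ca" "Example Client CA"
    make_ca "$WORK/other-ca" "Some Other CA"
    make_client "$WORK/ca" "$WORK/alice" "alice@customer.example"
    make_client "$WORK/other-ca" "$WORK/mallory" "alice@customer.example"
    verify_client "$WORK/ca" "$WORK/alice/client.crt" >/dev/null || return 1
    verify_client "$WORK/ca" "$WORK/mallory/client.crt" >/dev/null && return 1
    return 0
}

demo && echo "client bundle for import: $WORK/alice/client.p12"
```

On the Apache side this pairs with `SSLVerifyClient require`, `SSLVerifyDepth 1` and `SSLCACertificateFile` pointing at `ca.crt` inside the relevant `<VirtualHost>` or `<Location>`, with `SSLCertificateFile` still holding the publicly signed server certificate. Note that `ca.key` is the only secret that matters here: anyone holding it can mint a certificate the server will accept, so keep it off the web server and plan for revocation (`SSLCARevocationFile`) before handing out the first bundle.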