
I have to authenticate a consumer of our REST API by authenticating their client certificate and I'm a little confused as to how to authenticate the client.

Is it enough to store the CA cert in my local store, send the client the certificate (edit: through email or some other form, not the API), and have them attach the certificate to each API call. On my side I would validate the chain, then load the user by serial number (i.e. map serial number to user) and then go from there?

Is this totally secure or would I need to add some other validation i.e. username in the CN, etc.?

Also would there be any security concerns using the same certificate for the client to post to the server and the server to post to the client?

Eitan
  • Short: this is not a good practice. The certificate should be handed out to the client by another channel than the API itself, e.g. via a trusted authority, which can be yourself, an external company or a department (and sent by mail). A certificate merely represents the trusted client, and you can only trust them if you, or a trusted delegate, know them. Ergo: "Also would there be any security concerns using the same certificate for the client to post to the server and the server to post to the client?" Answer: yes. – Caspar Kleijne Jan 28 '19 at 21:03
  • @CasparKleijne ok that makes sense! If I may ask why would it be a security concern to use the same cert to validate clients on the server as well as encrypt traffic to the client? Edit: I guess if I think about it, I know. Someone can just access the API in the browser, save the certificate, and then use it to authenticate. – Eitan Jan 28 '19 at 21:07

1 Answer


Try this great post about client auth with certs: Using client certificates in .NET part 8: working with client certificates in OWIN/Katana

Max
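
The application-side half of the scheme the question describes, as an added example (not code from the question, the comments or the linked OWIN/Katana post). The TLS layer does the chain validation (`ssl.CERT_REQUIRED` against a pinned CA bundle); this code only decides which user an already-validated certificate represents. It keys the lookup on (issuer, serial) because serial numbers are unique only within one issuing CA, and it explicitly refuses the server's own certificate when it is presented as a client credential, which is the problem raised in the comments. The CA name, serial numbers, users and sample certificates are constructed for the example; the certificate dicts use the shape returned by `ssl.SSLSocket.getpeercert()`.

```python
"""Client-certificate identity mapping for a REST API (added example).

Assumptions (constructed for this example): one private client CA issues all
client certificates, users are stored by (issuer, serial), and the server's
own TLS certificate has the serial SERVER_CERT_SERIAL.
"""
import ssl
import time

# Issuer DN of our client CA, in getpeercert()'s nested-tuple form (constructed).
CLIENT_CA_ISSUER = (
    (("organizationName", "Example Corp"),),
    (("commonName", "Example API Client CA"),),
)

# Serial of the API server's own TLS certificate (constructed). If that same
# certificate were handed to clients, anyone who opened the API in a browser
# could export it and authenticate with it, so it is never a client identity.
SERVER_CERT_SERIAL = "F00D"


def normalize_serial(serial):
    """Canonical hex form (upper-case, no leading zeros) so '00f00d' == 'F00D'."""
    return serial.upper().lstrip("0") or "0"


# Serial numbers are unique only per issuing CA, so the key is (issuer, serial).
# Hypothetical users.
USERS = {
    (CLIENT_CA_ISSUER, "1A2B3C"): "alice",
    (CLIENT_CA_ISSUER, "1A2B3D"): "bob",
}


class AuthError(Exception):
    pass


def make_server_context(ca_file, cert_file, key_file):
    """Server-side TLS context that requires a client cert chaining to ca_file.
    Not called below because it needs real PEM files on disk."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED       # handshake fails without a valid client cert
    ctx.load_cert_chain(cert_file, key_file)  # server identity, separate from client certs
    return ctx


def user_from_peer_cert(peer_cert, now=None):
    """Map a getpeercert() dict to a username or raise AuthError.

    Chain validation already happened in the handshake; the validity window is
    re-checked here only because it is cheap and testable with a fixed clock.
    """
    if not peer_cert:
        raise AuthError("no client certificate presented")
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(peer_cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(peer_cert["notAfter"])
    if not (not_before <= now <= not_after):
        raise AuthError("certificate outside its validity period")
    if peer_cert.get("issuer") != CLIENT_CA_ISSUER:
        raise AuthError("certificate not issued by the client CA")
    serial = normalize_serial(peer_cert["serialNumber"])
    if serial == normalize_serial(SERVER_CERT_SERIAL):
        raise AuthError("server certificate presented as client credential")
    try:
        return USERS[(CLIENT_CA_ISSUER, serial)]
    except KeyError:
        raise AuthError("valid certificate, but no user mapped to serial %s" % serial) from None


def authenticate(peer_cert, now=None):
    """Convenience wrapper: (username, None) on success, (None, reason) on failure."""
    try:
        return user_from_peer_cert(peer_cert, now), None
    except AuthError as e:
        return None, str(e)


# --- constructed sample certificates in getpeercert() form -------------------
def _sample_cert(serial, issuer=CLIENT_CA_ISSUER, cn="client",
                 not_after="Dec 31 23:59:59 2030 GMT"):
    return {
        "version": 3,
        "subject": ((("commonName", cn),),),
        "issuer": issuer,
        "serialNumber": serial,
        "notBefore": "Jan  1 00:00:00 2019 GMT",
        "notAfter": not_after,
    }


FIXED_NOW = ssl.cert_time_to_seconds("Jun  1 12:00:00 2020 GMT")
ALICE_CERT = _sample_cert("1A2B3C", cn="alice")
UNKNOWN_SERIAL_CERT = _sample_cert("7777", cn="alice")   # CN says alice; serial not enrolled
EXPIRED_CERT = _sample_cert("1A2B3D", not_after="Dec 31 23:59:59 2019 GMT")
OTHER_CA_CERT = _sample_cert("1A2B3C", issuer=((("commonName", "Some Public CA"),),))
SERVER_CERT_REUSED = _sample_cert("00F00D", cn="api.example.com")

if __name__ == "__main__":
    for name, cert in [("alice", ALICE_CERT), ("unknown serial", UNKNOWN_SERIAL_CERT),
                       ("expired", EXPIRED_CERT), ("other CA", OTHER_CA_CERT),
                       ("server cert reused", SERVER_CERT_REUSED)]:
        print(name, "->", authenticate(cert, FIXED_NOW))
```

Two things the samples are meant to show: `OTHER_CA_CERT` carries the same serial as Alice's certificate but is rejected because the serial is only meaningful together with its issuer, and `UNKNOWN_SERIAL_CERT` has "alice" in the CN yet is rejected because the binding is the enrolled (issuer, serial) pair, not a name in the subject. Revocation is not handled here; with the standard library you would add `ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF` and load the CA's CRL via `load_verify_locations`, or keep a revoked-serial list alongside the user table.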