将客户端证书映射到用户帐户的最佳做法是什么? [英] What are the best practices to map a client certificate to an user account?

问题描述

我们有一个专有框架，现在我们希望集成客户端ssl证书的身份验证.将客户端证书映射到专有用户帐户(例如数据库中的简单用户表)的最佳实践是什么?

• 保存到证书的公钥吗?
• 是否保存发行人和序列号?

或者还有其他可能性吗?

解决方案

您是否正在颁发证书(并且可以设置证书的某些字段)?这些证书是否必须与更大的PKI环境(例如电子邮件签名)集成(我是说您有X.509互操作性梦m)?

如果您可以为用户创建证书颁发机构，而不必关心外部系统，则可以为每个客户端证书提供一个通用名称属性，该属性直接映射到您的用户帐户.因此，您可以检查客户端证书是否由用户证书颁发机构签名，然后匹配证书CN属性.

当签名证书的数量有限且众所周知时，我建议存储此证书并检查客户端证书，并仅在它们由签名证书之一签名的情况下接受它们.然后，您使用证书颁发机构为每个用户唯一设置的证书字段(当更新用户证书时，证书字段保持不变，许多合作使用户证书在大约一年后超时)，将该字段与您的用户数据库连接./p>

如果您不能颁发证书，则可以将证书的哈希存储在数据库中，但是这样做的缺点是，当证书过期时，您需要更新数据库.哈希对于每个证书都是唯一的，而证书的大多数字段都可以被欺骗.

您可能还需要检查签名证书颁发机构的证书吊销列表，以便没有用户可以使用被盗的证书访问您的服务.

We have a proprietary framework and now we want to integrate the authentication by client side ssl certificates. What are the best practices to map a client certificate to a proprietary user account (for example a simple user table in the database)?

• Save to public key of the certificate?
• Save issuer and serialnumber?

Or are there other possibilities?

解决方案

Are you issuing the certificates (and have a possibility to set some fields of the certificate)? Does these certificates have to be integrated with a larger scale PKI environment like email-signing (I mean have you the X.509 interoperability nightmare)?

If you can create a certificate authority for the users, and have not to care about foreign systems, you can give each client certificate a common name attribute which maps directly to your user account. So you can check if the client certificate is signed by the user certificate authority and then match the certificate CN attribute.

When there is only a limited and well known number of signing certificates then I recommend to store this certificates and check the client certificates and accept them only if they are signed by one of the signing certificates. Then you use a field of the certificate which the issuing CA sets uniquely for each user (which stays equal when the user certificate gets renewed, many cooperations let user certificates time out after about one year) to connect this field with your user database.

If you can't issue the certificates you can store the hash of the certificate in the database, but this has the drawback that when a certificate runs out of date you need to update the database. The hash is unique to each certificate, while the most fields of a certificate can be spoofed.

You may also want to check the certificate revocation lists for the signing certificate authorities, so no user can access your service with a stolen certificate.

这篇关于将客户端证书映射到用户帐户的最佳做法是什么?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！