Client Authentication Certificates
A Note of Clarification:
There are two sorts of cryptographic certificates that are typically used with web-browsers, and their names are superficially similar, so just to avoid confusion: Certificate Authority Certificates (the purpose of which is to authenticate a server to the user) should not be confused with Client Authentication Certificates (the purpose of which is to authenticate the user to the server). This page is about Client Authentication Certificates.
A Brief Introduction to Client Authentication Certificates
Client Certificates are cryptographic keys that some websites use to authenticate users. The basic idea is that, rather than users having to remember and enter a user ID and password combination to authenticate themselves, a cryptographic key can be installed into their web-browser that uniquely identifies them.
The advantages of client authentication certificates are:
- The user does not have to remember a user ID and password, because their browser remembers the cryptographic keys (although a password can optionally protect the client key if it is to be used on a shared or public computer).
- Client authentication certificates are more secure than passwords, because typical attacks such as password guessing, or "phishing" for a user's password, don't work on them.
- Client authentication certificates use reliable, well-established cryptography, so the private key cannot be recovered by contemporary computers.
The disadvantage of cryptographic client authentication certificates is that they need to be installed into one's browser. Installing a client key is not difficult, although it is something that most computer users are not familiar with.
This page provides step-by-step tutorials describing how to install a client authentication certificate into the most commonly used browsers.
Installing a Client Authentication Certificate into your Browser
The process for installing a Client Authentication Certificate into your web-browser is basically the same regardless of which browser you are using:
The system administrator (of the website you are trying to connect to) will provide the actual key for you - it will be a small file, usually with a .p12 extension. Sometimes the .p12 file may be protected by a password (your system administrator will tell you). If there is a password then your browser will ask you for it, but if there is no password and yet your browser asks for one, then just leave the password field blank.
In most web-browsers you can open Preferences or Settings, and find a Privacy or Security option in there somewhere, and among the security settings there will be an option named something like Manage Certificates or View Certificates. Once inside the certificate management facility there will be a button allowing you to Import the .p12 file. The whole process isn't difficult, and if your web-browser isn't listed below then you can probably figure out how to install the certificate just by clicking around a bit.
The client authentication certificate acts like a key, enabling you to access a particular website. If you try to access the website without having the key installed, then you will receive an error message. But once you've imported the client authentication certificate into your browser you should be able to access the website. Your browser may flash a confirmation menu (as you first connect to the website) allowing you to select which key to use in order to unlock the webpage; if this happens then just select the key from the menu, and you should then be able to access the webpage.
The steps listed above outline the general process; below we provide detailed step-by-step instructions showing how to install a client authentication certificate into several popular web browsers:
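As an added example (not part of this tutorial, and not the browsers' own code), the following Python script uses the cryptography library to answer, before you import a .p12 file, the questions the procedure above raises: whether the file needs a password (it tries no password and an empty password first, exactly as advised), whose certificate it is, who issued it, whether it is currently valid, and whether it actually carries the Client Authentication extended key usage. It builds a constructed sample file (a throwaway issuing CA and a fictional user "alice@example.com", not any real site's key) so it runs offline; the names inspect_p12 and make_client_p12 are this example's own.

```python
"""Inspect a PKCS#12 (.p12) client certificate before importing it into a browser.

Added example, not from the tutorial. Requires the 'cryptography' package.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def inspect_p12(p12_bytes, candidate_passwords=(None, b"")):
    """Try each candidate password in order (no password first, as the tutorial
    advises) and report what the file contains. Returns {"opened": False} if
    none of the candidates unlocks the file."""
    key = cert = chain = used = None
    for pw in candidate_passwords:
        try:
            key, cert, chain = pkcs12.load_key_and_certificates(p12_bytes, pw)
        except ValueError:  # wrong password (MAC/decryption failure) or not PKCS#12
            continue
        used = pw
        break
    if cert is None:
        return {"opened": False}

    # A Client Authentication certificate should carry the clientAuth EKU.
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        client_auth = ExtendedKeyUsageOID.CLIENT_AUTH in eku
    except x509.ExtensionNotFound:
        client_auth = False

    # Newer 'cryptography' releases expose timezone-aware validity dates;
    # fall back to the naive (UTC) attributes on older releases.
    utc = datetime.timezone.utc
    not_before = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=utc)
    not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=utc)
    now = datetime.datetime.now(utc)

    return {
        "opened": True,
        "needed_password": bool(used),  # None or b"" -> False
        "subject": cert.subject.rfc4514_string(),
        "issuer": cert.issuer.rfc4514_string(),
        "has_private_key": key is not None,
        "valid_now": not_before <= now <= not_after,
        "client_auth_eku": client_auth,
        "chain_certs": len(chain or []),
    }


def make_client_p12(password=None):
    """Constructed sample .p12: a throwaway issuing CA plus a client certificate
    for a fictional user. None/b"" gives an unprotected file, any other bytes a
    password-protected one (assumed values, not a real site's key)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Client CA")])
    ca_cert = (
        x509.CertificateBuilder()
        .subject_name(ca_name).issuer_name(ca_name)
        .public_key(ca_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    user_key = ec.generate_private_key(ec.SECP256R1())
    user_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "alice@example.com")])
    user_cert = (
        x509.CertificateBuilder()
        .subject_name(user_name).issuer_name(ca_name)
        .public_key(user_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=90))
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    enc = serialization.BestAvailableEncryption(password) if password else serialization.NoEncryption()
    return pkcs12.serialize_key_and_certificates(b"alice", user_key, user_cert, [ca_cert], enc)


if __name__ == "__main__":
    import sys
    # usage: python inspect_p12.py [file.p12] [password]; no file -> constructed sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_client_p12()
    extra = (sys.argv[2].encode(),) if len(sys.argv) > 2 else ()
    print(inspect_p12(data, (None, b"") + extra))
```

Run it with the path to your .p12 file, adding the password as a second argument if the administrator gave you one. The same check from the command line is openssl pkcs12 -info -in client.p12 -nokeys, and curl --cert-type P12 --cert client.p12:password https://your.website.com/ exercises the TLS client-certificate handshake without a browser, which is a quick way to confirm the certificate itself works before spending time on browser settings.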
Chrome
Here are step-by-step instructions for installing a Client Authentication Certificate into Google's Chrome web-browser.
Step 1
Start Chrome, and then open the menu at the top right corner and select Settings.
Step 2
In the window that appears select Privacy and Security. This will bring up a list of options, select Security.
Step 3
Scroll down to the Advanced section and select the Manage certificates option.
Step 4
The Certificates window will appear. Be sure that the Personal tab is selected. Select Import.
Step 5
Click Next.
Step 6
Select Browse, and select the .p12 file (the certificate file).
Step 7
You may be asked to enter the password for the .p12 certificate - if your system administrator did not give you a password with the key (i.e., if the certificate has no password) then just leave the password field empty.
Also, select Mark this key as exportable, and Include all extended properties.
Click Next.
Firefox
Here are step-by-step instructions for installing a Client Authentication Certificate into the Firefox web-browser.
Step 1
Start Firefox, and then open the menu at the top right corner and select Settings.
Step 2
In the window that appears select Privacy & Security. This will bring up a list of options, scroll down and find the Certificates section. Select View Certificates.
Step 3
The Certificate Manager window will appear. Be sure that the Your Certificates tab is selected. Select Import.
Step 4
Find and open the .p12 file (the certificate file).
Step 5
You may be asked to enter the password for the .p12 certificate - if your system administrator did not give you a password with the key (i.e., if the certificate has no password) then just leave the password field empty.
Click Ok.
Microsoft Edge
Here are step-by-step instructions for installing a Client Authentication Certificate into the Microsoft Edge web-browser.
Step 1
Open Microsoft Edge, and then open the menu at the top right corner and select Settings.
Step 2
Select Privacy, search, and services, and then choose Manage certificates, as shown below.
Step 3
Click Import to start the Certificate Import Wizard.
Step 4
Click Next, to continue.
Step 5
Browse to your downloaded certificate .p12 file and then click Next.
Note: When browsing to your PFX file, make sure the file type in the bottom-right of the browse window is changed to Personal Information Exchange, otherwise it will not find your file.
Step 6
You may be asked to enter the password for the .p12 certificate - if your system administrator did not give you a password with the key (i.e., if the certificate has no password) then just leave the password field empty.
Also, select Mark this key as exportable, and Include all extended properties.
Click Next.
Step 7
Let the Certificate Import Wizard determine the best place for the installation. Click Next.
Note: In some instances, the Certificate may not install under Personal. If this is the case, then manually select the second option when rerunning the installation.
Step 8
Click Next. Then, click Finish.
The Certificate is now installed and will be used for secure client authentication.
Safari
Many common web browsers, such as Firefox or Chrome, remember cryptographic keys and certificates by storing them in an internal "key store". Safari on Mac OSX presents a slightly different situation than the other browsers described above, because Macs have a centralised key store provided by the operating system. So the process of installing a client certificate for use in Safari amounts to importing the .p12 certificate file into the Keychain Access tool, rather than directly into the browser. The other browsers such as Firefox or Chrome can optionally use the Mac key store too (when they are running on OSX), but Safari must store its keys and certificates in the Keychain key store.
NOTE: There is a minor bug in the way that Safari applies client certificates to websites, but there is a work-around for the bug that is described below (starting in Step 10). To get things working smoothly you must follow all of the steps listed below.
To install a Client Authentication Certificate into the Mac OSX key store, so it can be used by Apple's Safari web-browser, we use the Keychain Access utility:
Step 1
Save the Client Authentication Certificate somewhere on your Mac; it is a file with a .p12 extension.
Step 2
Double-click on the Client Authentication Certificate file to open it, and you will be asked for the certificate's password. Enter the password that your system administrator gave you when they gave you the .p12 certificate file.
NOTE: If you are unable to open the .p12 file by double-clicking on it (if the Keychain Access application doesn't automatically start when you double-click the .p12 file) then you can import the certificate manually by following these instructions.
Step 3
The Keychain Access application should open, and the certificate should appear in the login keychain, under My Certificates. Note that you may have to click on login and My Certificates in order to find the key you just added to the key store.
NOTE: Just leave the Keychain Access app running for now.
Step 4
Next, start Safari.
Step 5
The point of installing the certificate is to allow you to access a certain website. Use Safari to go to that website now. You can either follow the link provided by your system administrator, or type the URL of the website into Safari’s Address Bar and press Enter.
Step 6
You may be asked to enter your password (or maybe not – don’t worry if you aren’t asked to sign in).
NOTE: The password that Safari is asking for, the "privateKey" password, is the same password you use to log in to your Mac.
Enter the password you use to log yourself into your Mac and then click the Always Allow button. (If you click Allow rather than Always Allow, then Safari may pester you to keep signing in over and over again.)
Step 7
If everything has gone well then Safari will confirm that you want to use the new Client Authentication Certificate that you just installed, just click Continue:
Step 8
You may be asked a second or third time whether you want to use the Certificate. Just keep on clicking Continue until Safari stops asking (this may take a bit).
Step 9
Close Safari.
IMPORTANT: Don’t just close Safari’s window (leaving it running in the background), actually use the File menu and select Quit Safari to ensure that Safari is no longer running:
Step 10
By now everything should be working! However, there is a bug in Safari which means that it’s going to keep asking you to confirm the certificate every time you go to a new location within the website, which can quickly get very annoying.
Just to be clear – every time you first open the website in Safari, you will be asked to confirm the certificate, which is fine, but with a little tweak you should be able to dramatically reduce the number of additional times that Safari subsequently pesters you regarding the certificate.
Switch back to the Keychain Access application (it should still be running because we left it running after Step 3).
In Keychain Access, click on All Items:
Search for an item or two that are called identity preference items, as displayed in the Kind column:
Here’s a close-up:
The two records that you are looking for are named:
http://your.website.com (com.apple.Safari), and,
https://your.website.com (com.apple.Safari)
NOTE: The difference between these two records is the protocol name, HTTP versus HTTPS (note the presence or absence of the S). Both records may appear, but if only the HTTPS record is there then that’s fine, don’t worry if the HTTP record is missing.
Step 11
Double click on the identity preference record named:
https://your.website.com (com.apple.Safari),
and a dialog box like this should appear:
Step 12
Insert one slash character, “/”, right at the end of the URL in both the Name and Where fields, like this:
The spacing has to be exactly like this, here’s a close-up:
Click “Save Changes”.
Step 13
Make the same change to the HTTP identity preference record, if it exists. Don’t worry about it if that record isn’t there.
Step 14
Close the Keychain Access app.
That is it! You are done!
Ongoing Problems with Safari?
Hopefully you can now open your.website.com in Safari, and it will confirm once that you wish to use the certificate, after which it will behave just like any other website.
It’s a shame about the bug in Safari whereby the identity preference records that it automatically creates don’t include the necessary slash, but at least Step 12 gets things working. If Safari continues to excessively hound you to confirm the certificate as you surf around your website, then double check that you added the slash in the correct spot in those "identity preference" records in the Keychain: right at the end of the URL, your.website.com/, with no space before it, and with a single space after the slash before the words (com.apple.Safari).
If you keep being hounded to sign in with a dialog that looks like the one in Step 6, then remember to click on Always Allow.
Attributions
Some of the contents of this page were acquired, with thanks, from the following online information sources, under Fair Use provisions:
Author
Questions, comments, and suggestions may be directed to the author of this article, at: