Client Authentication Certificates
A Note of Clarification:
There are two sorts of cryptographic certificates that are typically used
with web-browsers, and their names are superficially similar, so just to
avoid confusion:
Certificate Authority Certificates (the purpose of which is to authenticate a server to the user) should not be confused with Client Authentication Certificates (the purpose of which is to authenticate the user to the server).
This page is about Client Authentication Certificates.
A Brief Introduction to Client Authentication Certificates
Client Certificates are cryptographic keys that some websites use to authenticate users. The basic idea is that rather than users having to remember and enter a user ID and password combination to authenticate themselves, instead, a cryptographic key can be installed into their web-browser that uniquely identifies them.
The advantages of client authentication certificates are:
- The user does not have to remember a user ID and password because their browser remembers the cryptographic keys (although passwords can optionally be used if the client keys are to be used on shared or public computers).
- Client authentication certificates are more secure than passwords, because typical attack techniques such as password guessing, or "phishing" for a user's password, don't work on them.
- Client authentication certificates use strong public-key cryptography, so the keys cannot be broken by contemporary computers.
The disadvantage of cryptographic client authentication certificates is that they need to be installed into one's browser. Installing a client key is not difficult, although it is something that most computer users are not familiar with.
This page provides step-by-step tutorials describing how to install a client authentication certificate into the most commonly used browsers.
Installing a Client Authentication Certificate into your Browser
The process for installing a Client Authentication Certificate into your web-browser is basically the same regardless of which browser you are using:
The system administrator (of the website you are trying to connect to) will provide the actual certificate for you - it will be a small file, usually with a .p12 extension. Sometimes the .p12 file may be protected by a password (your system administrator will tell you). If there is a password then your browser will ask you for it, but if there is no password and yet your browser asks for one, then just leave the password field blank.
In most web-browsers you can open Preferences or Settings, and find a Privacy or Security option in there somewhere, and among the security settings there will be an option named something like Manage Certificates or View Certificates. Once inside the certificate management facility there will be a button allowing you to Import the .p12 file. The whole process isn't difficult, and if your web-browser isn't listed below then you can probably figure out how to install the certificate just by clicking around a bit.
The client authentication certificate acts like a key, enabling you to access a particular website. If you try to access the website without having the key installed, then you will receive an error message. But once you have imported the client authentication certificate into your browser you should be able to access the website. Your browser may flash a confirmation menu (as you first connect to the website) allowing you to select which key to use in order to unlock the webpage; if this happens then just select the key from the menu, and you should then be able to access the webpage.
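Before importing a .p12 file it is worth checking what it contains: whether it actually needs a password (the "leave the field blank" case above), which identity it holds, and when it expires. The following is an added example, not part of the original page, using the openssl command-line tool; the sample .p12 files it inspects are constructed in the script from a throwaway self-signed certificate.

```shell
#!/bin/sh
# Added example: inspect a client-certificate .p12 file with OpenSSL before
# importing it into a browser or keychain. Assumes the openssl CLI is installed.

# p12_needs_password FILE -> prints "no" if a blank password opens the file
# (leave the browser's password field empty), "yes" if a password is required.
p12_needs_password() {
    if openssl pkcs12 -in "$1" -nokeys -passin pass: -noout >/dev/null 2>&1; then
        echo no
    else
        echo yes
    fi
}

# p12_subject FILE PASSWORD -> prints the subject of the client certificate in
# the .p12, so you can confirm it is the identity your administrator issued.
p12_subject() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
        | openssl x509 -noout -subject
}

# p12_expiry FILE PASSWORD -> prints the certificate's notAfter date.
p12_expiry() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
        | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# make_sample_p12 OUTFILE PASSWORD -> constructed test data, not a real
# identity: a self-signed certificate for CN=alice wrapped in a .p12 file.
make_sample_p12() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=alice" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -name alice -out "$1" -passout "pass:$2"
    rm -rf "$dir"
}

SAMPLE_DIR=$(mktemp -d)
make_sample_p12 "$SAMPLE_DIR/locked.p12" secret   # password-protected file
make_sample_p12 "$SAMPLE_DIR/open.p12" ""         # file with no password

echo "locked.p12 needs password: $(p12_needs_password "$SAMPLE_DIR/locked.p12")"
echo "open.p12 needs password:   $(p12_needs_password "$SAMPLE_DIR/open.p12")"
echo "identity: $(p12_subject "$SAMPLE_DIR/locked.p12" secret)"
echo "expires:  $(p12_expiry "$SAMPLE_DIR/locked.p12" secret)"
```

To check a real file, call the functions with the .p12 your administrator sent you and the password they gave you (or an empty string if there is none).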
The steps listed above outline the general process. Below we provide detailed step-by-step instructions showing how to install a client authentication certificate into several popular web browsers:
Chrome
Here are step-by-step instructions for installing a Client Authentication Certificate into Google's Chrome web-browser.
Step 1
Start Chrome, and then open the menu at the top right corner and select Settings.
Step 2
In the window that appears select Privacy and Security. This will bring up a list of options, select Security.
Step 3
Scroll down to the Advanced section and select the Manage certificates option.
Step 4
The Certificates window will appear. Be sure that the Personal tab is selected. Select Import.
Step 5
Click Next.
Step 6
Select Browse, and select the .p12 file (the certificate file).
Step 7
You may be asked to enter the password for the .p12 certificate - if your system administrator did not give you a password with the key (i.e., if the certificate has no password) then just leave the password field empty.
Also, select Mark this key as exportable, and Include all extended properties.
Click Next.
Firefox
Here are step-by-step instructions for installing a Client Authentication Certificate into the Firefox web-browser.
Step 1
Start Firefox, and then open the menu at the top right corner and select Settings.
Step 2
In the window that appears select Privacy & Security. This will bring up a list of options, scroll down and find the Certificates section. Select View Certificates.
Step 3
The Certificate Manager window will appear. Be sure that the Your Certificates tab is selected. Select Import.
Step 4
Find and open the .p12 file (the certificate file).
Step 5
You may be asked to enter the password for the .p12 certificate - if your system administrator did not give you a password with the key (i.e., if the certificate has no password) then just leave the password field empty.
Click OK.
Microsoft Edge
Here are step-by-step instructions for installing a Client Authentication Certificate into the Microsoft Edge web-browser.
Step 1
Open Microsoft Edge, and then open the menu at the top right corner and select Settings.
Step 2
Select Privacy, search and services, and then choose Manage certificates as shown below.
Step 3
Click Import to start the Certificate Import Wizard.
Step 4
Click Next, to continue.
Step 5
Browse to your downloaded certificate .p12 file and then click Next.
Note: When browsing to your PFX (.p12) file, make sure the file type in the bottom-right of the browse window is changed to Personal Information Exchange, otherwise it will not find your file.
Step 6
You may be asked to enter the password for the .p12 certificate - if your system administrator did not give you a password with the key (i.e., if the certificate has no password) then just leave the password field empty.
Also, select Mark this key as exportable, and Include all extended properties.
Click Next.
Step 7
Let the Certificate Import Wizard determine the best place for the installation. Click Next.
Note: In some instances, the Certificate may not install under Personal. If this is the case, then manually select the second option when rerunning the installation.
Step 8
Click Next. Then, click Finish.
The Certificate is now installed and will be used for secure client authentication.
Safari
Many common web browsers, such as Firefox or Chrome, store cryptographic keys and certificates in an internal "key store" specific to those browsers (and steps for adding a certificate to those browsers appear above). Safari on Mac OSX presents a slightly different situation than the other browsers described above, because Macs have a centralised key store provided by the operating system. So the process of installing a client certificate for use in Safari amounts to importing the .p12 certificate file into the Keychain Access tool, rather than directly into the browser. The other browsers such as Firefox or Chrome can optionally use the Mac key store too (when they are running on OSX), but Safari always stores its keys and certificates in the system Keychain key store.
NOTE: There is a minor bug in the way that Safari applies client certificates to websites, but there is a work-around for the bug that is described below (starting in Step 10). To get things working smoothly you must follow all of the steps listed below.
To install a Client Authentication Certificate into the Mac OSX key store, so it can be used by Apple's Safari web-browser, we use the Keychain Access utility:
Step 1
Save the Client Authentication Certificate somewhere on your Mac; it is a file with a .p12 extension.
Step 2
Open the Keychain Access application using whatever means you usually use to start applications on your Mac. For instance, the Keychain Access application can be found in the Launchpad, or in the Applications directory, within the Other (or Utilities) subfolder (Apple renamed “Utilities” to “Other” in more recent versions of Mac OSX, so the name of that folder depends upon the version of OSX on your computer).
So for example, in the Finder, in the left-hand column under Favorites, click Applications, then find Utilities or Other, and then double-click to start the Keychain Access app.
Step 3
In Keychain Access, under the File menu, select Import Items.
In the file search window that appears, find the .p12 certificate file that you downloaded in Step 1, and in the Destination Keychain drop-down list select login, then click Open. If the Destination Keychain list is not visible then you may need to click on a button labelled Options first.
NOTE: It is very important that the certificate be added to the login keychain, so be sure to set the Destination Keychain to login.
You will be asked to enter the password for the .p12 certificate - your system administrator will have given you the password with the certificate file. Enter the password and click OK.
Step 4
Once you have reached this step, the certificate should appear as it does in this figure:
NOTE: The certificate must be located in the login keychain, under My Certificates as indicated by the red arrows. You may have to click on login and My Certificates in order to find the certificate.
Sometimes certificates have a habit of loading into the System keychain (or other keychains besides login) especially if you have accidentally double-clicked on the certificate file in Step 1. If the certificate is in another area of the keychain then you must delete it and start again.
You can delete the certificate by right-clicking on it and selecting Delete. Sometimes the certificate will appear within a folder (you can see the > caret to the left of the certificate name annual25 in the figure), and in this case you may have to open the folder and delete the certificate within.
Just leave Keychain Access running for now, and proceed with Step 5.
Step 5
The point of installing the certificate is to allow you to access a certain website - your system administrator will have given you the address of that website.
So start Safari:
And using Safari go to that website now. You can either follow the link provided by your system administrator, or type the address of the website into Safari’s Address Bar and press Enter.
Step 6
You may be asked to enter your password (or maybe not – don’t worry if you aren’t asked to sign in).
NOTE: The password that Safari is asking for, the "privateKey" password, is the same password you use to login to your Mac.
So enter your password and then click the Always Allow button. (If you click Allow rather than Always Allow, then Safari may pester you to keep signing in over and over again.)
Step 7
If everything has gone well then Safari will query you to confirm that you want to use the new Client Authentication Certificate that you just installed, just click Continue:
Step 8
You may be asked a second or third time whether you want to use the Certificate. Just keep on clicking Continue until Safari stops asking (this may take a bit).
Step 9
Close Safari.
IMPORTANT: Don’t just close Safari’s window (leaving it running in the background), actually use the File menu and select Quit Safari to ensure that Safari is no longer running:
Step 10
By now everything should be working! However, there is a bug in Safari which means that it is going to keep asking you to confirm the certificate every time you go to a new location within the website, which can quickly get very annoying.
Just to be clear – every time you first open the website in Safari, you will be asked to confirm the certificate, which is fine, but with a little tweak you should be able to dramatically reduce the number of additional times that Safari subsequently pesters you regarding the certificate.
Switch back to the Keychain Access application (it should still be running because we left it running after Step 4).
In Keychain Access, click on All Items:
Search for an item or two that are called identity preference items, as displayed in the Kind column:
NOTE: In these images we have used the website your.website.com for demonstration purposes; the actual website name that you are looking for is the one given to you by your system administrator.
Here’s a close-up:
The two records that you are looking for are named:
http://your.website.com (com.apple.Safari), and,
https://your.website.com (com.apple.Safari)
The difference between these two records is the protocol name, HTTP versus HTTPS (note the presence or absence of the S). Both records may appear, but if only the HTTPS record is there then that is fine, don’t worry if the HTTP record is missing. Also remember that you are looking for the website name that your system administrator gave you, your.website.com is being used here as an example.
Step 11
Double click on the identity preference record named:
https://your.website.com (com.apple.Safari),
and a dialog box like this should appear:
Step 12
Insert one slash character, “/”, right at the end of the URL in both the Name and Where fields, like this:
The spacing has to be exactly like this, here’s a close-up:
Click “Save Changes”.
Step 13
Make the same change to the HTTP identity preference record, if it exists. Don’t worry about it if that record isn’t there.
Step 14
Close the Keychain Access app.
That is it! You are done!
Ongoing Problems with Safari?
Hopefully you can now open your.website.com in Safari, and it will confirm once that you wish to use the certificate, after which it will behave just like any other website.
It’s a shame about the bug in Safari whereby the identity preference records that it automatically creates don’t include the necessary slash, but at least Step 12 gets things working. If Safari continues to excessively hound you to confirm the certificate as you surf around your website, then double-check that you added the slash in the correct spot: right at the end of the URL your.website.com/ with no space before it, and with a single space after the slash before the words (com.apple.Safari), in those identity preference records in the Keychain.
If you keep being hounded to sign in with a dialog that looks like the one in Step 6, then remember to click on Always Allow.
If you continue to be pestered to login over and over again, and the problem is not what was described in the previous paragraph (resolvable by clicking on Always Allow) then the certificate may be installed into the wrong location within the Keychain Access keystore. The following figure shows how to find the certificate if it has been installed correctly - note the green arrows!
If you click on the login keychain and look under My Certificates, and the certificate does not appear to be located there, then try looking under the System keychain (the red arrow). The System keychain is the wrong location - if the certificate has somehow been installed into System then you must delete it (by right-clicking and selecting Delete, noting that you may have to open the folder by clicking on the > symbol pointed to by the blue arrow and delete the key appearing within), and then re-install the certificate by following the instructions again from Step 1.
Attributions
Some of the contents of this page were acquired, with thanks, from the following online information sources, under Fair Use provisions:
Author
Questions, comments, and suggestions may be directed to the author of this article, at: