[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Handle-info] Authentication using existing client certificates

That's correct.  The handle server uses the client side certificate as a way to associate a handle identity and public key with the client.  The handle identity is encoded into the UID component of the certificate subject, although if there is no UID component, the CN component could be used instead.  As usual for handle server authentication, the handle identity should refer to an HS_PUBKEY value in a handle record, where the public key must match the public key in the certificate.

Robert

> On Feb 25, 2020, at 5:16 AM, Weng, Franziska <fweng@geomar.de> wrote:
> 
> Hi Robert,
> 
> thank you for your quick response. Is my understanding correct, that the handle server always uses the given UID information (index of public key or certificate entry:prefix/suffix) to look up the public key or certificate and to check if the public key or certificate referenced by the UID matches the provided private key?
> 
> Best regards
> 
> Franziska
> 
> 
> Am 24.02.20 um 16:56 schrieb Robert R Tupelo-Schneck:
>> I'm afraid there's no way to configure the handle server to accept your client certificates directly.
>> 
>> You could get the public key from your client certificate, create a handle with an HS_PUBKEY value with that public key, and create a new client certificate using the same keys and the same CN but also having a UID.  Let us know if you want to do that and need assistance.
>> 
>> With more effort, you could write an authenticating proxy to the handle server, which accepts your client certificate and then connects to the handle server using some other authentication.
>> 
>> Robert
>> 
>>> On Feb 24, 2020, at 10:43 AM, Weng, Franziska <fweng@geomar.de> wrote:
>>> 
>>> Hi,
>>> 
>>> we would like to use existing client certificates (x509) for authentication instead of creating new certificates (like described here http://www.handle.net/mail-archive/handle-info/msg00816.html). Our existing client certificates contain CN in the form of /CN=Firstname Lastname (space between firstname and lastname!). UID is not used. How can we achieve that we can authenticate on the web interface of the handle server using these as client certificates?
>>> 
>>> Best regards
>>> 
>>> Franziska
>>> 
>>> -- 
>>> Franziska Weng
>>> Information, Data and Computing Centre
>>> GEOMAR
>>> Helmholtz Centre for Ocean Research Kiel
>>> Wischhofstr. 1-3
>>> D-24148 Kiel, Germany
>>> 
>>> Room: 01/111 (Entrance 2)
>>> Tel: +49 (0)431 / 600-2173
>>> E-Mail:fweng@geomar.de
>>> https://www.geomar.de
>>> 
>>> 
>>> _______________________________________________
>>> Handle-Info mailing list
>>> Handle-Info@cnri.reston.va.us
>>> http://www.handle.net/mailman/listinfo/handle-info
> 
> -- 
> Franziska Weng
> Information, Data and Computing Centre
> GEOMAR
> Helmholtz Centre for Ocean Research Kiel
> Wischhofstr. 1-3
> D-24148 Kiel, Germany
> 
> Room: 01/111 (Entrance 2)
> Tel: +49 (0)431 / 600-2173
> E-Mail: fweng@geomar.de
> https://www.geomar.de
> 
> 
> _______________________________________________
> Handle-Info mailing list
> Handle-Info@cnri.reston.va.us
> http://www.handle.net/mailman/listinfo/handle-info

_______________________________________________
Handle-Info mailing list
Handle-Info@cnri.reston.va.us
http://www.handle.net/mailman/listinfo/handle-info