Web based login using ssl public/private key?

Backend · Open · 5 · 1555
我在风中等你 2021-01-02 07:59

Is it possible to create a login process that requires a public/private key through a web browser? The public key would be stored on the server and the private key would be

5 answers
  •  星月不相逢
    2021-01-02 08:22

    Client certificates are the answer. Most/all browsers import these client certificates as PKCS#12 (.p12, .pfx).

    You can convert an existing x509 certificate to a PKCS#12 file with the public key (.crt), private key (.key) and CA certificate (.crt). You can do this with OpenSSL using the following command:

    openssl pkcs12 -export -out client.p12 -inkey client.key -in client.crt -certfile ca.crt

    If you self-sign your certificates it's important to make sure the certificate serial is different from other certificates. If they are the same you can experience errors trying to import the .p12 file (so watch out for -set_serial in openssl examples).

    Unfortunately the only cross-platform way to make certificates mobile/removable is to use a smart card (using PKCS#11).

    On Mac OS X Safari and Chrome access their certificates from the keychain. You can actually create a custom keychain on a USB flash drive (File -> New Keychain). After you've created the keychain you can simply drag your .p12 file into your Keychain. What's nice about this is you can control access to what application has access to the certificates, and you can have the keychain itself lock after a certain amount of inactivity.

    With Safari this works beautifully. If you unplug the flash drive it stops sending that certificate after a couple seconds. If you plug it back in, it picks it up immediately. If you lock the certificate with "Keychain Access" it asks for the password. It prevents you from properly ejecting the flash drive while in use, but after a minute Safari releases its lock.

    Chrome is finicky. It caches the certificate for several minutes. If you lock the keychain, it continues to use the cached version. If you try to properly unmount the flash drive it will tell you Chrome is using it until you close it. If you plug the flash drive in while Chrome is running it won't pick it up.

    So it appears that Safari is the only browser to support this. Firefox and Opera both have their own key-stores.

    If you want to hide your custom keychain on the flash drive you can create an invisible folder by prefixing it with a period (like "./.keys"). When creating your keychain you can view the invisible folder in the dialog window by pressing Command+Shift+".".
