Which parts of the client certificate to use when uniquely identifying users?

Posted by miha on Stack Overflow See other posts from Stack Overflow or by miha
Published on 2011-03-13T16:06:13Z Indexed on 2011/03/13 16:10 UTC
Read the original article Hit count: 277

I'm designing a system where users will be able to register and afterward authenticate with client certificates in addition to username/password authentication.

The client certificates will have to be valid certificates issued by a configured list of certificate authorities and will be checked (validated) when presented.

In the registration phase, I need to store part(s) of the client certificate in a user repository (DB, LDAP, whatever) so that I can map the user who authenticates with client certificate to an internal "user".

One fairly obvious choice would be to use certificate fingerprint; But fingerprint itself is not enough, since collisions may occur (even though they're not probable), so we need to store additional information from the certificate. This SO question is also informative in this regard.

RFC 2459 defines (4.1.2.2) that certificate serial number must be unique within a given CA.

With all of this combined, I'm thinking of storing certificate serial number and certificate issuer for each registered user. Given that client certificates will be verified and valid, this should uniquely identify each client certificate. That way, even when client certificate is renewed, it would still be valid (serial number stays the same, and so does the issuer).

Did I miss something?

© Stack Overflow or respective owner

Related posts about security

Related posts about authentication