Client certificate for browser authentication (X.509)

Airlock IAM can authenticate users by verifying X.509 client certificates.

The browser can present a client certificate during the SSL handshake, so the user is already authenticated while the connection to the server is being established.

Client certificates can come in different forms:

  • from a smart card (used with a smart card reader)
  • from a USB token or another hardware device
  • as a software certificate installed in the browser (less secure, since the private key is only protected by the browser's key store)

Involved systems

Client certificate authentication
  • Browser: has access to the client certificate and presents it in the SSL handshake
  • Airlock Gateway (WAF): requests the client certificate in the SSL handshake
    • Verifies that the issuer of the client certificate is trusted
    • Verifies the signature on the client certificate
    • Verifies the validity period of the client certificate
  • Airlock IAM: receives the client certificate information from Airlock Gateway (WAF)
    • Verifies the validity of the client certificate against an external CRL or OCSP server
    • Maps the client certificate to a user, or extracts the user information from the certificate
    • Takes into account the user account status (e.g. locked), the user's roles, and other information
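The Gateway-side checks (trusted issuer, signature chain, validity period) followed by the IAM-side step of mapping the certificate to a user identity, as an added example in Go using only the standard library. This is not Airlock code: the CA, the user name and the certificate material are constructed in MakeTestPKI for demonstration, and the CRL/OCSP revocation check is deliberately left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// VerifyClientCert applies the Gateway-side checks listed above to a DER client
// certificate (trusted issuer, signature chain, validity period at "now", client-auth
// EKU) and returns the identity the IAM side would map to a user: the subject CN.
// Revocation (CRL/OCSP) is not checked here; Go's verifier leaves that to the caller.
func VerifyClientCert(certDER []byte, trusted *x509.CertPool, now time.Time) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: trusted, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err // untrusted issuer, bad signature, or outside validity period
	}
	if cert.Subject.CommonName == "" {
		return "", errors.New("certificate has no CN to map to a user")
	}
	return cert.Subject.CommonName, nil
}

// MakeTestPKI returns a constructed CA (as a trust pool) and a DER client certificate
// signed by it; test material only, not real Airlock or customer certificates.
func MakeTestPKI(cn string, notBefore, notAfter time.Time) (certDER []byte, trusted *x509.CertPool) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Constructed Client CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: notBefore.Add(-time.Hour), NotAfter: notAfter.Add(time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, caPub, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: notBefore, NotAfter: notAfter,
		Subject: pkix.Name{CommonName: cn}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	certDER, _ = x509.CreateCertificate(rand.Reader, leafTpl, caCert, leafPub, caKey)
	trusted = x509.NewCertPool()
	trusted.AddCert(caCert)
	return certDER, trusted
}
```

A certificate issued by a CA that is not in the trust pool, or one presented outside its validity period, is rejected by cert.Verify before any user mapping takes place.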