I'm trying to log in with a client certificate (a smartcard) but I'm a bit confused. The site needs to prompt me to select a certificate, but does not. I know how to set this up in Apache (SSLVerifyClient require) which works stand-alone, but that doesn't allow me to pass the cert to Drupal. Should this module do that for me? If not, do you have any suggestions?

Thanks

Comments

daleeman’s picture

Status: Active » Closed (works as designed)

Never mind; it works like it should, I think (though it doesn't do completely what I'm looking for). I'm hoping to find a way to validate a certificate outside of Apache. This means I need to somehow get PHP to send the certificate request to the browser rather than Apache. If anyone has any suggestions, let me know, please!!

flamingvan’s picture

Status: Closed (works as designed) » Closed (fixed)

Sorry I don't know how to help with that. My knowledge of certificates is actually pretty limited at the moment.

daleeman’s picture

Status: Closed (fixed) » Closed (works as designed)

I'm changing this to "By Design" as it works the way you intended for it to.

There are a few ways to do client certificate validation (my knowledge being limited to Apache). The first is to set an entire directory/webroot as requiring a certificate. However, if you want a landing page (not requiring a certificate) or to manage multiple directories that are not certificate-validated, this module won't really help you.

What I ended up doing was creating a new module to handle logins via a token. The token is created in a protected directory (requiring the access card), saved in the DB (relating the CN to the token), passed to Drupal, and verified in the DB. Once the login is verified in my module, I load the appropriate profile based on a map table (uid, CN). Sounds a little convoluted, but it works pretty well.

THIS module, however, reads the certificate data assuming it has already been sent...it just doesn't make the browser request it (which I have yet to figure out how you would do that).