This project is not covered by Drupal’s security advisory policy.
This module manages SSL/TLS client certificates for use at login, or as part of a multi-factor login strategy based on rules and gate-module, to improve login security.
This module can be used with any client certificate, whether it is self-signed or verified by a certification authority. However, it is developed with CAcert Community products (see the CAcert section below).
Concept and differences to "certificatelogin"
certificatelogin provides a simple, direct login functionality for SSL/TLS client certificates. It saves only one certificate attribute in the auth table and provides user generation based on certificate information.
The concept of the clientcert module is to be more flexible. The flexibility is based on rules and fieldable entities to store certificate information. If you really want to create users with it, you can create a rule. But there are more possibilities, like multi-factor login and, in future, S/MIME mail encryption for outgoing mails like the OpenPGP module.
Because everything will be based on rules, you can create individual security strategies, for example: users with the admin role have to use a certificate, and other users can decide.
Current features
- Managing SSL/TLS client certificates with additional information as fieldable entities.
- Manual adding of certificates in PEM format for later checking by the server, or direct adding of the active browser certificate.
- Login with SSL/TLS client certificate via Rules with default settings for rules.
- Much of the certificate metadata provided by the web server (if correctly configured) can be used with rules, especially the verification information.
Sample snippet of additional Apache vhost configuration (development is done with the Apache web server):
<Location /clientcert/require>
SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 3
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
</Location>
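The verification information mentioned above reaches PHP as mod_ssl environment variables. The following added example (not code from the clientcert module; the function names, the `$known` map and the sample data are assumptions) shows one way to evaluate them. It goes beyond the `SSLVerifyClient require` snippet by also handling the `GENEROUS` and `FAILED:reason` states that a looser setting such as `optional_no_ca` would let through for self-signed certificates.

```php
<?php
// Added example, not code from the clientcert module. Function names, the
// $known map and the sample values are hypothetical; the SSL_CLIENT_* keys are
// the mod_ssl variables exported by +StdEnvVars and +ExportCertData.

// SHA-256 over the DER bytes of a PEM certificate, or null if unparsable.
function pem_fingerprint(string $pem): ?string {
    if (!preg_match('/-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----/s', $pem, $m)) {
        return null;
    }
    $der = base64_decode(preg_replace('/\s+/', '', $m[1]), true);
    return ($der === false || $der === '') ? null : hash('sha256', $der);
}

// Turn what the web server reports about the client certificate into a decision.
function evaluate_client_cert(array $server, array $known): array {
    $verify = $server['SSL_CLIENT_VERIFY'] ?? 'NONE';
    $fp = pem_fingerprint($server['SSL_CLIENT_CERT'] ?? '');
    if ($verify === 'NONE' || $fp === null) {
        return ['decision' => 'no_certificate', 'uid' => null];
    }
    $uid = $known[$fp] ?? null;   // exact match against a stored certificate
    if ($verify === 'SUCCESS') {
        // Chain validated by Apache: the subject DN can be used in rules.
        return ['decision' => $uid === null ? 'verified_unknown' : 'verified_known',
                'uid' => $uid, 'subject' => $server['SSL_CLIENT_S_DN'] ?? null];
    }
    // GENEROUS or FAILED:reason: chain not validated, so the DN is only a claim.
    // Only an exact fingerprint match with a stored certificate is usable.
    return ['decision' => $uid === null ? 'reject' : 'pinned_unverified', 'uid' => $uid];
}

// Constructed sample data: the bytes below are NOT a real certificate.
$pem = "-----BEGIN CERTIFICATE-----\n"
     . chunk_split(base64_encode('constructed sample bytes, not a certificate'), 64, "\n")
     . "-----END CERTIFICATE-----\n";
$known = [pem_fingerprint($pem) => 42];   // fingerprint => hypothetical user id

$cases = [
    'CA-verified, stored' => ['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_CERT' => $pem,
                              'SSL_CLIENT_S_DN' => 'CN=Sample User'],
    'self-signed, stored' => ['SSL_CLIENT_VERIFY' => 'GENEROUS', 'SSL_CLIENT_CERT' => $pem],
    'no certificate sent' => ['SSL_CLIENT_VERIFY' => 'NONE'],
    'DN but no verify'    => ['SSL_CLIENT_S_DN' => 'CN=admin'],
];
foreach ($cases as $label => $server) {
    printf("%-22s %s\n", $label, evaluate_client_cert($server, $known)['decision']);
}
```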
Planned features
- S/MIME E-Mail encryption.
Dependencies
CAcert
This module was developed to offer users of the CAcert website (http://cacert.eu/) a possibility to log in with their CAcert client certificates. This certification authority (CA) is driven by a community and its "Web of Trust" (WOT). Some people know CAcert for server certificates, but the client certificates can be used for an ID check. There are some additional services planned in the CAcert Community which we also want to integrate into this module.
Concept, development and maintenance
The module is developed and maintained by Carsten Logemann (Company: paratio.com e.K.).
Carsten Logemann is part of the CAcert community and works voluntarily on this module and the website cacert.eu.
Project information
- Project categories: Automation, Security, Access control
- Created by c-logemann on , updated
This project is not covered by the security advisory policy.
Use at your own risk! It may have publicly disclosed vulnerabilities.
