Client Authentication

Doug Hardie bc979 at
Sun Mar 24 08:16:37 UTC 2013

On 24 March 2013, at 01:03, CeDeROM <cederom at> wrote:

> Why don't you just use PKI for authentication (you can generate your
> own certificates)? You can easily upload keys/certificates to client
> machines (PC, Android, Apple, ...). That should work :-)

That's exactly what I have been testing. It's easy in concept, but there are issues in the details. Once the certificate is loaded in a Mac and the password entered, it's available for anyone to use thereafter. You actually have to remove the certificate from the keychain to disable it. Not a great approach for shared computers. Most users will not know how to remove it properly. I don't know about PCs yet though. In addition there are possible issues with mail clients. I have not tried them yet. It all depends if they can handle p12 format certificates. PEM format certificates must have the private key in plain format, which renders them completely insecure.

Then there still is the issue about Safari (at least) not handling the no certificate case properly.

-- Doug

More information about the freebsd-questions mailing list