certificate for website login


Consider two-factor authentication instead

I’d recommend a two-factor authentication (2FA) system such as those from DuoSecurity, RSA, AlterEgo, Wikid Systems, and Signify instead of a client-side SSL certificate, because it requires little or no technical setup or education for your site’s visitors. It is also stronger than relying on an SSL client certificate alone: a client certificate is a single factor (possession of the private key), whereas 2FA by definition combines two independent factors.

Instead of having to download and install a certificate, visitors can authenticate themselves by receiving a phone call or text message, visiting a web page, or opening an app that generates a one-time code.

Client-side SSL certificates

If you’ve seen what the above companies have to offer and still wish to use client-side SSL certificates, CAcert.org offers this example of how it uses mod_ssl under Apache with PHP to authenticate visitors by client certificate. The division of labour is: Apache verifies the presented certificate against a trusted CA and exports its fields as environment variables, and the PHP script maps the email address in the certificate’s Subject to a user account.

Apache config

# The VirtualHost wrapper and its *:443 address are assumed; the page's fragment shows only the directives inside it.
<VirtualHost *:443>
    ServerName secure.cacert.org
    DocumentRoot /www

    SSLEngine on
    # Every client must present a certificate; the TLS handshake fails otherwise.
    SSLVerifyClient require
    # Accept a client certificate chain with at most one intermediate CA below the trusted root.
    SSLVerifyDepth 2
    # The CA whose client certificates are trusted (here CAcert's own root).
    SSLCACertificateFile /etc/ssl/cacert.crt
    # The server's own certificate and private key.
    SSLCertificateFile /etc/ssl/certs/cacert.crt
    SSLCertificateKeyFile /etc/ssl/private/cacert.pem
    # Export SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN_Email and friends to PHP/CGI.
    SSLOptions +StdEnvVars
</VirtualHost>

PHP login check

<?php
session_start();
if ($_SERVER['HTTP_HOST'] == "secure.cacert.org" && $_SERVER['SSL_CLIENT_VERIFY'] == "SUCCESS") {
    // Email from the client certificate's Subject DN, escaped before it goes into SQL
    $email = mysql_real_escape_string($_SERVER['SSL_CLIENT_S_DN_Email']);
    $res = mysql_query("select * from `users` where `email`='$email'");
    if (mysql_num_rows($res) > 0) {
        $_SESSION['profile']['loggedin'] = 1;
        header("Location: https://secure.cacert.org/account.php");
        exit;
    }
}

Two things the original snippet left out: the certificate field is interpolated straight into SQL, so it must be escaped (or, better, bound as a parameter), and the script must `exit` after the redirect header or the rest of the page is still executed. The `mysql_*` functions shown here are the ones the original used; they were removed in PHP 7, so a current deployment would use PDO or mysqli with a prepared statement.
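The same lookup in hardened form, as an added example that is not CAcert’s code: a Python function standing in for the PHP handler, fed the same variables mod_ssl exports (Apache passes them to CGI and WSGI scripts as well as to PHP when `SSLOptions +StdEnvVars` is set). The `users` table and the sample environments are constructed for the example; the variable names `HTTP_HOST`, `SSL_CLIENT_VERIFY` and `SSL_CLIENT_S_DN_Email` are the ones mod_ssl documents.

```python
import sqlite3

# The only virtual host that demands client certificates (from the Apache config above).
EXPECTED_HOST = "secure.cacert.org"


def make_db():
    """Constructed sample `users` table standing in for the real one."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL)")
    db.executemany("INSERT INTO users (email) VALUES (?)",
                   [("alice@example.org",), ("bob@example.org",)])
    db.commit()
    return db


def user_from_client_cert(environ, db):
    """Map a verified client certificate to a user id, or return None.

    `environ` is the CGI/WSGI environment mod_ssl populates when
    `SSLOptions +StdEnvVars` is set: HTTP_HOST, SSL_CLIENT_VERIFY and the
    Subject DN components such as SSL_CLIENT_S_DN_Email.
    """
    # 1. Only the vhost that requires certificates may log people in this way.
    if environ.get("HTTP_HOST") != EXPECTED_HOST:
        return None
    # 2. `SSLVerifyClient require` already rejects unverified clients at the
    #    handshake, but checking the result here means a vhost that is later
    #    relaxed to `optional` cannot silently become an anonymous login.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    # 3. The email comes from the certificate Subject, so it is only as
    #    trustworthy as the CA in SSLCACertificateFile. Refuse an empty one.
    email = environ.get("SSL_CLIENT_S_DN_Email", "").strip()
    if not email:
        return None
    # 4. Parameterised query. A CA-signed certificate does not guarantee the
    #    Subject contains no quote characters, so interpolating it into SQL as
    #    the original snippet does would turn the DN into an injection vector.
    row = db.execute("SELECT id FROM users WHERE email = ?", (email,)).fetchone()
    return row[0] if row else None


# Constructed environments, mimicking what mod_ssl exports.
GOOD_ENV = {
    "HTTP_HOST": "secure.cacert.org",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN_Email": "alice@example.org",
}
# Against the original string-built query this Subject would match every row.
INJECTION_ENV = {**GOOD_ENV, "SSL_CLIENT_S_DN_Email": "x' OR '1'='1"}
UNVERIFIED_ENV = {**GOOD_ENV, "SSL_CLIENT_VERIFY": "NONE"}

if __name__ == "__main__":
    db = make_db()
    for name, env in (("good", GOOD_ENV), ("injection", INJECTION_ENV),
                      ("unverified", UNVERIFIED_ENV)):
        print(name, "->", user_from_client_cert(env, db))
```

The trust boundary is the CA file: anything that CA will sign ends up in `SSL_CLIENT_S_DN_Email`, so the handler treats the field as untrusted input for SQL purposes even though the certificate itself has been verified.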
