Check MIT Certificates on a private web server

  • I have a web server. How can I authenticate clients based on certificates?
  • I want to know when someone has an MIT web certificate.
Advisory
While certificate-based authentication is still used on some older servers at MIT, Touchstone-based authentication is more widely supported on more modern servers. If you're not sure which is right for you, please contact the IS&T Service Desk.

Answer

This is an advanced topic that is outside of what the IS&T Help Desk can support. The basic idea of the answer is that you need two things:

  • Your web server needs a server certificate, which allows it to serve HTTPS-encrypted web pages. You have several options for obtaining one:
    • You may create a self-signed certificate; clients visiting your site will see a prominent warning when they first connect over SSL, so this is not suitable for production use, but it is helpful for testing configurations.
    • You may request a certificate via MIT's InCommon site license. This gives you a certificate that is trusted by most default configurations.
    • You may request a certificate from MIT's own certificate authority; since 2012 this is deprecated, but it remains available for some very limited cases.
  • Your web server needs a copy of the "Client CA v1" CA certificate (which carries its public key), which the server uses to verify whether visitors present proper MIT certificates.

Server certificate

Your server certificate does not need to be MIT-signed, but using an MIT-signed one is a good idea for MIT sites.

If your server is in the mit.edu domain, you can get an official MIT-signed server certificate by generating a Certificate Signing Request (CSR), and emailing the CSR to mitcert@mit.edu.

Verify whether visitors have MIT certificates

To verify MIT certificates, your server needs to check whether the visitor's certificate was issued by the "Client CA v1". You will need the public key of this CA:

Client CA v1: https://web.mit.edu/apache-ssl/certificates/mitCAclient.pem

For the Apache web server, you will need to use this file in conjunction with the SSLVerifyClient require, SSLVerifyDepth, and SSLCACertificateFile Apache directives.
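As an added example (not part of the IS&T page), the following shell script reproduces the trust decision those directives make, using the openssl CLI: a throwaway CA constructed in the script stands in for Client CA v1 (nothing is downloaded from MIT), one client certificate is issued by it and another by an unrelated CA, and the second is shown being rejected.

```shell
#!/bin/sh
# Added example, not from the IS&T page: reproduce the trust check that Apache
# performs with SSLCACertificateFile + SSLVerifyClient require, using the
# openssl CLI.  A throwaway CA constructed here stands in for "Client CA v1";
# nothing is downloaded from MIT.  Requires the openssl command.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Create a self-signed CA certificate plus key.  $1 = file prefix, $2 = CN.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# Issue a client certificate signed by a CA.  $1 = CA prefix, $2 = client
# prefix, $3 = client CN.
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.pem" >/dev/null 2>&1
}

# The check itself: does the presented certificate chain to the trusted CA
# file within the allowed depth (the openssl analogue of SSLVerifyDepth)?
# $1 = CA file (what SSLCACertificateFile would point at), $2 = client cert,
# $3 = depth.  Prints "ok" or "rejected" and returns 0 or 1 accordingly.
check_client() {
  if openssl verify -CAfile "$1" -verify_depth "$3" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo rejected
    return 1
  fi
}

make_ca mitCAclient "Constructed stand-in for Client CA v1"
make_ca otherCA "Unrelated constructed CA"
issue_client mitCAclient alice "alice-constructed"
issue_client otherCA mallory "mallory-constructed"

check_client mitCAclient.pem alice.pem 1            # ok: issued by the trusted CA
check_client mitCAclient.pem mallory.pem 1 || true  # rejected: different issuer
```

Apache applies the same logic on every TLS handshake: with `SSLVerifyClient require`, a certificate that does not chain to the file named in `SSLCACertificateFile` within `SSLVerifyDepth` is refused before any page is served.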

Touchstone

Installing and Configuring Shibboleth 2.x on Mac OS X 10.6.x Server

Last Modified: April 01, 2020
