
I am the owner of a website on an intranet and I want to reject users with an invalid certificate (for instance, if a user X does not have the dedicated certificate installed on his machine, he will not be allowed to access my website).


Is there a way to detect (with JavaScript) if the certificate is invalid on the client side?

Mehdi Souregi
  • Maybe make an AJAX request? – Jonas Wilms Apr 05 '18 at 14:56
  • Yes, but how can I know if the certificate is invalid before making an AJAX request? – Mehdi Souregi Apr 05 '18 at 14:57
  • There is no real way to do it. I am sure if you search Stack Overflow you will find common questions with answers with iframes, xmlhttp calls, websockets, images, etc. – epascarello Apr 05 '18 at 14:57
  • Possible duplicate of [Check in Javascript if a SSL Certificate is valid](https://stackoverflow.com/questions/2618944/check-in-javascript-if-a-ssl-certificate-is-valid) – Pete Apr 05 '18 at 15:05
  • What you are talking about is simple mutual TLS authentication. Client authenticates on server with his client certificate. If server accepts it, then client is legitimate. – Crypt32 Apr 05 '18 at 15:10

1 Answer

What you are trying to do is fundamentally incorrect. The certificate is requested from the client to the server and the server sends its public key. A session key is then created on the client side to set up the asymmetric encryption.

The certificate on the web server must be signed by a trusted CA (this can be added to the client side as well). Basically, the client has no control over which certificate it uses; the server will determine that.

fencepencil
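
The mutual TLS approach named in the comments is enforced by the server during the TLS handshake, not by script in the page. The following is an added example, not code from this thread: a Node.js HTTPS server that requests a client certificate and answers 403 when none is presented or it does not chain to the intranet CA. The PEM file paths, the port and the CN allow-list are assumptions.

```javascript
// Added example: server-side enforcement of client certificates (mutual TLS).
// PEM file paths, the port and the CN allow-list are assumptions.

function tlsOptions(pem) {
  return {
    key: pem.serverKey,
    cert: pem.serverCert,
    ca: [pem.clientCa],        // CA that issued the dedicated client certificates
    requestCert: true,         // ask every client for a certificate
    rejectUnauthorized: false, // keep the connection open so we can answer 403
  };
}

// Decide from the TLS socket whether the request may proceed.
function checkClient(socket, allowedCNs) {
  if (!socket.authorized) {
    // Missing certificate, or one that does not chain to `ca`.
    return { ok: false, status: 403, reason: socket.authorizationError || 'NO_CLIENT_CERT' };
  }
  const cert = socket.getPeerCertificate();
  const cn = cert && cert.subject ? cert.subject.CN : undefined;
  if (!allowedCNs.includes(cn)) {
    return { ok: false, status: 403, reason: 'CN_NOT_ALLOWED' };
  }
  return { ok: true, status: 200, cn };
}

function handler(allowedCNs) {
  return (req, res) => {
    const verdict = checkClient(req.socket, allowedCNs);
    if (!verdict.ok) console.warn('client rejected:', verdict.reason); // log, do not echo
    res.writeHead(verdict.status, { 'Content-Type': 'text/plain' });
    res.end(verdict.ok ? `hello ${verdict.cn}\n` : 'valid client certificate required\n');
  };
}

// Not called here: starts the server once real PEM files exist.
async function start(paths, allowedCNs, port = 8443) {
  const fs = await import('node:fs');
  const https = await import('node:https');
  const pem = {
    serverKey: fs.readFileSync(paths.serverKey),
    serverCert: fs.readFileSync(paths.serverCert),
    clientCa: fs.readFileSync(paths.clientCa),
  };
  return https.createServer(tlsOptions(pem), handler(allowedCNs)).listen(port);
}
```

With `rejectUnauthorized: true` instead, Node aborts the TLS handshake for clients without a valid certificate, so no HTTP response is sent at all.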