This is my first post here in the area of security and encryption. I will try to be succinct, and let you know that I am not an expert in security.
Context: My client (visitor) has an X.509 certificate installed on his machine, containing his public and private keys. This certificate attests to who he is as a person.
Problem: I recently found that I can use mTLS to authenticate this client to my platform and be assured that he has accessed it. However, I have some questions about this process:
- Can I use this certificate to sign an arbitrary string? I saw, for example, the use of "session tickets", but I don't know if I could sign this way.
- How can I retrieve the session data to save to the database that this specific user actually accessed and authenticated to the platform at this specific moment? It would be more or less to create a signed snapshot of the request made, and guarantee for posterity that the holder of such a certificate actually initiated that request.
Thank you very much
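The signing and verification both questions ask about, as an added example that is not part of the original post: a Go program that signs a canonical snapshot of one request (method, path, body hash, timestamp, server-issued nonce) with the private key behind a client certificate, and later verifies that signature against the certificate's public key. The self-signed certificate, the request fields and the nonce are constructed so the program runs offline; the `Snapshot` layout, its field names and the choice of ECDSA P-256 are assumptions made here, not anything stated in the post.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Snapshot is the canonical record of one authenticated request. The struct fixes
// the JSON field order, so the signed bytes can be rebuilt from the stored fields.
type Snapshot struct {
	Method   string `json:"method"`
	Path     string `json:"path"`
	BodyHash string `json:"body_sha256"` // hex SHA-256 of the request body
	Time     string `json:"time"`        // RFC 3339 timestamp, UTC
	Nonce    string `json:"nonce"`       // issued by the server per request, defeats replay
}

// Canonical returns the exact bytes that are signed and later verified.
func (s Snapshot) Canonical() []byte {
	b, _ := json.Marshal(s) // cannot fail for a struct of plain strings
	return b
}

// SignSnapshot signs the canonical snapshot with the private key that belongs to
// the client certificate (ECDSA P-256 over SHA-256). This step runs on the client:
// in mTLS the private key never reaches the server.
func SignSnapshot(key *ecdsa.PrivateKey, s Snapshot) ([]byte, error) {
	digest := sha256.Sum256(s.Canonical())
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifySnapshot checks a stored signature against the certificate presented in the
// mTLS handshake. nil means the holder of that certificate's key signed these bytes.
func VerifySnapshot(cert *x509.Certificate, s Snapshot, sig []byte) error {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an ECDSA public key")
	}
	digest := sha256.Sum256(s.Canonical())
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match snapshot or certificate")
	}
	return nil
}

// NewTestClientCert builds a throwaway self-signed client certificate so the example
// runs offline. It stands in for the certificate on the visitor's machine (constructed).
func NewTestClientCert(cn string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

func main() {
	key, cert, err := NewTestClientCert("example visitor")
	if err != nil {
		panic(err)
	}
	// Constructed sample request: the server issues the nonce, the client fills
	// in the rest and signs before (or alongside) sending the request.
	snap := Snapshot{Method: "POST", Path: "/api/orders", Nonce: "nonce-1",
		BodyHash: fmt.Sprintf("%x", sha256.Sum256([]byte(`{"item":"widget","qty":2}`))),
		Time:     "2024-01-02T03:04:05Z"}
	sig, err := SignSnapshot(key, snap)
	if err != nil {
		panic(err)
	}
	// The server stores snap, sig and cert.Raw; the check can be rerun at any later time.
	fmt.Println("original:", VerifySnapshot(cert, snap, sig)) // <nil>
	snap.Path = "/api/admin" // any edit to the stored snapshot breaks the signature
	fmt.Println("tampered:", VerifySnapshot(cert, snap, sig)) // error
}
```

What the server would persist is the snapshot fields, the DER signature and the DER client certificate (`cert.Raw`), so the same check can be repeated without the original TLS session. Two points follow from the mechanism rather than from the post: the signature has to be produced on the client, because an mTLS handshake proves possession of the private key but never transmits it, and the server-issued nonce is what stops a captured signed snapshot from being replayed as a fresh request.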