5

I was wondering if there currently exists a Content Management System that supports PKI and client certificates for website authentication instead of username/passwords. If not, what's a good place to start on developing a site that uses this authentication scheme? Is it possible with Python and Django?

Python Novice
  • 531
  • 1
  • 6
  • 11
  • There might be. What has your research shown? – Ramhound Apr 11 '14 at 04:52
  • From my experience, the only sites I've come across that used client certificates for authentication were the websites of Certificate Authorities. I'm guessing the average user will face a usability problem with a client cert. It's drastically different from what they are used to: usernames and passwords. Plus, client certs can be stolen from the browser via attacks like XSS. – Python Novice Apr 11 '14 at 05:01
  • Content Management Systems are used in places other than the public Internet. PKI authentication is used on corporate networks; in some the only thing a username/password will get you is a domain login to your workstation, everything else (including SSH access to administer cloud resources) requires the employee's client cert. MUCH more convenient than having dozens of passwords for dozens of enterprise applications. – Dave Apr 12 '16 at 15:15

1 Answer

5

A simple Google search on "django client certificate" reveals this, and this, and this, which all answer your question: yes, Django can work with certificate-based client authentication.

People don't do that often in practice, because client certificates work only if you can arrange for clients to have certificates, basically meaning that you must manage your own PKI. Software for running your own PKI is available (e.g. EJBCA), but PKI management requires strict adherence to clearly defined procedures, which will take you time; the long-term cost of a custom PKI is very often underestimated (that is, if you want to do it properly).

Client certificates will also inconvenience users, because they won't easily (or at all) transfer their certificates to their tablet or smartphone or even alternate laptop, the way they do with passwords. None of this is really blocking, but it explains the rarity of client certificate deployment.

Tom Leek
  • 168,808
  • 28
  • 337
  • 475
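As an added example that is not part of the original answer: the usual Django setup has a reverse proxy terminate TLS, verify the client certificate against your own CA, and pass the result to the application in headers; this Django-independent helper shows how the application side should consume those headers. The header names, the nginx variables feeding them (`$ssl_client_verify`, `$ssl_client_s_dn`) and the idea of wiring `username_from_environ` into a subclass of Django's `RemoteUserMiddleware` are assumptions, not something the thread specifies.

```python
"""Map a proxy-verified client certificate to a Django username (added example, not
code from the thread). Pure Python so it runs stand-alone; in Django the function
below would feed a RemoteUserMiddleware subclass, where request.META is the environ."""
import re
# Assumed header names, set by the TLS-terminating proxy (nginx: $ssl_client_verify,
# $ssl_client_s_dn in RFC 2253 form). The proxy must overwrite them on every request
# and never forward a client-supplied copy, or a client could assert any identity.
VERIFY_HEADER = "HTTP_X_SSL_CLIENT_VERIFY"
DN_HEADER = "HTTP_X_SSL_CLIENT_S_DN"
_HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")

def parse_dn(dn):
    """Parse an RFC 4514 DN ("CN=alice,O=Example") into (attr, value) pairs, decoding
    backslash escapes in both the single-character and the two-hex-digit form."""
    pairs, attr, buf, i = [], None, [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):          # escaped character
            if _HEX_PAIR.match(dn[i + 1:i + 3]):
                buf.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if c == "=" and attr is None:               # end of the attribute type
            attr, buf = "".join(buf).strip().upper(), []
        elif c == ",":                              # end of this RDN
            if attr is None:
                raise ValueError("RDN without attribute type: %r" % dn)
            pairs.append((attr, "".join(buf)))
            attr, buf = None, []
        else:
            buf.append(c)
        i += 1
    if attr is None:
        raise ValueError("RDN without attribute type: %r" % dn)
    pairs.append((attr, "".join(buf)))
    return pairs

def username_from_environ(environ):
    """Return the subject CN only if the proxy reports a successful verification and
    the subject has exactly one non-empty CN; anything else is refused (None)."""
    if environ.get(VERIFY_HEADER) != "SUCCESS":     # nginx: "NONE" or "FAILED:<why>"
        return None
    try:
        cns = [v for a, v in parse_dn(environ.get(DN_HEADER, "")) if a == "CN"]
    except ValueError:                              # malformed DN: deny, don't guess
        return None
    return cns[0] if len(cns) == 1 and cns[0] else None
```

The point a defender should take from this is that the application trusts the proxy, not the certificate: if the header can reach Django without the proxy having set it, the whole scheme degrades to "type your own username".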