I've read a lot of documentation but I don't find the concrete way to resolve my question; surely it's because there must be some concepts I don't have clear, so I need someone who could put me on the right track.
I need to develop a PHP application that provides authentication, but not in the usual way (username + password). It should ask for a digital certificate that the user must have installed in his browser. The particular thing is that the certificate must be valid for an existing Certificate Authority (CA), that is, I don't want to create my own self-signed root certificate and then give the user his valid certificate for my root certificate; the user already has his own digital certificate (standard for a well-known CA in Spain: the FNMT) and that certificate will be the right one to authenticate in my PHP application.
So, the process will start when the user connects to my application: the browser will ask him for a digital certificate (from the several installed in the browser), he will accept and will send his certificate to my application, which will check if the user certificate is valid for the mentioned CA, and then allow the access.
I'm not sure if I've explained myself well, but I've searched documentation and made some tests, and I'm not clear about it:
- Must I install the CA root certificate in my Apache, or is it enough to validate the user certificate with the .pem file (from the CA) using openssl?
- Must I create a virtual server for my application so the connection is made through https://, or can my application ask the user for his certificate without the need for https://?
The experts will see that I'm not clear on some key concepts, but in short all I need is that my application asks the user for his certificate, and then checks that the certificate is correct for the CA.
Thanks and I wish somebody could help me!
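An added example, not part of the question or of any answer on this page, showing the shape of the setup the question describes: Apache mod_ssl requests the browser certificate during the TLS handshake (so it only works on an https:// virtual host) and validates the chain against the CA's .pem file, and the PHP page then reads the verification result from `$_SERVER`. The file paths, the `ca-chain.pem` name and the exact directive values are assumptions for illustration, not anything the asker's environment is known to use.

```php
<?php
// Added example (not from the original post). Assumes an Apache virtual host
// roughly like the following (paths are placeholders):
//
//   <VirtualHost *:443>
//       SSLEngine on
//       SSLCertificateFile    /etc/ssl/certs/server.pem       # assumed path
//       SSLCertificateKeyFile /etc/ssl/private/server.key     # assumed path
//       SSLCACertificateFile  /etc/ssl/certs/ca-chain.pem     # assumed path: the CA's .pem (root + intermediates)
//       SSLVerifyClient       require
//       SSLVerifyDepth        3
//       SSLOptions            +StdEnvVars +ExportCertData
//   </VirtualHost>
//
// The browser presents a certificate only inside the TLS handshake, so the
// request for it cannot be made over plain http://. mod_ssl does the chain
// validation and exposes the outcome through the SSL_CLIENT_* variables.

function clientCertificateSubject(array $server): ?array
{
    // mod_ssl sets SSL_CLIENT_VERIFY to "SUCCESS" only when the presented
    // certificate chained to SSLCACertificateFile. "NONE", "GENEROUS" and
    // "FAILED:<reason>" all mean the user is not authenticated.
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        return null;
    }
    return [
        'dn'     => $server['SSL_CLIENT_S_DN'] ?? '',
        'cn'     => $server['SSL_CLIENT_S_DN_CN'] ?? '',
        'issuer' => $server['SSL_CLIENT_I_DN'] ?? '',
        'serial' => $server['SSL_CLIENT_M_SERIAL'] ?? '',
    ];
}

// Optional second check done by PHP itself with the openssl extension, using
// the same CA .pem file. It re-verifies the PEM that mod_ssl exported with
// +ExportCertData, which is useful if you also want the application to pin
// the CA independently of the web server configuration.
function certificateChainsToCa(string $clientPem, string $caFile): bool
{
    $cert = openssl_x509_read($clientPem);
    if ($cert === false) {
        return false;
    }
    // X509_PURPOSE_SSL_CLIENT verifies the chain against $caFile and that the
    // certificate is usable for client authentication. Returns true, false or -1.
    return openssl_x509_checkpurpose($cert, X509_PURPOSE_SSL_CLIENT, [$caFile]) === true;
}

$caFile = '/etc/ssl/certs/ca-chain.pem'; // assumed path, same file as SSLCACertificateFile

$subject = clientCertificateSubject($_SERVER);
if ($subject === null) {
    http_response_code(403);
    exit('A certificate issued by the configured CA is required.');
}

if (isset($_SERVER['SSL_CLIENT_CERT'])
    && !certificateChainsToCa($_SERVER['SSL_CLIENT_CERT'], $caFile)) {
    http_response_code(403);
    exit('Certificate does not chain to the configured CA.');
}

// From here on, the subject DN (or the serial plus issuer) identifies the user.
echo 'Authenticated as ' . htmlspecialchars($subject['cn'])
   . ' (issuer: ' . htmlspecialchars($subject['issuer']) . ')';
```

Two points a practitioner would check in this setup: the `SSL_CLIENT_*` variables are only populated when `+StdEnvVars` (and `+ExportCertData` for the PEM) is enabled for that host, and a successful chain check says nothing about revocation, which mod_ssl handles separately through `SSLCARevocationFile` / `SSLCARevocationPath`.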