Using Web Resources with PKI Authentication

Introduction

This page explains what you need to have and do to use personal PKI certificates to gain access to PKI-controlled web sites. Personal certificates are an alternative way for a system to authenticate users. A PKI solution has the advantages of being directly supported by some web browsers and servers, and it does not transmit passwords over the network to a server. To use these functions you need a PKI-enabled web browser installed on your desktop computer. You also need a key pair and a certificate containing the corresponding public key for yourself. The necessary certificates can be stored on your local machine's hard disk or on removable hardware such as a smart card or a USB token. Web systems requiring PKI access control need to be programmed to use the authentication information delivered through SSL.

Many web-based publishers are interested in providing alternatives to account/password or Internet Protocol (IP) address based access control to their systems. Public-key-based web site authentication/authorization is a replacement for Dartmouth's Kerberos/Sidecar system. Users are able to access a web resource from any address on the Internet. Web proxy servers and additional software are not needed. Instead you obtain a personal certificate and provide a password for the browser's certificate store when prompted. Obtaining a certificate is handled by visiting the enrollment web site and filling out the form, authenticating one time using your DND account and password.
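As an added illustration of the server side described above (code written for this page, not the PKI Lab's own software), the following Python sketch requires a client certificate at the SSL handshake and then maps the verified certificate to a user identity. The issuer name TRUSTED_ISSUER_CN and the sample certificate dictionary are assumptions constructed for the example.

```python
import ssl
from http.server import BaseHTTPRequestHandler

TRUSTED_ISSUER_CN = "Dartmouth College CA"  # assumed name; the page gives no real issuer DN


def build_server_context(cert_chain, key_file, ca_file):
    """Demand a client certificate in the handshake; ca_file names its issuing CA(s)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    ctx.load_cert_chain(cert_chain, key_file)
    # The handshake now fails unless the client proves possession of the private
    # key for a certificate chaining to ca_file, so no password crosses the wire.
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def rdn_value(name, attribute):
    """Look up one attribute in the nested-tuple DN shape that getpeercert() returns."""
    for rdn in name:
        for key, value in rdn:
            if key == attribute:
                return value
    return None


def identity_from_peercert(cert):
    """Map a verified client certificate to a user identity, or None if unusable."""
    if not cert:  # None or {}: the peer presented no certificate
        return None
    # The TLS layer already validated the chain; this issuer check keeps certificates
    # from any other CA that happens to be in ca_file from being accepted here.
    if rdn_value(cert.get("issuer", ()), "commonName") != TRUSTED_ISSUER_CN:
        return None
    subject = cert.get("subject", ())
    return rdn_value(subject, "emailAddress") or rdn_value(subject, "commonName")


class PKIHandler(BaseHTTPRequestHandler):
    """Serves the resource only on a connection carrying an acceptable personal cert."""
    def do_GET(self):
        user = identity_from_peercert(self.connection.getpeercert())
        if user is None:
            self.send_error(403, "acceptable client certificate required")
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(f"Authenticated as {user}\n".encode())


# Constructed sample in getpeercert() shape for offline checking; not a real certificate.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "Jane Doe"),), (("emailAddress", "jane.doe@example.edu"),)),
    "issuer": ((("organizationName", "Dartmouth College"),), (("commonName", TRUSTED_ISSUER_CN),)),
}
```

To serve over https, wrap an HTTPServer's listening socket with `build_server_context(...).wrap_socket(httpd.socket, server_side=True)` before calling `serve_forever()`.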

Required Reading

To learn the basics of PKI authentication, read the following pages: PKI Background and Using PKI. For additional details see: More on Using Web Authentication.

Try It

1. Choose a web browser that supports client side certificates on your computer and operating system. Unfortunately Internet Explorer for the Macintosh does NOT support client certificates. For more information see: DND Enrollment.

2. Since your certificate is stored on the hard disk of the computer from which you obtain your certificate, you will need to use your certificate from this same computer. If you need to move your certificate to another computer, see the Using PKI document. If you must use more than one computer and you can't move your certificate, you can obtain a second one. (Remember, though, that when you later start to use certificates for signing and encryption you will need to keep track of which certificate was used.) It will be simpler in the long run to try to move your certificate instead of re-enrolling. For instructions on moving keys see: Moving Keys and Certificates.

3. Choose a password for your browser's certificate database or key store. The "Using PKI" web page provides some useful suggestions on passwords. Note that if you forget your password, you will have to obtain a new key pair and may not be able to decrypt messages to yourself that have been encrypted using your public key(s) and left in encrypted form in storage.

If you have set a password and have forgotten what it is, see: Reset Passwords.

4. Obtain a Dartmouth College signed certificate. Go to DND Enrollment. Choose your Browser and OS from the list and follow the instructions. Fill in your DND name and password and accept the form's defaults.

5. To test access to a controlled web site with your certificate, visit the Test Your Certificates page.

6. To access a controlled web resource with your certificate, follow the same procedure after navigating to the site's client side SSL access URL. (The URL will begin with https instead of http.)


Dartmouth College PKI Lab
Last update: 7 January 2004