SSL – Client Certificate Authentication: don’t display browser popup when no client certificate is present

Tags: authentication, ssl, ssl-certificate

We have a web app that uses client certificates for authentication, and this causes problems for users that have client certificates, but not ones for our app.

Indeed, they have a popup showing up asking to provide a certificate when the SSL connection is initiated, but they don't have a certificate for our app (they have some client certificates for another app), so they have to close the popup and log in with user and pass.

Is it possible to send to the user the CN that we need at SSL negotiation, so that the browser does not show the popup if the user does not have a proper certificate?

I found out about SNI, which is kind of the same thing in reverse, for the server to choose which certificate to present to a client, but there does not seem to be anything for the opposite.

Any idea?

Best Answer

The server can only request a client certificate or not and additionally provide a restriction on which CAs are accepted as the issuer of the client certificate. What a client does with the information is fully up to the client, i.e. the server has no control over it.

There is no way for the server to only optionally request a certificate. The server can ignore it if it got no certificate, but the client does not know if the certificate is essential or not; it only sees that a certificate was requested. This means that the client will ask for the certificate because the server asked the client to provide one.
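What the answer describes is visible in the wire format. In TLS 1.2 the server's request is the CertificateRequest handshake message (RFC 5246 §7.4.4), which carries exactly three fields: the accepted certificate types, the accepted signature algorithms, and the list of acceptable issuer DistinguishedNames. The following parser is an added example, not code from the question or the answer; the sample message it decodes is constructed inline and the CA names in it ("Example App CA", "Other Org") are made up. Decoding it shows that the issuer restriction is the only steering the server gets, and that there is no field a server could set to mark the request as optional.

```python
"""Parse a TLS 1.2 CertificateRequest handshake message (RFC 5246 section 7.4.4).

Added example, not from the original post. The sample message below is
constructed here; its CA names are invented.
"""
import struct

# Enough X.500 attribute OIDs for the sample DNs; unknown OIDs are printed dotted.
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}
CLIENT_CERT_TYPES = {1: "rsa_sign", 2: "dss_sign", 64: "ecdsa_sign"}
HASH_NAMES = {2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {1: "rsa", 2: "dsa", 3: "ecdsa"}


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; short-form length only (all bodies here are < 128 bytes)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def der_read_tlv(buf: bytes, pos: int):
    """Decode the DER TLV at pos -> (tag, body, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    """Dotted OID from DER content bytes (first byte packs the first two arcs)."""
    parts, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                     # base-128, high bit set on continuation bytes
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def decode_dn(der: bytes) -> str:
    """Render a DER Name (SEQUENCE of SET of AttributeTypeAndValue) in encoding order."""
    tag, rdn_seq, _ = der_read_tlv(der, 0)
    assert tag == 0x30
    parts, pos = [], 0
    while pos < len(rdn_seq):
        tag, rdn_set, pos = der_read_tlv(rdn_seq, pos)
        assert tag == 0x31
        inner = 0
        while inner < len(rdn_set):
            _, atv, inner = der_read_tlv(rdn_set, inner)
            _, oid_body, p = der_read_tlv(atv, 0)
            _, val_body, _ = der_read_tlv(atv, p)
            oid = decode_oid(oid_body)
            parts.append(f"{OID_NAMES.get(oid, oid)}={val_body.decode('utf-8')}")
    return ",".join(parts)


def parse_certificate_request(msg: bytes) -> dict:
    """Split handshake message type 13 into its three (and only three) fields."""
    if msg[0] != 13:
        raise ValueError("not a CertificateRequest handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    n, pos = body[0], 1                                     # certificate_types<1..2^8-1>
    cert_types = [CLIENT_CERT_TYPES.get(t, t) for t in body[pos:pos + n]]
    pos += n
    n, pos = struct.unpack("!H", body[pos:pos + 2])[0], pos + 2  # supported_signature_algorithms
    sig_algs = [f"{HASH_NAMES.get(body[pos + i], body[pos + i])}/"
                f"{SIG_NAMES.get(body[pos + i + 1], body[pos + i + 1])}"
                for i in range(0, n, 2)]
    pos += n
    n, pos = struct.unpack("!H", body[pos:pos + 2])[0], pos + 2  # certificate_authorities
    end, cas = pos + n, []
    while pos < end:                                        # each entry: 2-byte length + DER Name
        dn_len, pos = struct.unpack("!H", body[pos:pos + 2])[0], pos + 2
        cas.append(decode_dn(body[pos:pos + dn_len]))
        pos += dn_len
    if pos != len(body):
        raise ValueError("trailing bytes after certificate_authorities")
    return {"certificate_types": cert_types,
            "signature_algorithms": sig_algs,
            "certificate_authorities": cas}


def build_dn(*attrs) -> bytes:
    """Encode [(oid_der_content, value), ...] as a DER Name, one attribute per RDN."""
    rdns = b"".join(der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x0C, v.encode())))
                    for oid, v in attrs)
    return der_tlv(0x30, rdns)


OID_CN, OID_O = bytes.fromhex("550403"), bytes.fromhex("55040a")

# Constructed sample: a server that accepts client certs issued by two (invented) CAs.
SAMPLE_CAS = [build_dn((OID_CN, "Example App CA")),
              build_dn((OID_O, "Other Org"), (OID_CN, "Other App CA"))]
_ca_field = b"".join(struct.pack("!H", len(dn)) + dn for dn in SAMPLE_CAS)
_body = (bytes([2, 1, 64])                               # rsa_sign, ecdsa_sign
         + struct.pack("!H", 4) + bytes([4, 1, 4, 3])    # sha256/rsa, sha256/ecdsa
         + struct.pack("!H", len(_ca_field)) + _ca_field)
SAMPLE_CERTIFICATE_REQUEST = bytes([13]) + len(_body).to_bytes(3, "big") + _body

if __name__ == "__main__":
    for field, value in parse_certificate_request(SAMPLE_CERTIFICATE_REQUEST).items():
        print(f"{field}: {value}")
```

The decoded `certificate_authorities` list is the closest thing to the CN-based filtering the question asks for: a browser that honours it will only offer certificates chained to one of those issuers, and some browsers skip the prompt when nothing matches. Whether that happens is the browser's decision, which is the answer's point; the message itself has no "optional" bit for the server to set.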