Reputation: 307
I am working on a login page using Spring Security. The page needs to provide an option for users to use their certificate instead of a username and password. However, I am stuck in the following scenario:
Say you have a certificate signed by XYZ company installed in your browser. Now the server (which trusts XYZ) wants to validate the certificate... but the questions are:
Q1. How can server 'request' browser to provide "the right certificate" (assuming you have more than one certificate installed in your browser)?
Q2. Is it possible to have a button on the login page for the user to send his certificate only when he clicks on the button?
Q3. Say the server received your certificate; can the server say "yes, you have proof of who you said you are" simply by looking into the certificate chain (signed by XYZ company)?
Thanks,
From a security newbie :)
Upvotes: 0
Views: 904
Reputation: 48279
This is possible. All you'd have to do would be to set up an SSL site with client certificates required. Browsers support this out of the box; most present an internal cert store, i.e. they show the user cert store from the OS. You should consult your server framework docs on how to turn on the client cert requirement on the SSL connection.
As for Q2, you could have two websites, your app and your auth provider. The app shows the button and this redirects to your auth provider, which requires the client certificate. Then, the auth provider uses any SSO protocol (OAuth2, SAML) to return the user identity to the application.
As for cert validation, you could either validate the chain or have a mapping between usernames and cert thumbprints at the server side.
Upvotes: 2
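To make the answer concrete for the Spring Security setup in the question, here is an added example (not code from the question or the answer) of a Spring Boot configuration that offers both a password form and certificate login on one site. It assumes Spring Boot with Spring Security 6 (`SecurityFilterChain` bean style); the key-store and trust-store file names and the user name `alice` are constructed placeholders.

```java
// application.properties (constructed values). The trust store contains only
// XYZ's CA, so the TLS CertificateRequest lists XYZ as an acceptable issuer and
// the browser offers just the matching certificate (Q1). "want" instead of
// "need" makes the certificate optional, so password users are not blocked (Q2).
//
//   server.ssl.key-store=classpath:server.p12
//   server.ssl.key-store-password=changeit
//   server.ssl.trust-store=classpath:xyz-ca-truststore.p12
//   server.ssl.trust-store-password=changeit
//   server.ssl.client-auth=want

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class CertLoginConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(a -> a
                .requestMatchers("/login", "/css/**").permitAll()
                .anyRequest().authenticated())
            // Username/password form for users who have no certificate.
            .formLogin(f -> f.loginPage("/login"))
            // X.509 login (Q3): the TLS layer has already validated the chain
            // against the trust store; here we only extract the subject CN and
            // check that it maps to a known application user.
            .x509(x -> x
                .subjectPrincipalRegex("CN=(.*?)(?:,|$)")
                .userDetailsService(certUsers()));
        return http.build();
    }

    @Bean
    UserDetailsService certUsers() {
        // Hypothetical mapping from certificate CN to an application account.
        // A chain that validates but whose CN is unknown is rejected here.
        return cn -> {
            if (!"alice".equals(cn)) throw new UsernameNotFoundException(cn);
            return User.withUsername(cn).password("").roles("USER").build();
        };
    }
}
```

To map on a certificate thumbprint instead of the CN, as the answer also suggests, replace `userDetailsService` with `authenticationUserDetailsService`, whose callback receives the full `X509Certificate` as the token's credentials.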