Reputation: 227
How to support user-supplied SSL certificates in web app
I’m building a web application where users can create their own websites. Users have the option to point their own domain names at these sites. A prototype for the application already exists; Apache accepts requests on all hostnames and the actual domain mapping and resolution happen at the application level (a simple database lookup grabs the site that matches the requested hostname).
Where I’m stuck is how users’ SSL certificates might fit into this equation. What steps would I need to take to allow a user to upload their SSL certificate such that the application could successfully handle secure HTTP requests to their hostname? Is this even something the application alone could handle?
Upvotes: 1
Views: 108
Answers (2)
Reputation: 3034
The typical user, and IMHO even more the user's who are going to create a web site of this system as opposed to setting up their own WordPress or other site on their own server (or their own paid shared server hosting account), will have absolutely no idea how to setup a proper SSL certificate, so getting it to your securely so that you can install it wouldn't even be an issue because they will never get that far.
However, you should be able to use Let's Encrypt to do exactly what you need. As part of the process of adding a domain, once the domain is pointing to your server (the users will have to figure out how to do that with their domain registrar), you can create a Let's Encrypt certificate and validate it. My favorite web hosting company (I won't name it as that is not relevant - anyone can do this with some effort) provides this capability as part of their Control Panel. They also provide paid certificates with a few of the big issuers, as they have for many years, but for most small sites Let's Encrypt works very well and is totally free. The setup literally takes only a minute. The key is that you have to give the user an IP address or CNAME first so that they can point the domain. Once the domain is resolving to your server, you can get the Let's Encrypt certificate.
Upvotes: 0
Reputation: 170
I think you cannot handle this in your application alone. It's a CA problem, except you are an intermediate CA company, or you cannot get the user's domain SSL certificate and sign for user's domain.
Upvotes: 1
Related Questions
- Client authentication using self signed ssl certificate for nginx
- Store certificate securely in a web application and docker env
- SSL certificate for client
- SSL for statically served web application
- Azure Web App calling on-prem service with Self-Signed SSL Cert
- Authenticate user via Client Signed SSL Certificate in ASP.NET application
- Using client certificates in place of passwords on a public web app
- Using a server-side certificate for client-side authentication
- Customized certificates
- SSL Certificate for Web Application