How does the Chrome browser know which client certificate to prompt for a site?

I'm setting up certificate authentication for my project using Tomcat. It works ok for command line clients such as cURL.

I have many client certificates installed in the Chrome browser. Some are used to connect to my site, others are used for different purposes and are not related to my project.

Every time I connect to my site, Chrome presents a list of client certificates to choose from. These are exactly the certificates that I installed and not others. My questions are:

1. How does Chrome know which client certificates are for a site, to present for choosing?
2. Tomcat stores those client certificates in its trust store. During the SSL handshake, Tomcat will request a client certificate. Does it request some specific certificates that it knows in its trust store, so that Chrome knows what to show?
google-chrome authentication ssl tomcat7 client-certificates

asked Nov 28 '16 at 15:14 by System

1 Answer

Client certificate authentication is handled in the handshake phase of the SSL/TLS protocol implemented by browsers.

1. If the server requires client certificate authentication (it is optional), it sends a message to the client with the list of accepted certificate authorities (CAs). This list can be empty if the server accepts any certificate.
2. The client selects the certificates installed in the client keystore which have been issued by any of these CAs, and presents the list to the user. In the case of Chrome, the browser selects the certificates installed by the user from the operating system's key store.
3. The user chooses a certificate, and the client performs a signature with the private key of the certificate over known data interchanged during the handshake.

Only certificates with a private key can be selected during step 2. This is the reason why the browser does not select the certificates of trusted CAs installed on your device: you do not own the private key.
answered Nov 30 '16 at 8:14 by pedrofb, edited Feb 16 '21 at 8:58 by Aaron Nagao
I think 1 & 2 answered my questions. I also investigated and that's true, so I accept this as the solution. Thanks. – System Dec 9 '16 at 7:59

Thanks. In my case, I have 2 client certificates. When I visit some sites, Chrome's dialog box allows me to choose either one. When I visit other sites, Chrome's dialog box only shows me one. I was wondering why the other was omitted. The CA list (#1/#2) explanation fits the behavior, so it must be true! :-) – dashrb Apr 4 '17 at 13:23

On step two, can you provide more details on what this "known data interchanged" during the handshake is? – Carlos Eduardo Ki Lee Dec 12 '19 at 17:56

@CarlosEduardoKiLee, see tools.ietf.org/html/rfc5246#section-7.4.8. The client digitally signs all previous handshake messages sent or received. – pedrofb Dec 12 '19 at 19:15
