Product Documentation

TLS ClientAuth with FIDO

NOTE: Ransomware attacks - where malware infiltrates computers and networks, encrypts files and holds the company hostage until a ransom is paid - have skyrocketed in recent years. StrongKey offers a comprehensive solution that not only deters ransomware, but can reduce other risks, increase employee productivity and reduce costs for businesses.

To learn more about how StrongKey's solution can protect your organization, please read the blog post by Arshad Noor (Founder/CTO at StrongKey):

https://www.linkedin.com/pulse/path-deterring-ransomware-attacks-arshad-noor-vqdjc

You can test the TLS ClientAuth + FIDO Demos at https://demo.strongkey.com


PREREQUISITES

  • Browser – Though this has been tested with various browsers such as Brave, Chrome, Firefox, Edge, Opera and Safari, we recommend using the current release of Firefox

  • FIDO Certified® FIDO Security Key (Level 2 and above) – This has been tested with the following Security Keys, which support both FIDO and X.509 digital certificates:

    • Feitian BioPass FIDO2 Plus Key
    • GoTrust Idem Key
    • Yubico’s FIPS Certified YubiKey

  • Port: Internet access to connect to port 8282. Most enterprises will deny browser access to anything other than port 443; in such a situation, test this capability from outside your enterprise’s perimeter or request controlled access to https://demo.strongkey.com on ports 8282 and 443.

  • X.509 Digital Certificates trusted by the Demo web applications. StrongKey has made two (2) such digital certificates with their private keys available in a PKCS#12 (aka PFX) file at StrongKey's SourceForge ClientAuth Directory

    • A valid user whose certificate will permit a successful TLS ClientAuth connection:

      • PKCS#12 filename: StrongKeyTLSClientAuthGoodUser009.p12

      • SHA256 digest: db075ba42c464063cd6d35a03c7e996693fcadf5380cf9f1db66deb700915093

    • A user with a revoked digital certificate; while this will load into the Security Key, it will fail the PKIX Validation test within the application:

      • PKCS#12 filename: StrongKeyTLSClientAuthBadUser003.p12

      • SHA256 digest: 4195218a90b96b7d9a464ff521829e0fed669e93a456f196a72c826c4eec44db
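Before importing either file into a Security Key or browser, confirm that the download matches the digests listed above and look at what the certificate actually contains. The script below is an added example, not StrongKey's own tooling. It assumes the two .p12 files are in the current directory, that sha256sum (Linux) or shasum (macOS) and OpenSSL 1.1.1 or later are installed, and that the PKCS#12 password, which this page does not state, is supplied in an environment variable named P12_PASS (a placeholder name chosen here).

```shell
#!/usr/bin/env bash
# Added example (not StrongKey's code): verify and inspect the demo PKCS#12
# files before importing them. Assumptions: files in the current directory,
# sha256sum or shasum available, OpenSSL >= 1.1.1, password in P12_PASS
# (placeholder variable name; the page does not give the password).
set -u

# Filenames and SHA-256 digests exactly as published in the prerequisites.
GOOD_P12=StrongKeyTLSClientAuthGoodUser009.p12
GOOD_SHA=db075ba42c464063cd6d35a03c7e996693fcadf5380cf9f1db66deb700915093
BAD_P12=StrongKeyTLSClientAuthBadUser003.p12
BAD_SHA=4195218a90b96b7d9a464ff521829e0fed669e93a456f196a72c826c4eec44db

# Print the lowercase hex SHA-256 of a file; works on Linux and macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print tolower($1)}'
  else
    shasum -a 256 "$1" | awk '{print tolower($1)}'
  fi
}

# Return 0 only when the file exists and its digest matches the expected one
# (case-insensitive on the hex); 2 when the file is missing, 1 on mismatch.
verify_p12_digest() {
  local file=$1 expected=$2 actual
  [ -f "$file" ] || { echo "MISSING $file" >&2; return 2; }
  actual=$(sha256_of "$file")
  expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
  if [ "$actual" = "$expected" ]; then
    echo "OK      $file"
    return 0
  fi
  echo "FAIL    $file (expected $expected, got $actual)" >&2
  return 1
}

# Show the client certificate inside a verified PKCS#12: subject, issuer,
# validity window and the CRL distribution point that a PKIX revocation
# check (the test the BadUser certificate fails) would consult.
inspect_p12() {
  local file=$1
  openssl pkcs12 -in "$file" -nokeys -clcerts -passin "pass:${P12_PASS:-}" 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates -ext crlDistributionPoints
}

# Check both demo files; inspect the good one only if both digests match.
verify_demo_files() {
  local status=0
  verify_p12_digest "$GOOD_P12" "$GOOD_SHA" || status=1
  verify_p12_digest "$BAD_P12" "$BAD_SHA" || status=1
  [ "$status" -eq 0 ] && inspect_p12 "$GOOD_P12"
  return "$status"
}

# Run automatically only when both files are present in the current directory.
if [ -f "$GOOD_P12" ] && [ -f "$BAD_P12" ]; then
  verify_demo_files
fi
```

Run it as `P12_PASS='...' ./verify-demo-p12.sh` from the download directory, or source it and call the functions individually. A digest mismatch means the file is not the one StrongKey published and should not be imported. Note that the BadUser file will pass the digest check, since the digest only proves integrity of the download; its revocation is detected later by the application's PKIX validation, which needs the issuing CA's certificate and CRL that this page does not provide. On OpenSSL 3, PKCS#12 files built with legacy RC2 encryption require adding `-legacy` to the `openssl pkcs12` command.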


Import the Digital Certificates into the Security Key or the browser:  


Step 1: Do you have any of the following Security Keys that support X.509 digital certificates? If the answer is "Yes", please follow the links on how to import the digital certificates to the following Security Keys: 


Step 2: If the answer to the above question is "No", you can still import the digital certificates to a browser and use any FIDO Certified® Security Key to test the TLS ClientAuth + FIDO enabled applications. 


Browser    Linux    MacOS    Windows
Brave
Chrome
Edge
Firefox
Opera
Safari              ✓


Test the TLS ClientAuth + FIDO enabled web applications


Step 3: You can now test any of the three TLS ClientAuth + FIDO enabled web applications:

  1. Discover: A web application demonstrating how to authenticate users to the relying party's site without having the user provide their username - the browser and the user's FIDO Authenticator negotiate the capability between them, making the user experience seamless.
  2. SKSO: StrongKey Sign-On (SKSO) is a purpose-built web application designed to support the registration and management of FIDO credentials with SKFS, as well as to interoperate with Citrix ADC and Citrix Gateway for single sign-on to Citrix environments using SAML Assertions.
  3. PKI2FIDO: A basic Java application demonstrating how users with X.509 digital certificates can strongly authenticate using TLS ClientAuth and then register a FIDO Security Key with SKFS.