Generating WebID?-watermarked X.509 Certificates for Use with ODS
Why use X.509 Certificates for Authentication?
Password-based authentication is inherently difficult to maintain, and presents an awkward option in the context of RESTful client/server interactions over local and wide area networks (LANs and WANs).
X.509 Certificates provide an elegant alternative which is more easily maintained, with a more streamlined user experience overall.
How are X.509 Certificates generated?
Thanks to its Virtuoso underpinnings, ODS possesses built-in functionality for generating X.509 Certificates with WebID? watermarks.
With ODS, certificate generation is typically done through a web browser. The specific process varies because each browser vendor has chosen their own approach to manage Certificates and their associated Private Keys.
Below, we cover certificate generation for several browsers, with keystore persistence handled variously by the host operating system or the Browser.
Certificate Generation & Keystore Management
Browser | Generation | OS-based Keystore | Browser-based Keystore | Notes |
---|---|---|---|---|
Chrome | <keygen/> |
Y | N | |
Firefox | <keygen/> |
N | Y | |
IE | |
Y | N | When using the user-friendly, Wizard-style interface of this plug-in, you (the issuer) must create a root CA certificate before generating any WebID?-watermarked certificates. |
Opera | <keygen/> |
N | Y | |
Safari | <keygen/> |
Y | N | |
Firefox | .NET-based browser plug-in | Y | N | |
IE | Windows-native generator | Y (Windows only) |
N | Best reserved for advanced users. |
X.509 Certificate Generation Methods
Using ODS
Using Virtuoso Certificate Generation Wizard (Windows only)
Using Windows-Native Keystore
- View Local Machine KeyStore and enable a snap-in.
- Generate Certificate Guide.
- Import the generated Cert in ODS by pasting its content in the X.509 Certificate text-area presented at User Profile -> Edit -> Security -> X.509 Certificates tab page.
Using openssl
You can manually use OpenSSL? to generate the certificate, and then import that Certificate to ODS through its PEM Import UI. Then, both Certificate and Private Key must be imported into the OS- and/or browser-based keystore. Finally, the Cert results in Public Key and WebID? relation in Profile Graph.
Basic Steps
- Generate x.509 Certificate.
- Set up HTTPS Support in Virtuoso.
- Configure your ODS Account to use the WebID Protocol.
- Test the setup.
Browser-Specific Notes
- Firefox: You must import the Private Key into the OS- and/or Browser-based keystore(s) using the relevant import mechanism.
- Opera: You must import the Private Key into the OS- and/or Browser-based keystore(s) using the relevant import mechanism.
OS-Specific Notes
- Mac OS X: OpenSSL? is not needed. The Mac-native keystore lets you create certificates, based on Apple's root CA.
- Windows: OpenSSL? is not needed. The Windows-native keystore lets you create certificates, based on Microsoft's root CA.
Related
- Power of WebID + OpenID Hybrid Protocol via Internet Explorer & Windows
- Using Safari to Demonstrate WebID + OpenID Hybrid Protocol Power!
- Safeguarding your Virtuoso-hosted SPARQL Endpoint
- SPARQL Endpoint Protection Methods Collection
- Virtuoso documentation
- Virtuoso Tips and Tricks Collection
- SPARUL over SPARQL using the http://cname:port/sparql-auth endpoint
- Virtuoso Authentication Server UI
- Manage a SPARQL-WebID based Endpoint
- WebID Protocol Support in OpenLink Data Spaces.
- Manage ODS Datadspaces Objects WebID? Access Control Lists (ACLs):
- Guide for Set up a X.509 certificate issuer and HTTPS listener and generate ODS user certificates
- Configure Virtuoso+ODS instance as an X.509 Certificate Authority and HTTPS listener
- Configure Virtuoso instance as an X.509 Certificate Authority and HTTPS listener
- Setting up PubSubHub in ODS
- PubSubHubBub Demo Client Example
- Feed subscription via PubSubHub protocol Example
- Setting Up PubSubHub to use WebID Protocol or IP based control lists
- CA Keys Import using Conductor
- Generate an X.509 Certificate (with a WebID watermark) to be managed by host operating system keystore
- Generate an X.509 Certificate (with a WebID watermark) to be managed by a browser-based keystore
- Using Virtuoso's WebID Verification Proxy Service with a WebID-bearing X.509 certificate
- Using Virtuoso's WebID Identity Provider (IdP) Proxy Service with an X.509 certificate
- ODS Briefcase WebID Protocol Share File Guide
- WebID Protocol Specification
- Test WebID Protocol Certificate page
- WebID Protocol Certificate Generation page