Celeb Glow
general | March 11, 2026

What are the criteria on which Chrome shows available certificates for client authentication

When a remote server requires a client certificate for authentication, the browser pops up a dialog to select the certificate from:

[screenshot: Chrome's certificate selection dialog]

It only shows a subset of certificates. I want to know on which criteria it fetches them; for example, I expect that these certificates must have an associated private key to prove the client's ownership. But the Chrome certificate manager has many more certificates than what is shown in the popup, some of which have associated private keys. Also, does the browser have its own isolated store? I noticed that some certificates need to be imported into the browser's store, despite the certificates in the browser's store being the same as those on Windows.

2 Answers

An HTTPS client certificate always has to have a corresponding private key, otherwise it can't be used for HTTPS client authentication.

On Windows (the screenshot looks like it was taken on Windows) Chrome does make use of the Windows certificate manager. The certificates for HTTPS authentication are stored in the personal certificate store ("Personal" section in certmgr.msc).

Additionally, the HTTPS server you are trying to connect to can send in its Certificate Request message a list of CAs it will accept for client certificate authentication:

Quoted from RFC 5246:

certificate_authorities: A list of the distinguished names [X501] of acceptable certificate_authorities, represented in DER-encoded format. These distinguished names may specify a desired distinguished name for a root CA or for a subordinate CA; thus, this message can be used to describe known roots as well as a desired authorization space. If the certificate_authorities list is empty, then the client MAY send any certificate of the appropriate ClientCertificateType, unless there is some external arrangement to the contrary.


While most HTTPS sites authenticate to the server using a certificate sent by the website, HTTPS also supports a two-way authentication called mutual authentication.

To request mutual authentication, servers send a CertificateRequest message to the client during the HTTPS handshake, specifying a criteria filter that the browser will use to find a client certificate that satisfies the server request.

If the browser finds more than one possible certificate (unexpired certificates with the Client Authentication purpose set and a private key available) that match the server-supplied filtering criteria, it will ask the user to select one. This is usually a pretty rare occurrence (at least for me).

The selected certificate will be sent to the server by the browser’s following Certificate response.
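Putting the two answers together, here is an added example (not code from either answer, nor from Chrome) that parses a TLS 1.2 CertificateRequest body as RFC 5246 lays it out and applies the selection rules described above (private key present, unexpired, Client Authentication purpose, issuer in the server's certificate_authorities list or any issuer when that list is empty) to a constructed set of store entries. The store layout, field names and placeholder DN bytes are assumptions for illustration, not Chrome's or Windows' actual data structures.

```python
import struct
from datetime import datetime, timezone
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth EKU OID

def build_certificate_request(cas):
    """Constructed TLS 1.2 CertificateRequest body: rsa_sign type, sha256/rsa, DN list."""
    ca_blob = b"".join(struct.pack("!H", len(c)) + c for c in cas)
    return (bytes([1, 1]) + struct.pack("!H", 2) + b"\x04\x01"
            + struct.pack("!H", len(ca_blob)) + ca_blob)

def parse_certificate_request(body):
    """Parse the body (handshake header removed) per RFC 5246 section 7.4.4."""
    n = body[0]
    types, pos = list(body[1:1 + n]), 1 + n
    sig_len = struct.unpack("!H", body[pos:pos + 2])[0]
    sig_algs = [tuple(body[i:i + 2]) for i in range(pos + 2, pos + 2 + sig_len, 2)]
    pos += 2 + sig_len
    ca_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos, end, cas = pos + 2, pos + 2 + ca_len, []
    while pos < end:                       # each DN is a 2-byte length + DER bytes
        dn_len = struct.unpack("!H", body[pos:pos + 2])[0]
        cas.append(body[pos + 2:pos + 2 + dn_len])
        pos += 2 + dn_len
    if pos != end or end != len(body):
        raise ValueError("malformed certificate_authorities vector")
    return {"types": types, "sig_algs": sig_algs, "cas": cas}

def eligible_certs(certs, req, now):
    """Key present, valid now, clientAuth EKU, issuer in server list (any if empty)."""
    return [c for c in certs
            if c["has_key"] and c["not_before"] <= now <= c["not_after"]
            and CLIENT_AUTH in c["eku"]
            and (not req["cas"] or c["issuer"] in req["cas"])]

# Constructed sample store; DNs are placeholder bytes standing in for DER-encoded Names.
UTC = timezone.utc
T0, T1, NOW = (datetime(2025, 1, 1, tzinfo=UTC), datetime(2027, 1, 1, tzinfo=UTC),
               datetime(2026, 3, 11, tzinfo=UTC))
CORP, OTHER = b"<DER Name: CN=Corp CA>", b"<DER Name: CN=Other CA>"
def cert(name, issuer, key=True, eku=(CLIENT_AUTH,), not_after=T1):
    return {"name": name, "issuer": issuer, "has_key": key, "eku": set(eku),
            "not_before": T0, "not_after": not_after}
STORE = [cert("alice-corp", CORP), cert("alice-nokey", CORP, key=False),
         cert("alice-expired", CORP, not_after=T0),
         cert("web-server", CORP, eku=("1.3.6.1.5.5.7.3.1",)),  # serverAuth only
         cert("alice-other", OTHER)]

def select_for(server_cas):
    """Names the chooser dialog would offer for a server sending server_cas."""
    req = parse_certificate_request(build_certificate_request(server_cas))
    return [c["name"] for c in eligible_certs(STORE, req, NOW)]
```

With the Corp CA in the server's list only alice-corp is offered; with an empty list both alice-corp and alice-other qualify, while the entries without a key, expired, or lacking the clientAuth purpose are never shown.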
