It is hard for me to reason about what is common when it comes to client
certificate usage in the scope of SSL/TLS, but here are some points from my
experience.

When a developer makes an application for a specific web server,
there is a high chance they may choose a specific client certificate in
advance.
But an admin did choose a certificate and installed it into a
TPM module, so it is now only available from the LOCAL_MACHINE store,
and I, as a developer, have to use it from that scope.

And, as a developer of the application, I don't know the certificate
name in advance, since it (the application) is intended to be used on
different devices that will access different remote web servers, and
only specific devices (with specific device certificates installed)
are allowed to access specific web servers (which advertise the allowed
CAs of those certificates).

As for selecting from multiple certificates, one use case I've faced
is when there are two similar certificates installed, but one of them
is expired/about to expire or revoked (and the client/device doesn't
know about the revocation), and the other one is newly issued/installed.

And secondly, for some reason, both Chromium (and the like) and Firefox
(maybe other browsers too, I didn't check) show a UI prompt by default
for the user to manually select a certificate to use (or to discard/use
none, which might sometimes be a valid option), even if there is only
one matching certificate available. That is the first thing you see
when you try to open a web page which has mTLS enabled, so if that is
not common, it is at least a default.

>> But:
>> 1) It doesn't work if the certificate is installed in LOCAL_MACHINE storage;
>> 2) It doesn't allow manually selecting which certificate to use (e.g.
>> if there are more than one available).
>
>
> Are either of those a common thing to do? Couldn't an admin, developer or 
> user select the certificate usually?
-- 
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html
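As an added illustration of the selection rules described in the mail above (this is not code from the poster or from curl), the following Python sketch picks one client certificate out of several candidates: it keeps only those issued by a CA the server advertised, drops expired or known-revoked ones, and prefers the one that expires last. The `StoredCert` record and the sample store contents are constructed for the example, not read from a real Windows store.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed, hypothetical view of what a certificate store exposes per entry.
@dataclass(frozen=True)
class StoredCert:
    thumbprint: str        # constructed identifier, not a real certificate hash
    store: str             # "CurrentUser" or "LocalMachine" (e.g. TPM-backed key)
    subject: str
    issuer: str            # issuer DN, compared against the server's CA list
    not_after: datetime
    revoked: bool = False  # only known if the client has fresh revocation data

def select_client_cert(store, acceptable_issuers, now,
                       include_local_machine=True) -> Optional[StoredCert]:
    """Pick the certificate to offer during the mTLS handshake.

    Only certificates issued by a CA the server advertised are usable;
    expired or known-revoked ones are dropped; if several remain, the one
    expiring last wins (the renewed one beats the about-to-expire one).
    Returns None when nothing fits, i.e. the "use none" outcome.
    """
    usable = [
        c for c in store
        if c.issuer in acceptable_issuers
        and c.not_after > now
        and not c.revoked
        and (include_local_machine or c.store == "CurrentUser")
    ]
    if not usable:
        return None
    return max(usable, key=lambda c: c.not_after)

# Constructed sample store: two similar device certs (old and renewed) plus
# one from a CA the server does not accept.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_STORE = [
    StoredCert("aa11", "LocalMachine", "CN=device-42", "CN=Device CA",
               datetime(2024, 6, 3, tzinfo=timezone.utc)),   # about to expire
    StoredCert("bb22", "LocalMachine", "CN=device-42", "CN=Device CA",
               datetime(2025, 6, 1, tzinfo=timezone.utc)),   # newly issued
    StoredCert("cc33", "CurrentUser", "CN=device-42", "CN=Other CA",
               datetime(2025, 6, 1, tzinfo=timezone.utc)),   # wrong issuer
]

if __name__ == "__main__":
    chosen = select_client_cert(SAMPLE_STORE, {"CN=Device CA"}, NOW)
    print(chosen.thumbprint if chosen else "no usable client certificate")
```

With `include_local_machine=False` the sample store yields no candidate, which is the situation the mail describes when only the LOCAL_MACHINE store holds the device certificate.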