Request user to sign string by client certificate and get this sign in PHP

I can authorize user by his 开发者_开发技巧client certificate with apache mod_ssl. Now I need to request user to sign some string with his client certificate and read this sign in my php script. I know how to do it with openssl_sign when I have key.pem on server but the client certificate is on client computer, installed in browser

Indeed, the client's private key (corresponding to the client certificate) is what's used for signing, and it's not going to leave the browser. You need to perform these operations within the client's browser, not on the PHP (server) side.

Unfortunately, there's no universal way of doing cryptographic operations (and accessing the private key) across browsers.

You could look at this to start with: https://developer.mozilla.org/en/JavaScript_crypto#Signing_text

Alternatively, you could try launching an application from the browser (for example Java WebStart), although this doesn't necessarily make it easy to access the private key and certificate that are in the browser.

You need some applet or Flex application or ActiveX Control running on the client side. This will let you access certificates located there. It's not a trivial task (especially if you didn't deal with this before).

We will introduced distributed signing components (including applet and ActiveX control) as part of our SecureBlackbox product in a couple of months. At the moment the components are in internal testing.