OpenSSL client certificates vs server certificates

 

I have some basic questions on certificates. Let me first explain my understanding on SSL authentication.

SSL/TLS basically has two main things,

  • Authentication - to make sure we are communicating to the correct party on both end.
  • Encryption - encrypt the actual data transferred between both end.

    • Certificates have the public key and some additional information. SSL communication between Client (say 'C') and Server (say 'S') works like this,

  • C initiates the request to S.
  • S sends its public key to C.
  • C verifies the identity of S. (Server identity verification or server authentication)
  • C sends its public key to S.
  • S verifies the identity of C. (Client identity verification or client authentication)
  • C generates symmetric or session key (say 'K') and encrypt it with S public key and send it to the server.
  • Now both C and S have the shared symmetric key which will be used for encrypting the data.

    • Here I believe steps 4 and 5 meant for Client Authentication is optional. Correct me If I am wrong.

    Steps 1 to 5 involves asymmetric mode of encryption ie only for 'Authentication' and after that it involves symmetric mode of encryption for actual data transfer between them.

    My questions are as follows,

  • I have read from this link (related to IIS server) that there are two types of Certificates. One is client certificate and the other is server certificate. I thought the one in the client side who initiates the request is client certificate and the other is server certificate. What is the difference between client and server certificate wrto OpenSSL ?. Is there any difference in CN name in these certificates wrto OpenSSL ?

  • I was asked to use Client Certificates for authentication. Does it mean that we are bypassing server authentication and using only client certificates for authentication ?. I don't think so. As per my understanding, client authentication should be done in addition to the server authentication. Correct me if I am wrong here.

    • Server Certificates:

    Server Certificates are identitiy of a Server to persented by it during SSL handshake .

    Typically they are issued by CA well known to client , The basis on which the certificate is issued is possession of some publically known Identifier of that server , for Webserver its the Hostname of the server , which is used to reach server 

    Example:-  http://blog.8zero2.in/

    Server certifictae

    Server Certificates Purpose

    clearly mention by the x509 extension parameter 

    Certificate Key usage 

 1. Signing 
 2. Key Encipherment

    Signing :- It means that the key in the certificate can be used to prove the Identity of the server mentioned in the CN of the cerificate , that is entity Authentication .

    Key Encipherment :- It means the key in the in the ceritificate can be used to encrypt the session key ( symmetic key ) derived for the session

    Client Certificate :-

    Client certificates as the name indicates are used to identify a client or a user. They are meant for authenticating the client to the server. Purpose of holding a client certificate varies It may represent possession of email address or Mac-address , usually mapped to the serial number of the certificate

    Client Certificates Purpose

    clearly mention by the x509 extension parameter 

    Certificate Key usage 
1. Signing

    1) The article you link is a good one :-). To put it another way: there is a field in the certificate that says what use(s) it is allowed to be used for. When you create/request a certificate, you are asking for a certificate for a particular use, and the CA signs it on that basis.

    It is more secure to use different certificates for different purposes and to ensure that each certificate can only be used for its intended purpose. (Or if you want to be cynical, CAs make you buy separate client and server certs so they get more sales.)

    For instance, you might want your web server to be able to identify itself as your company for serving purposes, but not want that same certificate to be able to be used to sign outgoing connections to other businesses.

    2) You are correct.

    链接地址: http://www.djcxy.com/p/21766.html

    上一篇: 安全登录:PHP和Javascript中的公钥加密

    下一篇: OpenSSL客户端证书与服务器证书