2-way SSL/TLS configuration

If I understand SSL/TLS correctly, in server-only authentication, after the handshake the server sends the client its public key and a digitally signed certificate signed by a CA. If the client has this CA's public key, it can decrypt the certificate and establish trust with the server. If it does not trust the CA, then the communication stops. In 2-way SSL, where the client needs to authenticate back to the server, after the client receives the public key and the digitally signed cert, the client will send the server its public key and a digitally signed cert. The server will check to see if it has a public key for the client's cert and, if it does, it can establish trust with the client. I am setting up mutual authentication [2-way SSL] on a WebLogic server [in this case the client, calling outbound to a web service] and the third party sent me a digitally signed cert and a certificate chain. Why do I need these? Isn't this what the server replies with after the handshake?


the server sends the client its public key and a digitally signed certificate signed by a CA.

The certificate contains the public key. The key is not sent extra.

If the client has this CA's public key, it can decrypt the certificate

The certificate is not encrypted; it is signed by the CA. Thus no decryption is done, but the client can verify this signature if the client has the CA's certificate (and thus its public key). But usually the certificate is not signed directly by a CA trusted by the browser; there are intermediate certificates. In this case the server will send not only the server's certificate but also all intermediate certificates which are needed to build the trust chain.

then the client will send the server its public key and a digitally signed cert.

Again, the public key is part of the certificate.

the third party sent me a digitally signed cert and a certificate chain. Why do I need these?

The first certificate is the client certificate. The chain certificates are needed to build the trust chain because the server does not trust the issuer CA of the client's certificate directly and thus needs the intermediate certificates.
