I am working with a REST service provider, and they want me to use a client certificate provided by them when making HTTP calls.
How does a client cert achieve authentication?
If someone has a copy of the client cert, they too can be authenticated right?
Does a client cert offer anything else besides authentication?
How are they different from a username/password authentication?
Client certificates are, as the name indicates, used to identify a client or a user, authenticating the client to the server and establishing precisely who they are.
Client Certificate Authentication is mutual, certificate-based authentication, where the client provides its client certificate to the server to prove its identity. This happens as part of the SSL handshake (it is optional).
Validation is done by the server the same way the client validates the server's certificate. The client sends a signed certificate to the server. System SSL at the server decrypts the signature (message digest) using the public key of the client certificate issuer found in the server key database file.
The client then compares the certificates in its store against that list to see if it has any signed by the CAs that the server listed. If it finds one, it will send it, usually after prompting the user whether they want to send it. Presumably, if there were multiple matches, it would ask the user which to send (if any).
How does a client cert achieve authentication?
By being either signed by someone the peer trusts (including self-signing), or signed by someone that is trusted by someone the peer trusts, etc.
If someone has a copy of the client cert, they too can be authenticated right?
Wrong. They would also need the private key.
Does a client cert offer anything else besides authentication?
No.
How are they different from a username/password authentication?
Much more secure. No password-guessing is possible.
However, there is no such thing as a 'client certificate provided by them'. The process of generating a client certificate starts with you. You generate a key pair and a Certificate Signing Request (CSR) and you have it signed by a CA. Or you generate a self-signed certificate. You then provide your certificate to them. If they are proposing to carry out all these steps and provide the resulting key pair and certificate to you, they do not know what they are talking about and should be severely chastised for security breaches. A private key is only private if no-one else has a copy.
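The two answers above describe the same mechanics from different angles: the server validates the client certificate against a CA it trusts, and the client proves possession of the matching private key during the handshake, which is why a copy of the certificate alone is useless. The following Go program, an added example that is not part of the original thread, shows both. It runs the CSR flow from the second answer (the subject keeps its private key and only the CSR goes to the CA), then performs mutual TLS over loopback TCP and compares three clients: one holding the certificate and its private key, one holding a copy of that certificate but a different private key, and one with no certificate at all. The names "Example Client CA", "alice", "mallory" and "localhost" are made up for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue is the CSR flow from the second answer: the subject generates its own key pair and a CSR,
// the issuer checks the CSR's self-signature (proof the subject holds the key) and signs a
// certificate carrying only the public key. With ca == nil the result is a self-signed CA.
func issue(ca *x509.Certificate, caKey crypto.Signer, cn string) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // never leaves the subject
	must(err)
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	must(err)
	csr, err := x509.ParseCertificateRequest(csrDER)
	must(err)
	must(csr.CheckSignature()) // the CA verifies the requester really holds the private key
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject, DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	if ca == nil { // self-signed CA: the template is its own parent and the new key signs it
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		ca, caKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return key, cert
}

// mutualTLS runs one handshake over loopback TCP. The server demands a client certificate that
// chains to ca and reports the CN it authenticated, or its handshake error. The server only ever
// sees the certificate; proof of the private key comes from the client's CertificateVerify.
func mutualTLS(ca *x509.Certificate, srv tls.Certificate, cli []tls.Certificate) (cn string, err error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{srv}, ClientCAs: pool,
		ClientAuth:   tls.RequireAndVerifyClientCert, // no cert, or one the pool cannot verify: reject
	})
	must(err)
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			c.SetDeadline(time.Now().Add(5 * time.Second))
			if err = c.(*tls.Conn).Handshake(); err == nil {
				cn = c.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName
			}
		}
		done <- err
	}()
	conn, cerr := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "localhost", Certificates: cli})
	err = <-done
	if cerr == nil {
		conn.Close()
	}
	return cn, err
}

// scenarios exercises the cases the answers discuss and reports what the server concluded.
func scenarios() (legit string, legitErr, stolenCert, noCert error) {
	caKey, ca := issue(nil, nil, "Example Client CA")
	srvKey, srvCert := issue(ca, caKey, "localhost")
	srv := tls.Certificate{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}
	aliceKey, alice := issue(ca, caKey, "alice")
	// Alice presents her certificate and signs CertificateVerify with the matching key: authenticated.
	legit, legitErr = mutualTLS(ca, srv, []tls.Certificate{{Certificate: [][]byte{alice.Raw}, PrivateKey: aliceKey}})
	// Mallory has a copy of Alice's certificate but signs with her own key: the signature fails, handshake rejected.
	malloryKey, _ := issue(ca, caKey, "mallory")
	_, stolenCert = mutualTLS(ca, srv, []tls.Certificate{{Certificate: [][]byte{alice.Raw}, PrivateKey: malloryKey}})
	_, noCert = mutualTLS(ca, srv, nil) // no client certificate at all is rejected outright
	return
}

func main() {
	fmt.Println(scenarios())
}
```

The first result is the CN "alice" with a nil error; the other two are server-side handshake errors (an invalid client-certificate signature, and a missing client certificate). Note that the client certificate is sent in the clear in TLS 1.2 and is nothing but public data in any version, which is exactly why it can be handed to the server without concern while the private key must never be.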