Must server and client certificate be signed by same CA in SSL

Question

I am trying to understand the relationship between the client and server in the context of an SSL connection. Am I correct in understanding that the fact that the same certificate authority (me - in example below) sign both server and client certificate makes that they can communicate. Thus, that the server only accepts communication when client authenticates with client certificate signed by the same CA as the server certificate, and this is essential to the idea of an SSL connection?

(script underneath comes directly from http://blog.nategood.com/client-side-certificate-authentication-in-ngi)

# Create the CA Key and Certificate for signing Client Certs
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

# Create the Server Key, CSR, and Certificate
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr

# We're self signing our own server cert here.  This is a no-no in production.
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

# Create the Client Key and CSR
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr

# Sign the client certificate with our CA cert.  Unlike signing our own server cert, this is what we want to do.
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

server {
    listen        443;
    ssl on;
    server_name example.com;

    ssl_certificate      /etc/nginx/certs/server.crt;
    ssl_certificate_key  /etc/nginx/certs/server.key;
    ssl_client_certificate /etc/nginx/certs/ca.crt;
    ssl_verify_client on;

Answer 1

The short answer is No. These are two separate aspects. Here:

ssl_certificate      /etc/nginx/certs/server.crt;
ssl_certificate_key  /etc/nginx/certs/server.key;

You are configuring the server certificates which need to be trusted by the client.

And here:

ssl_client_certificate /etc/nginx/certs/ca.crt;

You configure the certification authority to verify your clients' certificates against.

Answer 2

"Must server and client certificate be signed by same CA in SSL"

Short answer is, it can be but not necessary.

To see why, let's break down the steps but without too much technical.

From your point of view when setting up the nginx server.

You want to achieve 2 goals.

1. Prove the identity of your server.

   For this you get a CA to sign your server certificate and present it to a client that connects to your server

2. Verify the identity of the client connecting to the server

   For this, you set define the list of CA that you trust that signs the client's certificate.

   When a client connects to your server, you check if the client certificate presented is signed by your list of CA

That's not the end. Let's look at the client's end.

The client also wants to achieve 2 goals.

1. Prove the client's identity when connecting to your server

   For this, the client get a CA to sign its client certificate and present it to your server when connecting.

   Here is the catch, the CA that signs the client certificate must be in your server's list of CA.

2. Verify the identity of your server

   For this, the client has to trust the CA that signs your server's certificate.

   How is this done?

   Typically this list is predefine on the system or browser so it happens transparently.

   But if you are writing a client, then you may have to define this list of trusted CA or just let the client know the CA that signs your server certificate.

So, it can happen that the CA signing the server and the client is the same but it is not necessary. It all depends on the list of CA defined on both the server and the client.