OpenSSL client certificates vs server certificates

I have some basic questions on certificates. Let me first explain my understanding on SSL authentication.

SSL/TLS basically has two main things:

  1. Authentication - to make sure we are communicating with the correct party on both ends.
  2. Encryption - encrypt the actual data transferred between both ends.

Certificates have the public key and some additional information. SSL communication between a client (say 'C') and a server (say 'S') works like this:

  1. C initiates the request to S.
  2. S sends its public key to C.
  3. C verifies the identity of S. (Server identity verification or server authentication)
  4. C sends its public key to S.
  5. S verifies the identity of C. (Client identity verification or client authentication)
  6. C generates a symmetric or session key (say 'K'), encrypts it with S's public key and sends it to the server.
  7. Now both C and S have the shared symmetric key, which will be used for encrypting the data.

Here I believe steps 4 and 5, meant for client authentication, are optional. Correct me if I am wrong.

Steps 1 to 5 involve the asymmetric mode of encryption, i.e. only for 'Authentication', and after that the symmetric mode of encryption is used for the actual data transfer between them.

My questions are as follows:

  1. I have read from this link (related to IIS server) that there are two types of certificates. One is the client certificate and the other is the server certificate. I thought the one on the client side, which initiates the request, is the client certificate and the other is the server certificate. What is the difference between client and server certificates w.r.t. OpenSSL? Is there any difference in the CN name in these certificates w.r.t. OpenSSL?

  2. I was asked to use client certificates for authentication. Does it mean that we are bypassing server authentication and using only client certificates for authentication? I don't think so. As per my understanding, client authentication should be done in addition to the server authentication. Correct me if I am wrong here.

Prabu Avatar asked Jul 15 '14 07:07




1 Answer

Server Certificates:

Server certificates are the identity of a server, presented by it during the SSL handshake.

Typically they are issued by a certificate authority (CA) well known to the client. The basis on which the certificate is issued is possession of some publicly known identifier of that server; for a web server it is the hostname of the server, which is used to reach the server.

Example:-  http://blog.8zero2.in/ 

Server certificate

Server Certificates Purpose

clearly mentioned by the X.509 extension parameter

Certificate Key Usage:

  1. Signing
  2. Key Encipherment

Signing :- It means that the key in the certificate can be used to prove the identity of the server mentioned in the CN of the certificate, that is, entity authentication.

Key Encipherment :- It means the key in the certificate can be used to encrypt the session key (symmetric key) derived for the session.

Client Certificate :-

Client certificates, as the name indicates, are used to identify a client or a user. They are meant for authenticating the client to the server. The purpose of holding a client certificate varies; it may represent possession of an email address or MAC address, usually mapped to the serial number of the certificate.

Client Certificates Purpose

clearly mentioned by the X.509 extension parameter

Certificate Key Usage:

  1. Signing
Arjun sharma Avatar answered Oct 04 '22 11:10

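The following is an added example, not part of the question or the answer above, that makes the distinction concrete with the openssl command line: it builds a throwaway CA, issues one server certificate and one client certificate carrying the Key Usage / Extended Key Usage extensions the answer describes (plus a subjectAltName, which modern clients check instead of the CN), and then asks `openssl verify -purpose` which TLS role each certificate is acceptable for. This also answers the CN question from the post: nothing in OpenSSL distinguishes the two by the CN string itself; the server certificate's name is a hostname and the client certificate's name is a user, and the extensions decide the role. The CA name `demo-ca`, the hostname `www.example.test`, the user `alice` and the working directory are made-up values for this demonstration.

```shell
#!/bin/sh
# Added example (not from the question or answer): issue a server and a
# client certificate from a throwaway CA and check their TLS purposes.
# All names below (demo-ca, www.example.test, alice@example.test) are
# constructed for the demonstration. Requires OpenSSL 1.1.1 or newer.
set -e

# Working directory for keys and certificates (temporary by default).
WORK="${WORK:-$(mktemp -d)}"

# make_pki: create the CA, the server certificate and the client certificate
# under $WORK. Skips the work if the CA already exists so it can be re-run.
make_pki() {
    [ -f "$WORK/ca.crt" ] && return 0
    (
    cd "$WORK"

    # Self-signed CA (req -x509 adds basicConstraints CA:TRUE by default).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -days 365 -subj "/CN=demo-ca" >/dev/null 2>&1

    # Server certificate: the subject names a host; keyUsage is
    # digitalSignature + keyEncipherment; extendedKeyUsage is serverAuth.
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key \
        -out server.csr -subj "/CN=www.example.test" >/dev/null 2>&1
    cat > server.ext <<'EOF'
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -set_serial 1 \
        -out server.crt -days 365 -extfile server.ext >/dev/null 2>&1

    # Client certificate: the subject names a user, not a host; keyUsage is
    # digitalSignature only; extendedKeyUsage is clientAuth.
    openssl req -new -newkey rsa:2048 -nodes -keyout client.key \
        -out client.csr -subj "/CN=alice/emailAddress=alice@example.test" \
        >/dev/null 2>&1
    cat > client.ext <<'EOF'
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = email:alice@example.test
EOF
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -set_serial 2 \
        -out client.crt -days 365 -extfile client.ext >/dev/null 2>&1
    )
}

# cert_purpose_ok CERT PURPOSE: exit status 0 if CERT (a file name under
# $WORK) chains to the CA and is acceptable for PURPOSE, which is
# "sslserver" or "sslclient". This is the same check a TLS peer applies.
cert_purpose_ok() {
    openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$WORK/$1" \
        >/dev/null 2>&1
}

# cert_eku CERT: print the Extended Key Usage value of CERT, e.g.
# "TLS Web Server Authentication".
cert_eku() {
    openssl x509 -in "$WORK/$1" -noout -ext extendedKeyUsage |
        awk 'NR == 2 { sub(/^ +/, ""); print }'
}

# Stand-alone run: build the PKI and report each certificate's accepted role.
make_pki
for cert in server.crt client.crt; do
    echo "$cert: EKU = $(cert_eku "$cert")"
    for purpose in sslserver sslclient; do
        if cert_purpose_ok "$cert" "$purpose"; then
            echo "  accepted as $purpose"
        else
            echo "  rejected as $purpose"
        fi
    done
done
```

The expected report is that server.crt is accepted as sslserver and rejected as sslclient, while client.crt is the reverse. That is the practical answer to the second question: a server that requests client certificates still presents its own server certificate, and each certificate is only usable for the role its extensions permit.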