
Use Server Certificate As Client Certificate

ServerA and ServerB are the web servers. ServerA wishes to communicate with ServerB. Can ServerA use its server certificate as a client certificate during mutual authentication?

Asur asked Aug 01 '11 03:08



1 Answer

SSL certificates are really identities. The difference between a client certificate and a server certificate is that a client certificate identifies a person (or the software acting on their behalf) and a server certificate identifies a service (or the machine hosting that service). Cryptographically, you can use either as the actual client side identity of an SSL connection, but the other side (the server on that particular connection) has to accept the certificate; most people don't put the Distinguished Name of servers into the database of acceptable identities. There are also the Extended Key Usage constraints that might or might not be present; if present, they could enforce the separation between server and client certificates (don't hack things to ignore policy requirements, please!) but I've no idea if that will actually apply to your situation. The rules there are a bit intricate.

In short: you can do it, but is it a good idea?

Donal Fellows answered Sep 28 '22 10:09
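The Extended Key Usage rule the answer calls "a bit intricate" is, for this question, the RFC 5280 one: if the EKU extension is absent the certificate is unrestricted, and if it is present it must list id-kp-clientAuth (or anyExtendedKeyUsage) before the certificate may act as a TLS client. The following is an added example, not code from the question or answer: a small pure-Python DER decoder for the EKU value that applies that rule. The EKU byte strings at the bottom are constructed for the example, not extracted from any real certificate; a real check would take the extension value out of a parsed certificate.

```python
# Added example: decide whether a certificate's Extended Key Usage (EKU)
# extension permits use as a TLS client identity (RFC 5280 section 4.2.1.12).
# Absent extension -> any purpose; present -> must contain clientAuth or
# anyExtendedKeyUsage. Input is the DER-encoded ExtKeyUsageSyntax value.

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
ANY_EKU = "2.5.29.37.0"             # anyExtendedKeyUsage

def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for one DER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length (0x8n + n bytes)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]     # first byte packs the first two arcs
    value = 0
    for b in raw[1:]:                      # remaining arcs are base-128, MSB = continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def parse_eku(der):
    """Parse ExtKeyUsageSyntax (SEQUENCE OF OBJECT IDENTIFIER) into OID strings."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, raw, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("EKU entries must be OBJECT IDENTIFIERs")
        oids.append(_decode_oid(raw))
    return oids

def usable_as_client(eku_der):
    """True if a cert with this EKU value (None = extension absent) may act as a TLS client."""
    if eku_der is None:
        return True                        # no EKU extension: no restriction
    oids = parse_eku(eku_der)
    return CLIENT_AUTH in oids or ANY_EKU in oids

# Constructed EKU values (DER): a typical web-server cert and a dual-use cert.
SERVER_ONLY = bytes.fromhex("300a06082b06010505070301")
SERVER_AND_CLIENT = bytes.fromhex("301406082b0601050507030106082b06010505070302")
```

With a web-server certificate carrying only serverAuth, `usable_as_client(SERVER_ONLY)` is False, which is exactly the separation the answer describes; a certificate issued with both purposes passes.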