What is ssl client certificate
OpenSSL client certificates vs server certificates
I have some basic questions on certificates. Let me first explain my understanding on SSL authentication.
SSL/TLS basically has two main things,
- Authentication - to make sure we are communicating to the correct party on both end.
- Encryption - encrypt the actual data transferred between both end.
Certificates have the public key and some additional information. SSL communication between Client (say 'C') and Server (say 'S') works like this,
- C initiates the request to S.
- S sends its public key to C.
- C verifies the identity of S. (Server identity verification or server authentication)
- C sends its public key to S.
- S verifies the identity of C. (Client identity verification or client authentication)
- C generates symmetric or session key (say 'K') and encrypt it with S public key and send it to the server.
- Now both C and S have the shared symmetric key which will be used for encrypting the data.
Here I believe steps 4 and 5 meant for Client Authentication is optional. Correct me If I am wrong.
Steps 1 to 5 involves asymmetric mode of encryption i.e only for 'Authentication' and after that it involves symmetric mode of encryption for actual data transfer between them.
My questions are as follows,
I have read from this link (related to IIS server) that there are two types of Certificates. One is client certificate and the other is server certificate. I thought the one in the client side who initiates the request is client certificate and the other is server certificate. What is the difference between client and server certificate w.r.to OpenSSL. Is there any difference in CN name in these certificates w.r.to OpenSSL ?
I was asked to use Client Certificates for authentication. Does it mean that we are bypassing server authentication and using only client certificates for authentication. I don't think so. As per my understanding, client authentication should be done in addition to the server authentication. Correct me if I am wrong here.Source: stackoverflow.com