OpenSSL client certificates vs server certificates

Solution 1

Server Certificates:

Server certificates are the identity of a server, presented by it during the SSL handshake.

Typically they are issued by a certificate authority (CA) well known to the client. The basis on which the certificate is issued is possession of some publicly known identifier of that server; for a web server it is the hostname of the server, which is used to reach the server.

Example:-  http://blog.8zero2.in/

Server certificate

Server Certificates Purpose

clearly mentioned by the x509 extension parameter

Certificate Key usage:

 1. Signing
 2. Key Encipherment

Signing :- It means that the key in the certificate can be used to prove the identity of the server mentioned in the CN of the certificate, that is, entity authentication.

Key Encipherment :- It means the key in the certificate can be used to encrypt the session key (symmetric key) derived for the session.

Client Certificate :-

Client certificates, as the name indicates, are used to identify a client or a user. They are meant for authenticating the client to the server. The purpose of holding a client certificate varies: it may represent possession of an email address or a MAC address, usually mapped to the serial number of the certificate.

Client Certificates Purpose

clearly mentioned by the x509 extension parameter

Certificate Key usage:

 1. Signing

Solution 2

1) The article you link is a good one :-). To put it another way: there is a field in the certificate that says what use(s) it is allowed to be used for. When you create/request a certificate, you are asking for a certificate for a particular use, and the CA signs it on that basis.

It is more secure to use different certificates for different purposes and to ensure that each certificate can only be used for its intended purpose. (Or if you want to be cynical, CAs make you buy separate client and server certs so they get more sales.)

For instance, you might want your web server to be able to identify itself as your company for serving purposes, but not want that same certificate to be able to be used to sign outgoing connections to other businesses.

2) You are correct.
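Both answers come down to the same thing: the x509 key usage and extended key usage extensions say what a certificate may be used for, and OpenSSL checks them. The script below is an added example, not code from either answer: it builds a throwaway CA, a server certificate (digitalSignature + keyEncipherment, EKU serverAuth) and a client certificate (digitalSignature only, EKU clientAuth), then asks `openssl verify -purpose` whether each one is acceptable as an SSL server and as an SSL client. The hostname blog.8zero2.in is taken from Solution 1; the CA name, the client CN, the file names and the one-day validity are assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not from the original answers): show that the key usage /
# extended key usage extensions decide whether a certificate passes
# "openssl verify -purpose sslserver" or "-purpose sslclient".
# Assumed: the openssl CLI (1.1.1 or 3.x) is on PATH. Names below are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal request config so nothing depends on the system openssl.cnf.
# The CN here is a placeholder; -subj overrides it on every request.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF

# Extension profiles. The server profile matches Solution 1's description
# (Signing + Key Encipherment); the client profile has Signing only.
cat > "$WORK/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
cat > "$WORK/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:blog.8zero2.in
EOF
cat > "$WORK/client.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# make_cert NAME SUBJECT: generate a key and CSR, then sign it with the CA
# (the CA itself is self-signed) using the matching NAME.ext profile.
make_cert() {
    name="$1"; subject="$2"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$name.key" 2>/dev/null
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/$name.key" \
        -subj "$subject" -out "$WORK/$name.csr" 2>/dev/null
    if [ "$name" = ca ]; then
        openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
            -days 1 -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" \
            -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
            -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
    fi
}

# purpose_result NAME PURPOSE: prints "accepted" when the chain verifies AND
# the leaf's usage/EKU extensions allow PURPOSE (sslserver or sslclient),
# otherwise "rejected" (openssl reports "unsupported certificate purpose").
purpose_result() {
    if openssl verify -CAfile "$WORK/ca.pem" -purpose "$2" \
            "$WORK/$1.pem" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

make_cert ca     "/CN=Example Test CA"
make_cert server "/CN=blog.8zero2.in"
make_cert client "/CN=prabu@example.invalid"

for name in server client; do
    for purpose in sslserver sslclient; do
        printf '%-7s certificate as %-9s: %s\n' \
            "$name" "$purpose" "$(purpose_result "$name" "$purpose")"
    done
done
```

Run it as `sh check_purpose.sh`: the server certificate is accepted only as sslserver and the client certificate only as sslclient. Swapping the roles fails even though both chains are valid, which is exactly the separation Solution 2 describes; a TLS library doing the same purpose check is what stops a client certificate from being presented as a server identity.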

Author: Prabu

Updated on January 05, 2020

Comments

  • Prabu, over 4 years ago

    I have some basic questions on certificates. Let me first explain my understanding on SSL authentication.

    SSL/TLS basically has two main things,

    1. Authentication - to make sure we are communicating to the correct party on both end.
    2. Encryption - encrypt the actual data transferred between both end.

    Certificates have the public key and some additional information. SSL communication between Client (say 'C') and Server (say 'S') works like this,

    1. C initiates the request to S.
    2. S sends its public key to C.
    3. C verifies the identity of S. (Server identity verification or server authentication)
    4. C sends its public key to S.
    5. S verifies the identity of C. (Client identity verification or client authentication)
    6. C generates a symmetric or session key (say 'K'), encrypts it with S's public key and sends it to the server.
    7. Now both C and S have the shared symmetric key which will be used for encrypting the data.

    Here I believe steps 4 and 5, meant for client authentication, are optional. Correct me if I am wrong.

    Steps 1 to 5 involve the asymmetric mode of encryption, i.e. only for 'Authentication', and after that it involves the symmetric mode of encryption for the actual data transfer between them.

    My questions are as follows,

    1. I have read from this link (related to IIS server) that there are two types of certificates. One is the client certificate and the other is the server certificate. I thought the one on the client side who initiates the request is the client certificate and the other is the server certificate. What is the difference between client and server certificates w.r.t. OpenSSL? Is there any difference in the CN name in these certificates w.r.t. OpenSSL?

    2. I was asked to use client certificates for authentication. Does it mean that we are bypassing server authentication and using only client certificates for authentication? I don't think so. As per my understanding, client authentication should be done in addition to the server authentication. Correct me if I am wrong here.