Two-way SSL clarification

Question

I am somewhat confused as to how two-way SSL works   How does the client create its certificate to send to the server   Is it generated from the server and distributed to the client   Also  what is the advantage of two-way SSL over one-way SSL

User · Answer

In two way ssl the client asks for servers digital certificate and server ask for the same from the client  It is more secured as it is both ways  although its bit slow  Generally we dont follow it as the server doesnt care about the identity of the client  but a client needs to make sure about the integrity of server it is connecting to

User · Answer

Both certificates should exist prior to the connection  They re usually created by Certification Authorities  not necessarily the same    There are alternative cases where verification can be done differently  but some verification will need to be made    The server certificate should be created by a CA that the client trusts  and following the naming conventions defined in RFC 6125    The client certificate should be created by a CA that the server trusts   It s up to each party to choose what it trusts   There are online CA tools that will allow you to apply for a certificate within your browser and get it installed there once the CA has issued it  They need not be on the server that requests client-certificate authentication   The certificate distribution and trust management is the role of the Public Key Infrastructure  PKI   implemented via the CAs  The SSL TLS client and servers and then merely users of that PKI   When the client connects to a server that requests client-certificate authentication  the server sends a list of CAs it s willing to accept as part of the client-certificate request  The client is then able to send its client certificate  if it wishes to and a suitable one is available   The main advantages of client-certificate authentication are    The private information  the private key  is never sent to the server  The client doesn t let its secret out at all during the authentication  A server that doesn t know a user with that certificate can still authenticate that user  provided it trusts the CA that issued the certificate  and that the certificate is valid   This is very similar to the way passports are used  you may have never met a person showing you a passport  but because you trust the issuing authority  you re able to link the identity to the person    You may be interested in Advantages of client certificates for client authentication   on Security SE

User · Answer

What you call  Two-Way SSL  is usually called TLS SSL with client certificate authentication    In a  normal  TLS connection to example com only the client verifies that it is indeed communicating with the server for example com  The server doesn t know who the client is  If the server wants to authenticate the client the usual thing is to use passwords  so a client needs to send a user name and password to the server  but this happens inside the TLS connection as part of an inner protocol  e g  HTTP  it s not part of the TLS protocol itself  The disadvantage is that you need a separate password for every site because you send the password to the server  So if you use the same password on for example PayPal and MyPonyForum then every time you log into MyPonyForum you send this password to the server of MyPonyForum so the operator of this server could intercept it and try it on PayPal and can issue payments in your name   Client certificate authentication offers another way to authenticate the client in a TLS connection  In contrast to password login  client certificate authentication is specified as part of the TLS protocol  It works analogous to the way the client authenticates the server  The client generates a public private key pair and submits the public key to a trusted CA for signing  The CA returns a client certificate that can be used to authenticate the client  The client can now use the same certificate to authenticate to different servers  i e  you could use the same certificate for PayPal and MyPonyForum without risking that it can be abused   The way it works is that after the server has sent its certificate it asks the client to provide a certificate too  Then some public key magic happens  if you want to know the details read RFC 5246  and now the client knows it communicates with the right server  the server knows it communicates with the right client and both have some common key material to encrypt and verify the connection

[ssl] Two-way SSL clarification

Examples related to ssl

Examples related to two-way