SSL – Client certificate authentication with no access to private keys

Tags: certificate, ssl, ssl-certificate, tls

We are trying to set up client certificate authentication for VPN users on a Cisco ASA. The user certificate store is being used to complete the authentication. The problem we are running into is that the user doesn't have rights to access the private key, which in turn results in a certificate validation failure. But my question here is: why do we even need access to the private keys to complete the authentication process?

Best Answer

The public key is - like its name suggests - public. It can thus not alone be used for authorization, since everybody knows it. But only the owner of the private key is able to sign some random challenge, and this signature can then be verified by everybody having access to the public key - in this case the server which has sent this challenge to the client. Thus it is essential that the client has access to the private key. And not only must the client have access to the private key, but it should also be the only one who has access (therefore: "private" key), because everybody who knows the private key can claim the client's identity.

For more information see the basics of Public Key Cryptography.
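The challenge/response the answer describes is exactly what happens in the TLS handshake's CertificateVerify step: the server hands the client something it has never seen before, the client signs it with the private key behind the certificate, and the server checks that signature using only the public key from the certificate. The following Go program is an added illustration (not code from the question, the answer, or Cisco) that models the three parties involved: a genuine client holding the private key, an impostor who knows only the public key, and a replay of an old signature against a fresh challenge. Key generation, the ECDSA P-256 curve and the 32-byte challenge size are assumptions chosen for the example; a real handshake wraps this in the TLS protocol rather than calling these functions directly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// NewChallenge is the server's side: a fresh random nonce that the client has
// never seen, so a previously captured signature cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32) // 32 bytes is an assumption for this example
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// SignChallenge is the client's side: it needs the PRIVATE key. This is the
// step that fails when the user has no rights to the key container.
func SignChallenge(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyChallenge is the server's side again: it needs only the PUBLIC key,
// which it already has from the client certificate.
func VerifyChallenge(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo runs the three scenarios and returns whether each one verified:
// genuine client, impostor with only the public key, replayed old signature.
func Demo() (genuine, impostor, replay bool, err error) {
	// Constructed key pair standing in for the user's certificate and key.
	client, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	challenge, err := NewChallenge()
	if err != nil {
		return
	}

	// 1. The real client holds the private key and can answer the challenge.
	sig, err := SignChallenge(client, challenge)
	if err != nil {
		return
	}
	genuine = VerifyChallenge(&client.PublicKey, challenge, sig)

	// 2. An impostor knows the public key (it is in the certificate) but has to
	//    sign with some other private key; the server rejects that signature.
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	forged, err := SignChallenge(other, challenge)
	if err != nil {
		return
	}
	impostor = VerifyChallenge(&client.PublicKey, challenge, forged)

	// 3. A captured signature from an earlier session does not match the new
	//    challenge, so replaying it also fails.
	fresh, err := NewChallenge()
	if err != nil {
		return
	}
	replay = VerifyChallenge(&client.PublicKey, fresh, sig)
	return
}

func main() {
	g, i, r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine client: %v\nimpostor (public key only): %v\nreplayed signature: %v\n", g, i, r)
}
```

Only the first scenario verifies. That is why the ASA (or any TLS server) cannot accept the certificate alone: presenting the public key proves nothing, and the user account doing the VPN logon must be able to use the private key for the signature, even though the key itself should never leave that machine.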