SSL – Mutual SSL authentication – client certificate vs server certificate

Tags: certificate, iis, security, ssl, ssl-certificate

I am setting up a web application which will connect to a remote web service and is required to use a client certificate. My web app uses HTTPS to connect and I have it configured with my existing wildcard certificate for my domain.

Can I use my public key from the wildcard certificate as my client certificate? I'll need to provide it to the remote web service admins so they can add it to the list of trusted client certificates.

Is there any disadvantage to using my wildcard's public key as my client certificate? If I can't/shouldn't do it this way, what kind of certificate can I use instead?

Best Answer

One disadvantage is that your private key may now be on two machines.

A client key should be private, by definition. If it's shared, then it's not private.

That instantly reduces the trust anyone can have in your certificate. All other users of that server (if there are any) cannot now trust it, as its private key is known to be shared.

Your question doesn't state whether you're using your own CA or a commercial CA. If it's commercial, you may be breaking the CA's terms & conditions by sharing the private key.

Best would be to simply create another certificate for your client. If you're running your own CA, simply create another certificate. If it's commercial, either purchase a new certificate for your client or get a free one. Either way, if your certificate will have an Extended Key Usage field, make sure it contains 'Client Authentication' (instead of 'Server Authentication').

As you clarified, your setup is one machine acting as a client and a server. In this situation you need to be aware of the slight difference in the certificate profiles for server authentication and client authentication:

A server certificate will have the DNS name of the server as either its Common Name (CN) or Subject Alternative Name (SAN), or both. A client certificate will usually have your email address as a CN, although there is no reason it can't be anything else.

The Extended Key Usage extension for a server certificate should be server authentication, while for a client certificate it should be client authentication. This may cause issues.
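To make the EKU point concrete, here is an added Go example (not part of the original answer) that mints two self-signed test certificates, one with the server profile and one with the client profile, and checks each the way a remote service's TLS stack validates a presented client certificate. The names, the self-signed stand-ins for CA-issued certificates, and the pinned-trust setup are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSigned mints a short-lived self-signed cert standing in for a CA-issued one; eku selects the profile.
func selfSigned(cn string, sans []string, eku x509.ExtKeyUsage) *x509.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn}, // server profile: DNS name; client profile: usually an e-mail
		DNSNames:     sans,                      // Subject Alternative Name entries (server profile only)
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{eku}, // the Extended Key Usage field the answer says to get right
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// acceptedForClientAuth does what the remote service's TLS stack does with a presented client cert:
// chain it to a trusted cert (here itself, as if the remote admins had added it) and require clientAuth.
func acceptedForClientAuth(cert *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

func main() {
	wildcard := selfSigned("*.example.com", []string{"*.example.com"}, x509.ExtKeyUsageServerAuth)
	client := selfSigned("webapp@example.com", nil, x509.ExtKeyUsageClientAuth)
	fmt.Printf("wildcard as client cert: %v, dedicated client cert: %v\n", acceptedForClientAuth(wildcard), acceptedForClientAuth(client)) // false, true
}
```

The wildcard certificate fails with an incompatible-usage error because its only EKU is server authentication, which is exactly the mismatch the answer warns about.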