For an IoT project, I want to secure client-server communication. I want both the server (Apache) and the clients to identify/authenticate each other (a client won't communicate with other clients) before clients can post some data.

There is much less information about client certificates. Besides documentation, there are best practices. I would like to know how to set the common name and subject alternative names for clients, as they won't have a domain name and a fixed IP address.

Do I simply tell the server to ignore a mismatch? Can I use a wildcard-only CN (CN=*)? I also would like the cert to identify a specific client. The server needs to be able to tell client 1 apart from client 2, etc.

Thanks!

Saren Tasciyan

1 Answer

What is used as the subject in the client certificate depends on the context. If humans should be identified, commonly an email address or a name is used. If machines should be identified, typically the hostname of the machine is used. In the latter case it is probably best to use a subject alternative name (and maybe the CN too), since a CN by itself does not express the type of the subject (i.e. DNS name, IP address, URL...).

Steffen Ullrich
  • So, I can put "Client 1" as CN and subject alt name and server would accept it? I will need Apache to authenticate my clients. – Saren Tasciyan Sep 03 '18 at 20:25
  • @Genom: you can make the server accept it, check [SSLRequire](https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrequire) for how to restrict what the server accepts. – Steffen Ullrich Sep 03 '18 at 21:06
  • Thanks. This answers my questions (CN and subject alt names can be anything, which can get accepted by the server). – Saren Tasciyan Sep 03 '18 at 21:11
  • In standard HTTPS setups nowadays, the CN is put aside and only the SANs count. – Patrick Mevzek Sep 03 '18 at 23:14
  • @PatrickMevzek: that's standard for client validating _server_, but there is no such standard for server validating _client_, which is the Q here – dave_thompson_085 Sep 04 '18 at 04:14
  • @dave_thompson_085 There is not even a standard for clients, just a loose set of rules not implemented exactly the same on all clients but that all have the global direction of "for DV certificates, the content of the SAN is more important/should be taken first than the Subject". I believe the same reasoning could be used on the server side, for the exact same reason. Machine to machine communications surely do not need OV or EV certificates. – Patrick Mevzek Sep 09 '19 at 16:44
  • For _HTTPS_ client checking server, 2818 is clear that SAN supersedes CN always, independent of the CA's validation, and except implementations that don't check at all I don't know any that violate this. Server checking client isn't specified, and for web many clients don't have a DNS name that could be certified and often none at all. – dave_thompson_085 Sep 12 '19 at 02:10
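Putting the answer and the SSLRequire comment together, here is an added example (not from the question, the answer or the Apache project) of an Apache 2.4 mod_ssl virtual host that only accepts client certificates issued by a private device CA and restricts which CNs may post data. The paths, the CA name, the `device-NNNN` CN scheme and the backend address are assumptions, and mod_headers, mod_proxy and mod_proxy_http are assumed to be loaded.

```apache
# Added example: mutual TLS for an IoT ingest endpoint. Device certs are
# issued by our own CA with a per-device CN such as "device-0042" (assumed
# naming scheme); the CN does not need to be a resolvable name or an IP.
<VirtualHost *:443>
    ServerName iot.example.internal

    SSLEngine on
    SSLCertificateFile    /etc/ssl/iot/server.crt
    SSLCertificateKeyFile /etc/ssl/iot/server.key

    # Trust only the private device CA. Pointing this at a public CA bundle
    # would let any publicly issued certificate authenticate as a "device".
    SSLCACertificateFile  /etc/ssl/iot/device-ca.crt
    SSLVerifyClient       require
    SSLVerifyDepth        1

    # Export SSL_CLIENT_* variables so SSLRequire and mod_headers can use them.
    SSLOptions +StdEnvVars

    <Location "/post">
        # Chain validation alone says "some cert from our CA"; this narrows it
        # to certificates whose issuer and CN match the device scheme.
        # (Apache 2.4 also offers the newer "Require expr" syntax for this.)
        SSLRequire %{SSL_CLIENT_I_DN_O}  eq "Example IoT CA" \
               and %{SSL_CLIENT_S_DN_CN} =~ m/^device-[0-9]{4}$/

        # Pass the verified identity to the application. "set" overwrites any
        # header of the same name sent by the client, so the backend can trust it.
        RequestHeader set X-Device-Id     "%{SSL_CLIENT_S_DN_CN}s"
        RequestHeader set X-Device-Verify "%{SSL_CLIENT_VERIFY}s"

        ProxyPass "http://127.0.0.1:8080/post"
    </Location>
</VirtualHost>
```

With this in place the backend sees `X-Device-Id: device-0042` for an accepted device, and a certificate from the right CA but with a non-matching CN is rejected with 403 before reaching the application.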