0

We have an API whose SSL certificate is signed by an authorized CA. Access to the API is limited. The API is accessed from a web app, and only from those clients who have a valid public key for SSL. Now, how can I distribute the public key to the clients, or issue the SSL certificate only to the authorized clients who need to access both the web app and the API?

abc33k
  • 3
  • 3

1 Answer

0

At the start of a TLS/SSL handshake, the server will send its certificate, containing its public key, to any client who initiates a connection. You cannot keep the public key secret.

Instead, consider using TLS/SSL client authentication. Like the server, the client will also possess a certificate, public key and private key. Both the client and the server will verify each other's certificates during the handshake. You can ensure that only authorised clients possess client certificates.

Alternatively, use any application layer authentication protocol you wish.

Irfan434
  • 719
  • 5
  • 7
  • But initially, how can I issue or distribute a client certificate to the client machine? – abc33k Aug 07 '19 at 04:30
  • Safest way is to get them to generate a CSR (certificate signing request), which you will then sign with a private key. – Irfan434 Aug 07 '19 at 12:34
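A worked version of the workflow from the answer and its comment thread, as an added example (not code from the original post), using Python's `cryptography` package: the client generates its own private key and a CSR, a private CA signs only CSRs whose subject is on an allow-list of approved clients, and the server is configured to trust only that CA and to require a client certificate. The CA name, client names and allow-list are assumptions for illustration; the allow-list stands in for whatever onboarding approval you actually use. `server_accepts` spells out the checks a TLS stack performs on the presented client certificate so you can see them fail for a certificate from a different CA; in production you let the TLS stack do this (as `server_tls_context` configures) and add validity-period and revocation checks.

```python
import ssl
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

DAY = datetime.timedelta(days=1)


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def make_ca(name="Example Client CA"):
    """Private CA (name is an assumption) whose only job is signing client certs."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject).issuer_name(subject)          # self-signed root
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - DAY).not_valid_after(_now() + 3650 * DAY)
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def client_generate_csr(common_name):
    """Client side: the private key is created here and never leaves the
    client; only the CSR (PEM bytes) is sent to the CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .sign(key, hashes.SHA256())                         # proof of possession
    )
    return key, csr.public_bytes(serialization.Encoding.PEM)


def ca_sign_csr(ca_key, ca_cert, csr_pem, allowed_names, days=365):
    """CA side: verify the CSR's self-signature, check the requested name
    against the (assumed) allow-list, then issue a client-auth-only leaf."""
    csr = x509.load_pem_x509_csr(csr_pem)
    if not csr.is_signature_valid:
        raise ValueError("CSR signature invalid: requester does not hold the private key")
    cn = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    if cn not in allowed_names:
        raise PermissionError(f"{cn!r} is not an authorised client")
    cert = (
        x509.CertificateBuilder()
        .subject_name(csr.subject).issuer_name(ca_cert.subject)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - DAY).not_valid_after(_now() + days * DAY)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


def server_accepts(ca_cert, client_cert_pem):
    """Server side, spelled out: issuer is our CA, signature verifies under
    the CA key, and the leaf is marked for TLS client authentication."""
    cert = x509.load_pem_x509_certificate(client_cert_pem)
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False
    return ExtendedKeyUsageOID.CLIENT_AUTH in eku


def server_tls_context(ca_cert):
    """The real server-side setting: trust only our private CA for client
    certificates and refuse handshakes that present none.  load_cert_chain()
    with the server's own CA-signed certificate is still needed before use."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cadata=ca_cert.public_bytes(serialization.Encoding.PEM).decode())
    return ctx


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    _client_key, csr_pem = client_generate_csr("client-01")
    leaf_pem = ca_sign_csr(ca_key, ca_cert, csr_pem, allowed_names={"client-01"})
    print("issued cert accepted:", server_accepts(ca_cert, leaf_pem))
    rogue_key, rogue_ca = make_ca("Rogue CA")          # same CSR, different CA
    rogue_pem = ca_sign_csr(rogue_key, rogue_ca, csr_pem, allowed_names={"client-01"})
    print("rogue-CA cert accepted:", server_accepts(ca_cert, rogue_pem))
```

The split matters: the client keeps its private key, the CA only ever sees the CSR, and the server never needs a per-client secret, just the CA certificate. Distributing the CA certificate to the server (and the server's own CA-signed certificate to clients for the other direction of the handshake) is all the "key distribution" that remains, and neither of those is secret.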