For Mutual Authentication, the client must contain the CA certificate of the Server and its own Certificates, and the server must contain the CA certificate of the Client and its own Certificates. In this way, the Server may contain multiple CA-Certificates for different clients? Is this correct? In this way the Server may be loaded with various Client Certificates? Can anyone please mention a few of the applications which use Mutual Authentication?
1 Answer
The server will indeed have and announce to the client (during the SSL handshake) a list of trusted client CAs, and the client will have to provide a client certificate signed by a CA on that list.
You said: "In this way Server may be loaded with various Client Certificates?" I guess you meant "Client CA". The server wouldn't be pre-loaded with the actual client cert, unless it's a self-signed (root) cert.
At work, I see SSLMA used between technical components that need to be talking to each other for security-sensitive functionality. E.g. webapp1 -> webservice2, if webservice2 is doing something that you don't want to expose to everyone in the network. Webapp1 may have authenticated and authorized the end-user; but if webservice2 isn't set up to authenticate/authorize the end-users, it may suffice to have webservice2 accept a limited number of SSLMA clients, including webapp1.
On the internet, I haven't seen that much use of SSLMA (from browser to website), but there are cases, e.g. to log on to some government or banking websites. Typically, the client cert is then installed on a smartcard. I can think of only a few examples in a Belgian context, not sure if that would help you.
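Added illustration (not part of the answer above): a small Go program that builds the server side of what the answer describes, a trust list holding several client CAs, and then applies the check Go's crypto/tls runs on the presented client certificate when `ClientAuth` is `RequireAndVerifyClientCert`. The CA names, "webapp1" as client identity and the unlisted CA are constructed for the demo; no files or network are involved.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue returns an Ed25519 key and certificate for cn: a self-signed CA, or a client certificate signed by parent.
func issue(cn string, ca bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour), IsCA: ca, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}} // leaf defaults
	if ca { // a CA signs certificates (including its own) and is not itself a TLS client
		t.KeyUsage, t.ExtKeyUsage, parent, parentKey = x509.KeyUsageCertSign, nil, t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// mtlsServer builds the server-side TLS config: require a client certificate and trust only the listed client CAs.
func mtlsServer(clientCAs ...*x509.Certificate) *tls.Config {
	cfg := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: x509.NewCertPool()}
	for _, ca := range clientCAs { // one pool can hold a CA per partner; crypto/tls sends these names in CertificateRequest
		cfg.ClientCAs.AddCert(ca)
	}
	return cfg
}

// admits runs the check crypto/tls applies to the presented client certificate at handshake time.
func admits(cfg *tls.Config, clientCert *x509.Certificate) bool {
	_, err := clientCert.Verify(x509.VerifyOptions{Roots: cfg.ClientCAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

func main() {
	acmeCA, acmeKey := issue("ACME Client CA", true, nil, nil)
	bankCA, _ := issue("Bank Client CA", true, nil, nil)
	otherCA, otherKey := issue("Unlisted CA", true, nil, nil)
	cfg := mtlsServer(acmeCA, bankCA) // webservice2 trusts two client CAs and knows nothing of the third
	webapp1, _ := issue("webapp1", false, acmeCA, acmeKey)
	stranger, _ := issue("webapp1", false, otherCA, otherKey) // same name, but the issuer is not on the list
	fmt.Println(admits(cfg, webapp1), admits(cfg, stranger)) // true false
}
```

Note that the server never stores the client's own certificate, only the CA that signed it; a certificate with the same name from a CA outside the list is rejected.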