Client certificates and some common mistakes


I really enjoy working on a good SSL issue.  The technologies are mature and well documented and work the same in most places so the issues are generally straightforward.  There are exceptions of course and they can get hairy.

Normally the biggest issues I see with client certificates is a lack of understanding of what has to be in place for client Certificates to work.

Bottom line:

The client and the server must have a common common trusted CA  
The client must be using a certificate issued by that CA   
The web server must be able to check the revocation listing of the CA
Any Intermediate CAs involved they must also be trusted by both parties

 

That’s it.

 

Some common problems:
The site’s SSL certificate is not a Client Certificate
A copy of an SSL certificate is not a CA certificate
Web hosting companies are not going to trust certificates you issue
A CA certificate is not a client or a server certificate
Installing a client certificate doesn’t mean the client trusts it

If this makes sense then you are probably on the right track to using client certificates.  If any of the above isn’t clear I will be happy to go into depth on how to set up SSL and configure a server to properly use client certificates for authentication.

Thanks for reading.


Comments (0)

Skip to main content