Solved

SSL Client auth

Posted on 2014-03-21
3
389 Views
Last Modified: 2014-03-21
I read some sites on SSL client auth, but am having trouble wit this concept.

Apparently the client is authroized by n X.509 certificate unique to the client, and no uid and pw is required.

Is this correct, and where does the x.509 client certificate get stored, in the server or the client.

How does htat work
0
Comment
Question by:Anthony Lucia
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 39945892
The concept works this way:

1 A key (cert) is generated and the server Access Control list is updated to include the key

2 When the client connects to the server if a client ssl is required the client checks it's store for the relevant cert (Current user if user based - local machine if computer based)

3 In most instances serial or thumbprint or both or other aspects are matched and the server authenticates the client.

Since certificate based authentication is key pair based the client may in some instances have both the public and private keys, while the server would have a copy of the public or the thumbprint etc depending on how this is designed.


See here for more detailed info:
http://docs.oracle.com/cd/E19424-01/820-4811/aakhe/index.html
0
 

Author Comment

by:Anthony Lucia
ID: 39946000
Regarding the following:

1 A key (cert) is generated and the server Access Control list is updated to include the key

Open in new window


How does this happen.  Is this a manual process, and is the user cert preloaded or forcibly loaded into the server SSL (kind of like the cert authority in regular SSL)  ?
0
 
LVL 29

Accepted Solution

by:
becraig earned 500 total points
ID: 39946051
Any number of ways:

If this is a server to server call, the client server can simply request a certificate from a publicly trusted CA and then share the public key with the Web server requiring client auth.

This can also be done in an enterprise environment by having the Enterprise CA issue the certificate for the clients.

It all depends on the model you wish to implement:
Internal or external solution
Server to server or user to server.
0

Featured Post

Defend Your Organization from The Greatest Threats

Looking to fill the gaps in your security? Bring together information from the network, endpoint and threat intelligence feeds to really see what's happening in your organization. Join the WatchGuardians in their adventures fighting cyber crime!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Smart phones, smart watches, Bluetooth-connected devices—the IoT is all around us. In this article, we take a look at the security implications of our highly connected world.
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question