Solved

SSL Client auth

Posted on 2014-03-21
3
400 Views
Last Modified: 2014-03-21
I read some sites on SSL client auth, but am having trouble wit this concept.

Apparently the client is authroized by n X.509 certificate unique to the client, and no uid and pw is required.

Is this correct, and where does the x.509 client certificate get stored, in the server or the client.

How does htat work
0
Comment
Question by:Anthony Lucia
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 39945892
The concept works this way:

1 A key (cert) is generated and the server Access Control list is updated to include the key

2 When the client connects to the server if a client ssl is required the client checks it's store for the relevant cert (Current user if user based - local machine if computer based)

3 In most instances serial or thumbprint or both or other aspects are matched and the server authenticates the client.

Since certificate based authentication is key pair based the client may in some instances have both the public and private keys, while the server would have a copy of the public or the thumbprint etc depending on how this is designed.


See here for more detailed info:
http://docs.oracle.com/cd/E19424-01/820-4811/aakhe/index.html
0
 

Author Comment

by:Anthony Lucia
ID: 39946000
Regarding the following:

1 A key (cert) is generated and the server Access Control list is updated to include the key

Open in new window


How does this happen.  Is this a manual process, and is the user cert preloaded or forcibly loaded into the server SSL (kind of like the cert authority in regular SSL)  ?
0
 
LVL 29

Accepted Solution

by:
becraig earned 500 total points
ID: 39946051
Any number of ways:

If this is a server to server call, the client server can simply request a certificate from a publicly trusted CA and then share the public key with the Web server requiring client auth.

This can also be done in an enterprise environment by having the Enterprise CA issue the certificate for the clients.

It all depends on the model you wish to implement:
Internal or external solution
Server to server or user to server.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recovering from what the press called "the largest-ever cyber-attack", IT departments worldwide are discussing ways to defend against this in the future. In this process, many people are looking for immediate actions while, instead, they need to tho…
There is a lot to be said for protecting yourself and your accounts with 2 factor authentication.  I found to my own chagrin, that there is a big downside as well.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question