SSL Client Certificate authentication

  • Is it possible to make a program which uses client certificate authentication with only public and private key (I have not generated any certificate, I have only public and private key).

    Simply, I want to make authentication on server with client certificate authentication. But it is hard to make client certificate programmatically.

    I want to make client certificate authentication with only public and private key (I have only public and private key, no certificate).

    It is possible to send server public key instead of client certificate for client certificate authentication ?

  • tylerl

    tylerl Correct answer

    8 years ago

    Certificates are just the public key with some added context. The name of the key, signatures, usage guidelines, etc. SSL/TLS depends on that context. Otherwise the host you're connecting to won't know whether the key genuinely belongs to you or not. The SSL trust mechanism is built on the concept of explicitly trusted certificates and then the implicitly trusted certificates that they sign.

    But if you're not using SSL or TLS, then encryption can still happen without it, but trust has to happen a different way. SSH is a good example of this: SSH still uses public and private keys, but since there is no hierarchy of signatures, the added information that certificates provide wouldn't be useful, so the key is sent bare. Instead, the client asks you whether or not to trust the server's public key the first time it connects, and every time thereafter checks to see if the public key matches what it saw last time. This can happen because SSH does not use SSL or TLS for its encryption.

    But if you're using the SSL protocol, the protocol dictates that the public key must be presented with the added context of the certificate. That is, the certificate is the container that the public key must be placed in for SSL to use it.

    If you have the private key, it's trivial to create a self-signed certificate using a tool like OpenSSL.

    "*This can happen because SSH does not use SSL or TLS for its encryption.*" Nothing would prevent an SSL/TLS client to ask the user whether they trust the server's identity based on the public key in the cert, in the same way as SSH does. It's more the fact that the TLS spec only talks about certificates. (In addition, there are extensions of OpenSSH that support X.509 certificates, so the two concepts are orthogonal in principle.)

    @Bruno the trust mechanism isn't what's is in conflict SSL, it's the fact that there aren't certificates. The point is that the fact that SSH can operate without certificates requires that SSH not use SSL.

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM