For a project I'm working on I have to generate web server certificate.
As I understand it, server certificates should contain the Server Authentication OID (1.3.6.1.5.5.7.3.1). But as I see all server certificates issued by well known issuers like Verisign contain also Client Authentication OID (1.3.6.1.5.5.7.3.2).
I tried to use certificate with only server authentication OID - seems it works fine.
Questions
Why is the client authentication OID needed for server certificates?
Is it needed for some legacy support or there is another reason for it?
The difference between the two is exactly how they're described.
For using a certificate as a server (on the receiving end of the connection), it must have the Server extended key usage.
In a 2-way SSL connection, where the client (on the initiating end of the connection) presents a certificate back to the server, it must have the Client extended key usage.
If you're never using the certificate as a client cert, you won't need the Client Authentication OID.
I think it is also useful to point out that one of the main distinctions between Client and Server certificates is that:
Server Certificates are used for encryption and decryption of data;
Client Certificates represent a user identity. That is, to prove the client's identity to a remote server.
Related
For normal TLS the client will check that the server I am communicating with is actually on the FQDN matching the CN, hence if the certificate is for a different domain the TLS should not work by default as the certificate is not for this site.
For mTLS when the server is checking the client certificate, can it somehow check the client address matches the CN somehow or is it simply checking the cert matches the key and cert is trusted on the client side? ie if I use the correct client key/cert from any machine on the internet should the server connect if its configured to trust that certificate, or will it require the client to be somehow at specific address?
It depends on the specific use case.
In some cases mTLS is used in server to server to communication, for example with SIP (VoIP). In these cases the client certificate is often expected to contain the domain of the sender, similar to a server certificate. Keeping with the example of SIP: here the different systems can also switch roles (i.e. both sites can initiate a call) and what was former the client certificate is now used as a server certificate.
In other cases the subject is not validated during the TLS handshake but the users identity is extracted from the certificates subject and provided to the application. The application might then do additional checks, like allowing only users from a specific organisation encoded in the subject. Thus, the subject is still relevant even if it is not used inside the certificate validation during the TLS handshake.
I wanted to implement One Way SSL in MQTT. From what I researched, in on way SSL, the client has a stored default cert. It will use this initially stored cert and compared it with the cert from the broker side. If the cert is valid, then they established a secured connection. However, our embedded software engineer says that the client side doesn't need cert, it will just have to get the cert from the broker side then it will use for a secured connection. To summarized, what I understand is the client has a stored cert, and it will compare it with the one the broker has. The engineer says the client doesn't a stored cert, it will just get one from broker.
He already tested it by connecting to our broker with any initially stored cert and it really worked. Now I don't understand how one way SSL really works.
SSL with MQTT works as it does with any other protocol.
There are 2* main modes
Server (broker) only authentication. In this case the client connects to the server (broker), the broker sends it's certificate to the client. The client checks the certificate is issued (signed) by somebody the client trusts, this proves the server (broker) is who it claims to be and can be trusted. The client and server (broker) then do key negotiation in order to set up an encrypted tunnel. The act of checking that the server certificate is issued by a trusted party is to check it is signed by a known CA (certificate authority) certificate, this means the client needs to keep a list of trusted certificates.
Mutual authentication of both client and server (broker). This is pretty much the same as before except the client also sends it's own unique certificate to the server (broker) this is also checked to see that it is issued by a known CA and the CN field is used as the user id of the client.
*There is also pre-shared keys mode which don't use certificates at all.
I have some basic questions on certificates. Let me first explain my understanding on SSL authentication.
SSL/TLS basically has two main things,
Authentication - to make sure we are communicating to the correct party on both end.
Encryption - encrypt the actual data transferred between both end.
Certificates have the public key and some additional information. SSL communication between Client (say 'C') and Server (say 'S') works like this,
C initiates the request to S.
S sends its public key to C.
C verifies the identity of S. (Server identity verification or server authentication)
C sends its public key to S.
S verifies the identity of C. (Client identity verification or client authentication)
C generates symmetric or session key (say 'K') and encrypt it with S public key and send it to the server.
Now both C and S have the shared symmetric key which will be used for encrypting the data.
Here I believe steps 4 and 5 meant for Client Authentication is optional. Correct me If I am wrong.
Steps 1 to 5 involves asymmetric mode of encryption i.e only for 'Authentication' and after that it involves symmetric mode of encryption for actual data transfer between them.
My questions are as follows,
I have read from this link (related to IIS server) that there are two types of Certificates. One is client certificate and the other is server certificate. I thought the one in the client side who initiates the request is client certificate and the other is server certificate. What is the difference between client and server certificate w.r.to OpenSSL ?. Is there any difference in CN name in these certificates w.r.to OpenSSL ?
I was asked to use Client Certificates for authentication. Does it mean that we are bypassing server authentication and using only client certificates for authentication ?. I don't think so. As per my understanding, client authentication should be done in addition to the server authentication. Correct me if I am wrong here.
Server Certificates:
Server Certificates are identitiy of a Server to presented by it during SSL handshake.
Typically they are issued by a certificate authority (CA) well known to client, The basis on which the certificate is issued is possession of some publicly known Identifier of that server, for Webserver its the Hostname of the server, which is used to reach server
Example:- http://blog.8zero2.in/
Server certifictae
Server Certificates Purpose
clearly mention by the x509 extension parameter
Certificate Key usage
1. Signing
2. Key Encipherment
Signing :- It means that the key in the certificate can be used to prove the Identity of the server mentioned in the CN of the cerificate , that is entity Authentication .
Key Encipherment :- It means the key in the in the ceritificate can be used to encrypt the session key ( symmetic key ) derived for the session
Client Certificate :-
Client certificates as the name indicates are used to identify a client or a user.
They are meant for authenticating the client to the server.
Purpose of holding a client certificate varies
It may represent possession of email address or Mac-address , usually mapped to the serial number of the certificate
Client Certificates Purpose
clearly mention by the x509 extension parameter
Certificate Key usage
1. Signing
1) The article you link is a good one :-). To put it another way: there is a field in the certificate that says what use(s) it is allowed to be used for. When you create/request a certificate, you are asking for a certificate for a particular use, and the CA signs it on that basis.
It is more secure to use different certificates for different purposes and to ensure that each certificate can only be used for its intended purpose. (Or if you want to be cynical, CAs make you buy separate client and server certs so they get more sales.)
For instance, you might want your web server to be able to identify itself as your company for serving purposes, but not want that same certificate to be able to be used to sign outgoing connections to other businesses.
2) You are correct.
I am tring to figure out how a secure connection between client and server is established. I tried the SSL example provided by boost::asio library. My question is about the certifacte used by client and server. To be specific, I generated a private key(mykey.pem). Then I used this private key to generate a self-signed certificate(mycert.pem) and I used these files as follow:
Server side:
1)context_.use_certificate_chain_file("mycert.pem", error);
context_.use_private_key_file("mykey.pem", boost::asio::ssl::context::pem, error);
context_.use_tmp_dh_file("dHParam.pem",error);
Client side:
2)ctx.load_verify_file("mycert.pem",error);
With this code the handshake is done perfectly. My question is that how come both the server and client use the same certificate ("mycert.pem") in commands 1 and 2? With this approach a client can pretend to be a server easily.right? Do you think that I missed something here?
The certificate is public information.
It's the private key that allows the entity to prove its identity. The client is guaranteed by the SSL/TLS handshake that only the party with the private key matching the public key in the server certificate can be at the other end with the suitable master secret, so as to be able to decipher the communication. The problem it addresses is whether or not the remote party is indeed the one to which the certificate was issued. (This is similar to checking that the picture on the photo ID matches the person in front of you.)
Configuration of the certificate (and not the private key) on the client side is there to tell it which certificates you are willing to trust. The problem it addresses is whether or not to trust what the certificate say (in particular what it says about the identity of the server). This is normally done using a PKI, so as to build trust via 3rd parties (the CAs). (This is similar to checking that the photo ID itself is genuine, and that you can trust what it says.)
What you've done by trusting this specific server certificate is bypass the use of CAs to make an exception and indicate you were willing to trust this particular certificate to be genuine. (This is fine for a handful of certificates, but using a CA allows your trust structure to be more manageable and add other features, such as the ability to revoke certificates.)
I am somewhat confused as to how two-way SSL works. How does the client create its certificate to send to the server? Is it generated from the server and distributed to the client?
Also, what is the advantage of two-way SSL over one-way SSL?
Both certificates should exist prior to the connection. They're usually created by Certification Authorities (not necessarily the same). (There are alternative cases where verification can be done differently, but some verification will need to be made.)
The server certificate should be created by a CA that the client trusts (and following the naming conventions defined in RFC 6125).
The client certificate should be created by a CA that the server trusts.
It's up to each party to choose what it trusts.
There are online CA tools that will allow you to apply for a certificate within your browser and get it installed there once the CA has issued it. They need not be on the server that requests client-certificate authentication.
The certificate distribution and trust management is the role of the Public Key Infrastructure (PKI), implemented via the CAs. The SSL/TLS client and servers and then merely users of that PKI.
When the client connects to a server that requests client-certificate authentication, the server sends a list of CAs it's willing to accept as part of the client-certificate request. The client is then able to send its client certificate, if it wishes to and a suitable one is available.
The main advantages of client-certificate authentication are:
The private information (the private key) is never sent to the server. The client doesn't let its secret out at all during the authentication.
A server that doesn't know a user with that certificate can still authenticate that user, provided it trusts the CA that issued the certificate (and that the certificate is valid). This is very similar to the way passports are used: you may have never met a person showing you a passport, but because you trust the issuing authority, you're able to link the identity to the person.
You may be interested in Advantages of client certificates for client authentication? (on Security.SE).
What you call "Two-Way SSL" is usually called TLS/SSL with client certificate authentication.
In a "normal" TLS connection to example.com only the client verifies that it is indeed communicating with the server for example.com. The server doesn't know who the client is. If the server wants to authenticate the client the usual thing is to use passwords, so a client needs to send a user name and password to the server, but this happens inside the TLS connection as part of an inner protocol (e.g. HTTP) it's not part of the TLS protocol itself. The disadvantage is that you need a separate password for every site because you send the password to the server. So if you use the same password on for example PayPal and MyPonyForum then every time you log into MyPonyForum you send this password to the server of MyPonyForum so the operator of this server could intercept it and try it on PayPal and can issue payments in your name.
Client certificate authentication offers another way to authenticate the client in a TLS connection. In contrast to password login, client certificate authentication is specified as part of the TLS protocol. It works analogous to the way the client authenticates the server: The client generates a public private key pair and submits the public key to a trusted CA for signing. The CA returns a client certificate that can be used to authenticate the client. The client can now use the same certificate to authenticate to different servers (i.e. you could use the same certificate for PayPal and MyPonyForum without risking that it can be abused). The way it works is that after the server has sent its certificate it asks the client to provide a certificate too. Then some public key magic happens (if you want to know the details read RFC 5246) and now the client knows it communicates with the right server, the server knows it communicates with the right client and both have some common key material to encrypt and verify the connection.
In two way ssl the client asks for servers digital certificate and server ask for the same from the client. It is more secured as it is both ways, although its bit slow. Generally we dont follow it as the server doesnt care about the identity of the client, but a client needs to make sure about the integrity of server it is connecting to.