Can SSL sockets be used to identify clients? What I am thinking of is, can I configure an SSL socket to only accept connections from clients that have a certificate that I create beforehand?
+2
A:
Typically SSL is used only when the server is authenticated (the client knows the server's identity), but the client remains unauthenticated or anonymous. But SSL can be easily used for authentication of clients. The only requirement is that the client also holds a certificate. By verifying a client's certificate against a Certification Authority you can authenticate your client.
Alexey Kalmykov
2010-02-13 00:29:50
You do not even need the client certificates to be signed by certification authorities, if you trust them. Server certificates are typically unknown to the user beforehand, so some trusted authority (whatever that means) signs them for him.
2010-02-13 03:36:33
@andi5: good point. You would have to populate the server's truststore with all the client certificates. This should be easy to do for reasonable numbers of clients. Otherwise, it is probably easier to be your own CA, and then you only need to put your home-grown CA certificate in the server's truststore and make sure you sign every client cert with this CA certificate.
GregS
2010-02-13 17:46:55
+1
A:
NB it can't be a certificate that you create. By the nature of PKI the client has to create his own private key and certificate.
EJP
2010-02-15 00:22:35
That's the normal case, but it depends on your threat model. If you don't need non-repudiation (the client doesn't care that the maintainer of the server can impersonate him) then the server can create the certificate.
Darron
2010-02-15 00:50:11
(a) How does a private key known to more than one party identify one of them uniquely? (b) How does a private key and certificate issued over the channel you are authenticating authenticate the channel?
EJP
2010-04-09 23:06:14
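As an added example that is not part of this thread: a Go program setting up the truststore arrangement GregS describes, with `tls.RequireAndVerifyClientCert` and a `ClientCAs` pool holding only a home-grown CA, and then checking which clients the server accepts. The helper `issue`, the functions `accepted` and `scenarios`, the CA and client names and the 5-second deadline are assumptions; for brevity one helper both generates each key pair and signs it, whereas in practice, as EJP's answer says, the client makes its own key and the CA signs only a certificate request.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)
// issue mints a key pair and a certificate for name; parent == nil means self-signed (our home-grown CA).
func issue(name string, isCA bool, parent *x509.Certificate, parentKey any) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // errors are ignored throughout for brevity
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: isCA,
		Subject: pkix.Name{CommonName: name}, DNSNames: []string{"localhost"}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil { parent, parentKey = t, key } // self-signed: the template is its own issuer
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}
// accepted dials the server over loopback TCP, presenting certs (possibly none), and reports whether
// the server's handshake succeeded; under TLS 1.3 a rejected client cert can surface on the server only.
func accepted(srv *tls.Config, trust *x509.CertPool, certs ...tls.Certificate) bool {
	ln, _ := net.Listen("tcp", "127.0.0.1:0")
	defer ln.Close()
	go func() {
		cli := &tls.Config{Certificates: certs, RootCAs: trust, ServerName: "localhost"}
		if c, err := tls.Dial("tcp", ln.Addr().String(), cli); err == nil {
			c.Close()
		}
	}()
	c, _ := ln.Accept()
	defer c.Close()
	c.SetDeadline(time.Now().Add(5 * time.Second)) // never hang on a stuck peer
	return tls.Server(c, srv).Handshake() == nil
}
// scenarios: a client cert signed by our CA, no client cert at all, and a cert from an unrelated key.
func scenarios() (signedByOurCA, noCert, stranger bool) {
	ca := issue("home-grown CA", true, nil, nil)
	trust := x509.NewCertPool() // the truststore: only our own CA is trusted (used by both sides here)
	trust.AddCert(ca.Leaf)
	srv := &tls.Config{Certificates: []tls.Certificate{issue("localhost", false, ca.Leaf, ca.PrivateKey)},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trust}
	return accepted(srv, trust, issue("alice", false, ca.Leaf, ca.PrivateKey)), accepted(srv, trust),
		accepted(srv, trust, issue("stranger", false, nil, nil))
}
func main() { fmt.Println(scenarios()) } // prints: true false false
```

The third case fails because the stranger's certificate does not chain to the truststore; a current Go client will not even offer a certificate whose issuer the server did not advertise in its CertificateRequest, so the server then sees no certificate at all and rejects the connection on that ground.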