For two-way verification, is it necessary to import the certificate from both sides?

+4  A: 

The short answer is no, you don't need it.

Instead of importing each side's certificate, what should be imported in both client and server is the CA certificate, so when the server or client certificate changes you don't need to import them again, and that allows the server not to import all the client certificates.

Another authentication measure almost everybody forgets when implementing some kind of authentication based on certificates is how to check them for validity. You should not only check that the certificate has not expired and that it is valid (it is correctly signed by a trusted CA), but also check that the certificate has not been revoked (imagine that somebody has leaked their own private key and their certificate shouldn't be trusted anymore).

To check for revoked certificates, the most common methods are OCSP, which has less overhead when checking a single certificate but needs permanent online connectivity to an OCSP server (it could be your own CA), or periodically importing the published CRL.

Fernando Miguélez
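The checks the answer describes, as an added Go example that is not the asker's or answerer's code: the server trusts only the CA certificate, so a client certificate it has never imported verifies, a revoked one is rejected against a CA-signed CRL, and a certificate from a different CA fails. The PKI is constructed in memory with Ed25519 keys, and `issue`, `issueCRL` and `verifyClient` are hypothetical names (Go 1.21+ standard library only).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"math/big"
	"slices"
	"time"
)
// issue mints a constructed test certificate signed by parent, or a self-signed CA when parent is nil.
func issue(serial int64, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if parent == nil {
		parent, pkey = tmpl, key // self-sign the CA
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// issueCRL returns the DER of a CA-signed CRL listing the revoked serials, as the CA would publish it.
func issueCRL(ca *x509.Certificate, caKey ed25519.PrivateKey, serials ...int64) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificateEntries = append(tmpl.RevokedCertificateEntries, x509.RevocationListEntry{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der, _ := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	return der
}
// verifyClient is the server-side check from the answer: chain and validity period against the one trusted CA
// (no per-client imports), then revocation against the periodically imported CRL; any doubt fails closed.
func verifyClient(cert, ca *x509.Certificate, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err // unknown issuer or outside the validity period
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(ca) != nil || time.Now().After(crl.NextUpdate) {
		return errors.New("CRL unparsable, not signed by our CA, or stale")
	}
	if slices.ContainsFunc(crl.RevokedCertificateEntries, func(e x509.RevocationListEntry) bool { return e.SerialNumber.Cmp(cert.SerialNumber) == 0 }) {
		return errors.New("certificate revoked")
	}
	return nil
}
```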