Eshwaramoorthy Babu wrote:
> Hi,
> We have a Java SSL client talking to an HTTP server. The server-side SSL is working fine. Now we are planning to use client authentication (server authenticating client). I spoke to the certificate provider (comtrust) regarding this. He suggested that I purchase a user certificate. They also said that for this user certificate a private key is not required. I just need to submit an online form on their website. No CSR is required. Now I will not have a private key in the client's certificate store; instead I will only have the user certificate from comtrust. Will the above work?? My understanding is that the certificate store should also have the private key.
>
> Thanks, Babu

Of course client certificates are also issued for a public/private key pair and (usually) need some kind of CSR. The only technical difference between client and server certificates is which data is included in the X509 certificate.

But if you are using standard browsers it is considerably simpler to issue client certificates, since the process of generating a key pair and the corresponding CSR can be automated in a web application. So the user just goes to a web page, enters his/her data into a form and presses a button (and maybe answers some "Are you sure" dialogs) to generate a key and CSR, which is then stored internally by the browser. And after the certificate is generated it can be imported by pointing the browser to a specific URL. Somehow it can be said that there is no CSR since the user never gets to see one. ;)

One thing to remember when using such techniques is that the new certificate can only be imported by "exactly" the same browser (usually the same browser on the same computer and the same user account) where the initial request has been made. And if you need the same certificate on another computer you probably have to export the certificate on the one computer and import it on the other one. Or use a server-stored certificate storage.
Hope it helps.

Ted ;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
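For the Java client discussed in this thread, the question of whether the certificate store holds a usable private key can be checked directly. The following is an added example, not part of the original messages: the class name `ClientKeyStoreCheck` is hypothetical, and it assumes Java 9 or later, an RSA, EC or DSA key, and a key password equal to the keystore password.

```java
import java.io.Console;
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Collections;

public class ClientKeyStoreCheck {
    // Signature algorithm name for the key type (assumption: RSA, EC or DSA keys only).
    static String sigAlg(PrivateKey key) {
        String a = key.getAlgorithm();
        return "SHA256with" + ("EC".equals(a) ? "ECDSA" : a);
    }

    // True if a signature made with the private key verifies under the certificate's public key.
    static boolean keyMatchesCert(PrivateKey key, Certificate cert) throws Exception {
        byte[] challenge = "proof-of-possession".getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance(sigAlg(key));
        s.initSign(key);
        s.update(challenge);
        Signature v = Signature.getInstance(sigAlg(key));
        try { v.initVerify(cert.getPublicKey()); }
        catch (InvalidKeyException e) { return false; } // certificate holds a different key type
        v.update(challenge);
        return v.verify(s.sign());
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null)
            throw new IllegalArgumentException("usage (from a terminal): java ClientKeyStoreCheck <keystore>");
        char[] pw = console.readPassword("Keystore password: ");
        KeyStore ks = KeyStore.getInstance(new File(args[0]), pw); // detects JKS or PKCS12
        for (String alias : Collections.list(ks.aliases())) {
            // A trusted-certificate entry has no key; only a key entry can answer a TLS challenge.
            Key key = ks.isKeyEntry(alias) ? ks.getKey(alias, pw) : null;
            if (!(key instanceof PrivateKey))
                System.out.println(alias + ": certificate only, no private key");
            else if (keyMatchesCert((PrivateKey) key, ks.getCertificate(alias)))
                System.out.println(alias + ": private key matches certificate");
            else
                System.out.println(alias + ": private key does NOT match certificate");
        }
    }
}
```

An alias reported as "certificate only" is a trusted-certificate entry, which a Java `KeyManager` cannot offer during the TLS handshake because nothing in the store can sign the server's challenge.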