Thanks. I think I get it.

Charles
-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jakob Bohm
Sent: Monday, August 27, 2012 10:19 AM
To: openssl-users@openssl.org
Subject: Re: Why key file in *client* certificate situation?

On 8/27/2012 3:46 PM, Charles Mills wrote:
> I'm just trying to understand the SSL protocol -- this is not an alleged bug or an "issue."
>
> In OpenSSL s_client, or for that matter, in my client test program, an attempt to use a *client* certificate fails unless I also specify -key or call SSL_CTX_use_PrivateKey_file().
>
> Why? What role does the private key play with a *client* certificate? My understanding -- admittedly perhaps flawed -- is that the role of a client certificate is solely to authenticate the client. Isn't that role complete with just a CA-signed certificate? There's no encryption based on the client certificate, right? So what role does the key play? If none, why does OpenSSL fail without it?
>

Basic principle: A certificate is not secret, it is a public statement by a CA that a public key matches a private key belonging to a certain person or other entity.

So just sending the client *certificate* to the server would prove nothing and is not useful as authentication. Just as handing someone a (paper) business card doesn't prove it is *your* business card.

Signing some part of the SSL exchange with the client's private key and sending along the certificate to tell the server what the public key is and as proof of what identity is proven by the signature does prove a lot. So that is what SSL does. And that is why an SSL client needs the private key of the client certificate (if any).

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
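The proof-of-possession point Jakob makes above can be seen with the openssl command-line tool alone. The script below is an added example written for this page, not code from the thread or from the OpenSSL project; it assumes the `openssl` CLI is installed and stands in for the TLS handshake with a constructed transcript string that the "server" asks the "client" to sign. A genuine client signs with the private key matching its certificate; an impostor who holds a copy of the certificate but a different private key produces a signature that does not verify against the public key inside that certificate, which is exactly why the certificate alone is worthless as authentication.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): a certificate is public,
# so presenting it proves nothing; only a signature made with the matching
# private key does. Requires the openssl CLI (assumed available on PATH).
set -e

# demo_proof_of_possession DIR
#   Creates a client key + self-signed certificate, an impostor key, and a
#   constructed "handshake transcript"; signs the transcript with both keys
#   and verifies each signature against the public key taken from the
#   certificate. Prints "genuine=<0|1> impostor=<0|1>" and succeeds only
#   when the genuine signature verifies and the impostor's does not.
demo_proof_of_possession() {
  dir="$1"

  # Genuine client: private key and the certificate that wraps its public key
  # (self-signed here; in the thread's scenario a CA would sign it).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/client.key" \
      -out "$dir/client.crt" -subj "/CN=demo-client" -days 1 >/dev/null 2>&1

  # Impostor: has obtained client.crt (it is public) but owns a different key.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$dir/impostor.key" >/dev/null 2>&1

  # Server side: all it has from the presented certificate is the public key.
  openssl x509 -in "$dir/client.crt" -pubkey -noout > "$dir/client.pub"

  # Constructed stand-in for the handshake data the client must sign
  # (TLS signs a transcript of the exchange in its CertificateVerify message).
  printf 'constructed-handshake-transcript-nonce-1234' > "$dir/transcript.bin"

  # Each party signs the transcript with the key it actually holds.
  openssl dgst -sha256 -sign "$dir/client.key" \
      -out "$dir/genuine.sig" "$dir/transcript.bin"
  openssl dgst -sha256 -sign "$dir/impostor.key" \
      -out "$dir/impostor.sig" "$dir/transcript.bin"

  # Server verifies both signatures against the certificate's public key.
  genuine_ok=0
  openssl dgst -sha256 -verify "$dir/client.pub" -signature "$dir/genuine.sig" \
      "$dir/transcript.bin" >/dev/null 2>&1 && genuine_ok=1
  impostor_ok=0
  openssl dgst -sha256 -verify "$dir/client.pub" -signature "$dir/impostor.sig" \
      "$dir/transcript.bin" >/dev/null 2>&1 && impostor_ok=1

  echo "genuine=$genuine_ok impostor=$impostor_ok"
  [ "$genuine_ok" -eq 1 ] && [ "$impostor_ok" -eq 0 ]
}

# Stand-alone run: expected output is "genuine=1 impostor=0".
workdir=$(mktemp -d)
demo_proof_of_possession "$workdir"
rm -rf "$workdir"
```

This is the same check a TLS server performs when it receives the client's Certificate and CertificateVerify messages, which is why `s_client` refuses to proceed with `-cert` but no `-key`: without the private key it could present the certificate but could never produce the signature the server will demand.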