What exactly do you include in correctly?
As that entry (rightly) explains, the (or each) server must have a key & cert from a CA trusted by the client, and the (or each) client must have a key & cert from a CA trusted by the server. Most clients trust the “well-known” CAs like Verisign and GoDaddy and maybe 10-100 more depending on the client and OS. Some servers similarly trust well-known CAs, but sometimes the organization operating the server also operates or links to a particular CA to issue certs to its clients, and the SSL server trusts that CA. Most if not all clients and servers can be configured to change which CAs they trust.

As it says, the server must “request” the client cert; this is often a separate option. E.g. you must set “request client auth” AND “trust these client CAs: X, Y, Z”. Often there are several options like request but proceed if a client doesn’t agree, or request and refuse to proceed if the client doesn’t agree.

It isn’t said explicitly, but for most SSL/TLS applications and particularly HTTPS, the server cert must correctly name the server, and for most (sane) servers using client auth the client cert must correctly name the client.

For both one-way (server) auth and two-way (server+client) auth, if the cert is issued by a CA using an “intermediate” or “chain” cert – and certs from well-known CAs do – the server or client respectively should be configured with both the entity cert AND the correct intermediate cert (or sometimes a few of them). The CAs usually provide the needed intermediate(s) and instructions for use with common servers, but you have to pay attention to the instructions and follow them. (Although if you want to test/debug with command-line s_server, it does NOT directly support own-chain certs and you must sneak them in via truststore.)

And last, but rarely important, the server cert and the client cert when used must be for keys using the same public key algorithm: RSA, ECDSA, DSA, ECDH, or DH. In practice almost everybody uses RSA and this is not a problem.
You can check these points directly, or you can try making a connection and if it doesn’t work look at the error(s) or other results that you get (such as selection of a different client cert than you expected). Do you have a specific problem you want to diagnose?

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Kaushal Shriyan
Sent: Monday, April 21, 2014 10:14
To: openssl-users@openssl.org
Subject: *** Spam *** Verify Two Way SSL Certificates.

Hi,

Is there a way to test if 2 way ssl certs are installed correctly?

More Info :- http://stackoverflow.com/questions/10725572/two-way-ssl-clarification

Regards,
Kaushal
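The direct checks the reply lists (each cert chains to a CA the other side trusts, with any intermediates supplied; the cert names the right entity; both certs use the same public-key algorithm), as an added shell example that is not from this thread or from OpenSSL itself. It assumes the openssl command-line tool is installed; the CAs and leaf certs (serverca, clientca, rogueca, server, client, ecclient) are constructed throwaway certificates for the demo.

```shell
#!/bin/sh
# Offline checks for the points above: chain verification (with optional
# intermediates), subject name, and matching public-key algorithm on both ends.
# Assumes the openssl CLI. The PKI is constructed in a temp dir for the demo.
set -e
WORK=$(mktemp -d) && cd "$WORK"

mk_ca() {  # self-signed CA: mk_ca <name>
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}
mk_leaf() {  # mk_leaf <name> <ca>; signs an existing <name>.key with the CA
  openssl req -new -key "$1.key" -subj "/CN=$1" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
    -CAcreateserial -out "$1.pem" >/dev/null 2>&1
}

# 1. Does the cert chain to a CA the peer trusts? Any intermediate certs the
#    entity should be configured with are passed via -untrusted.
chain_ok() {  # chain_ok <cert> <trusted-ca-file> [<intermediates-file>]
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}
# 2. Does the cert name the expected entity? (CN only here; servers are
#    normally also checked against subjectAltName.)
cert_cn() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/.*CN=\([^,]*\).*/\1/'; }
names_ok() { [ "$(cert_cn "$1")" = "$2" ]; }
# 3. Do server and client certs use the same public-key algorithm?
key_alg() { openssl x509 -noout -text -in "$1" | sed -n 's/.*Public Key Algorithm: *//p'; }
same_key_alg() { [ "$(key_alg "$1")" = "$(key_alg "$2")" ]; }
# All three together, as each side of the handshake would demand them.
two_way_ok() {  # two_way_ok <srvcert> <ca-client-trusts> <clicert> <ca-server-trusts> <srvname>
  chain_ok "$1" "$2" && names_ok "$1" "$5" && chain_ok "$3" "$4" && same_key_alg "$1" "$3"
}

# Constructed demo PKI: one CA for the server, one for clients, one unrelated.
mk_ca serverca; mk_ca clientca; mk_ca rogueca
openssl genpkey -algorithm RSA -out server.key >/dev/null 2>&1
openssl genpkey -algorithm RSA -out client.key >/dev/null 2>&1
openssl ecparam -genkey -name prime256v1 -noout -out ecclient.key  # mismatched algorithm
mk_leaf server serverca; mk_leaf client clientca; mk_leaf ecclient clientca

two_way_ok server.pem serverca.pem client.pem clientca.pem server && echo "RSA client: OK"
two_way_ok server.pem serverca.pem ecclient.pem clientca.pem server || echo "EC client: key algorithm mismatch"
```

Point chain_ok at your real server cert, the CA file your clients actually trust, and your CA's intermediate bundle to reproduce what a client's verifier would see before opening a connection.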