  • Client Certificate Authentication (Part 1) By Priyanka Pillai

    Client Certificate Authentication (Part 1)

     

    Here is a screenshot describing the SSL/TLS Handshake:

    • Client sends CLIENT HELLO as described in the above image
    • Upon receiving the CLIENT HELLO, if the server is configured for Client Certificate Authentication, it will send a list of Distinguished CA names and a Client Certificate Request to the client as a part of the SERVER HELLO, in addition to the other details depicted above.
    • Upon receiving the Server Hello containing the Client Certificate request & list of Distinguished CA names, the client will perform the following steps:
      • The client uses the CA list available in the SERVER HELLO to determine the mutually trusted CA certificates.
      • The client will then determine the Client Certificates that have been issued by the mutually trusted Certification Authorities.
      • The client will then present the client certificate list to the user so that they can select a certificate to be sent to the Server.
    NOTE:
    • On the client, each Client Certificate must have a Private Key. If it is absent, the certificate is ignored.
    • If the server doesn’t provide the list of Distinguished CA Names in the SERVER HELLO, then the client will present the user with all the client certificates that it has access to.
    • Upon selection, the client responds with the following messages:
      • ClientKeyExchange message, which contains the Pre-master secret.
      • Certificate message, which contains the Client certificate (it doesn’t contain the private key).
      • CertificateVerify message, which is used to provide explicit verification of a client certificate. This message is sent only if the Client Certificate message was sent. The client is authenticated by using its private key to sign a hash of all the messages up to this point. The recipient verifies the signature using the public key of the signer, thus ensuring it was signed with the client’s private key. Refer to RFC 5246 for more details.
    • After this, the client and server use the random numbers and the Pre-Master secret to generate symmetric (or Master) keys, which will be used for encrypting and decrypting messages for further communication.
    • Both respond with ChangeCipherSpec, indicating that they have finished the process.
    • The SSL handshake is now complete, and both parties own a copy of the master key, which can be used for encryption and decryption.
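
The client-side selection step and the two NOTE rules above can be modelled as follows. This is an added example, not code from the original article or from any TLS stack. `ClientCert`, `select_candidates` and the store contents are hypothetical, and matching a CA name anywhere in the issuer chain (not only the direct issuer) is an assumption that generalizes the article's wording.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ClientCert:
    subject: str            # subject DN of the client certificate
    issuer_chain: tuple     # issuer DNs, direct issuer first, root last
    has_private_key: bool   # True if the store holds the matching private key

def normalize_dn(dn):
    # Simplified comparison (assumption): ignore case and spacing around RDNs.
    # Real DN matching compares the decoded X.501 name, not a string.
    return ",".join(part.strip().lower() for part in dn.split(","))

def select_candidates(store, acceptable_cas):
    """Return the certificates a client would offer the user to choose from."""
    # Certificates without a private key are ignored: the client could not
    # produce the CertificateVerify signature for them.
    usable = [c for c in store if c.has_private_key]
    # No CA names from the server: offer every usable certificate.
    if not acceptable_cas:
        return usable
    wanted = {normalize_dn(dn) for dn in acceptable_cas}
    # Keep certificates whose chain contains a CA the server named.
    return [c for c in usable
            if any(normalize_dn(i) in wanted for i in c.issuer_chain)]

# Constructed sample store (not real certificates).
STORE = [
    ClientCert("CN=alice", ("CN=Example Issuing CA", "CN=Example Root CA"), True),
    ClientCert("CN=alice-archived", ("CN=Example Issuing CA", "CN=Example Root CA"), False),
    ClientCert("CN=alice-vpn", ("CN=Other Root CA",), True),
]

if __name__ == "__main__":
    for ca_list in (["cn=example root ca"], ["CN=Unknown CA"], []):
        names = [c.subject for c in select_candidates(STORE, ca_list)]
        print(ca_list or "(no CA names sent)", "->", names)
```

An empty result for a non-empty CA list is the case to check first when a browser shows no certificate prompt: the server's CA list and the client certificate's issuing chain have no name in common.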

    Client Certificate Authentication (Part 2)

  • Original article: https://www.cnblogs.com/chucklu/p/15672109.html