Cryptography - Public Key Authentication (Certificate-based, Sender Verification)


Public key authentication is a authentication method where the keys of the public key scheme are used as authentication credential for:

Authentication is implemented though digital signature which is a functionality of the public key scheme. See digital signature verification.

In a cert-base authentication, a signed certificate (knwon also as the client certificate) is presented to the server that verifies it with the help of its known public keys (called authorized keys)

See also:



  • the private key remains (only) with the user (The possession of this key is proof of the user's identity. Only a user in possession of a private key that corresponds to the public key located at the server will be able to authenticate successfully.
  • the public keys are stored on the server in a file known as the SSH - Authorized Keys file (on Server)

For the procedure. see Digital signature procedure

Key Manager

The KeyManager is a program (or function) that decides which authentication credentials should be sent to the remote host for authentication during SSL handshake.


You can configure an application (such as a web site) so that any user wishing to connect is required to provide:



The private keys are the identity key.

It then need to be stored and handled carefully, and no copies of the private key should be distributed. The private keys used for user authentication are called identity keys.


For instance, once an SSH server receives a public key from a user and considers the key trustworthy, the server marks the key as authorized in its authorized_keys file. Such keys are called authorized keys.






  • The server authenticate him-self to the client by sending a digital certificate (signed normally by a well known trusted CA).
  • The client verifies it


  • Mutual Authentication, in addition to server authentication, the client also has to present its certificate to the server.
  • The server verifies it
  • If both server and client authenticated themselves, then authentication is a success.

Documentation / Reference

Powered by ComboStrap