What is a client certificate authentication ? (SSL/TLS Web)

About

Client certificate authentication is a certification based authentication mechanism where the client identifies itself to the server by sending a signed certificate.

A Client certificate is also known as:

  • end-user certificate.
  • device certificate

The server just needs to verify the certificate to authenticate the client.

This is part of the SSL handshake.

Because a client certificate is a keystore that contains

it's also known as a identity certificate

Because of the private key, it should be passphrase protected and is therefore generally stored in a p12 keystore

In the certificate usages (extended), this authentication is also known as the SSL/TLS Web Client Authentication or client authentication for short.

Usage: Two-factor

Multi-Factor Authentication (Mfa / 2fa): You can configure an application (such as a web site) so that any user wishing to connect is required to provide:

Configuration

The configuration is the inverse of the server one.

In a server configuration,

  • the server has:
    • its signed certification
    • and its own private key
  • the client has the trusted certificate authority.

while in a client configuration:

  • the client has:
    • its signed certification
    • and its own private key
  • the server has the trusted certificate authority.

Nginx Example

See for instance for nginx: How to configure certification based client authentication with Nginx ?

How to revoke a client certificate ?

A revoked certificat is a certificat that is in a list containing all revoked certificat. See the following page for revocation management: How to revoke a certificat with the Certificate Revocation List (CRL) ?

Certificate Data

A client certificate has the following extensions:

How to test/debug/ check a client certificate ?

See How to debug / test a TLS / SSL connection ?

How to create/issue?

See How a certificate is signed ? (known also as issuing or producing)





Discover More
Certificate Validity Period Not Before Not After Portecle
CA Certificate

A CA certificate is a certificate used by a certificate authority to sign certificate. In the chain, it's the Root certificate or the intermediate certificates. Most organizations create an intermediate...
Certificate Validity Period Not Before Not After Portecle
How a certificate is signed ? (known also as issuing or producing)

This article talks how a certificate: is send by a sender (known also as the owner) and gets its signature from a trusted ca to validate the identity of the sender. By signing a certificate, the...
400 Default Page No Required Ssl Certificate
How to configure certification based client authentication with Nginx ?

This article shows you how to configure a client authentication via the ownership of a certificat on a Nginx web server. The server should be already configured for HTTPS as client certificate (client...
Download Jdbc Cassandra
How to connect to Cassandra Cloud AstraDb with JDBC ?

This article shows you how you can connect to an AstraDb database with Jdbc. Download the JDBC driver at datastax Create a new driver with...
Ssl Test Server Www
How to debug / test a TLS / SSL connection ?

This article shows you how to see a SSL connection (handhsake) to debug any problem with configuration for: a server authentication or client authentication Check your firewall. Your port should...
Web Site Certificate
How to enable SSL on a server (ie HTTPS on a web server) ?

This page shows you how to configure a certificate and a private key for a server in order to enable SSL or a web server (http) (ie web site) in order to enable https (ie HTTP over SSL).
Certificate Validity Period Not Before Not After Portecle
Identification Material - X.509 Certificate (or Public Key Certificate) - Crt

A certificate is a document which permits to define with certainty the owner of the private key (ensures that the party you are communicating with is whom you think.) because it's digitally signed A certificate...
Certification Chain Path Chrome Dev
Root Certificate

A root certificate is a CA certificate that is located at the top of the certificate chain. A root ca is a certificate authority certificate that is self signed. This example shows you how to create...
SSL - Handshake (Negociation)

This page describes the TLS handshake process. The TLS handshake process is the first step in a SSL connection where the two parties (client and server): verifies the identity of each other via certification...
Certificate Usage
What are the possible usages of a cryptographic certificate?

A certificate may have one or more several usages. This articles list them and show you how to discover the usage also known as certificat purpose. extensions A certificate can be used for one or...



Share this page:
Follow us:
Task Runner