About
Client certificate authentication is a certificate-based authentication mechanism where the client identifies itself to the server by sending a signed certificate.
A client certificate is also known as:
- end-user certificate
- device certificate
The server only needs to verify the certificate (and the client's signature proving that it holds the matching private key) to authenticate the client.
This happens during the SSL/TLS handshake.
Because a client certificate is a keystore that contains:
- the signed certificate
- and a private key
it is also known as an identity certificate.
Because of the private key, it should be passphrase-protected and is therefore generally stored in a p12 (PKCS#12) keystore.
In the extended key usage extension of a certificate, this authentication is known as SSL/TLS Web Client Authentication (clientAuth), or client authentication for short.
Usage: Two-factor
Multi-Factor Authentication (MFA / 2FA): you can configure an application (such as a web site) so that any user wishing to connect is required to provide:
- a valid client certificate (something you have: the certificate)
- and a valid user name and password (something you know: the password)
Configuration
The configuration is the inverse of the server one.
In a server configuration:
- the server has:
  - its signed certificate
  - and its own private key
- the client has the trusted certificate authority.
while in a client configuration:
- the client has:
  - its signed certificate
  - and its own private key
- the server has the trusted certificate authority.
Nginx Example
See for instance, for nginx: How to configure certificate-based client authentication with Nginx ?
How to revoke a client certificate ?
A revoked certificate is a certificate that appears in the list of all revoked certificates. See the following page for revocation management: How to revoke a certificate with the Certificate Revocation List (CRL) ?
Certificate Data
A client certificate has the following extensions:
- either no basicConstraints extension, or one with the CA value set to false
- an extendedKeyUsage of clientAuth
How to test/debug/check a client certificate ?
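One way to check a client certificate against the rules of the Certificate Data section (no CA:TRUE, an extendedKeyUsage of clientAuth, and a chain to the CA the server trusts), as an added shell example that is not part of this page. It assumes the openssl command-line tool (1.1.1 or later); the file names client.pem and ca.pem are placeholders.

```shell
# Added example: validate a PEM certificate for TLS client authentication.
# Usage: check_client_cert client.pem ca.pem   (file names are placeholders)
check_client_cert() {
    cert="$1"
    ca="$2"
    text=$(openssl x509 -in "$cert" -noout -text) || return 1

    # Rule 1: no basicConstraints, or basicConstraints with CA:FALSE.
    # A certificate marked CA:TRUE must not serve as an end-user identity.
    if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo "FAIL: $cert is a CA certificate (basicConstraints CA:TRUE)" >&2
        return 1
    fi

    # Rule 2: extendedKeyUsage must include clientAuth, which openssl
    # prints as "TLS Web Client Authentication".
    if ! printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication'; then
        echo "FAIL: $cert lacks extendedKeyUsage clientAuth" >&2
        return 1
    fi

    # Rule 3: the server only holds the trusted CA, so the certificate must
    # verify against it for the sslclient purpose (chain, validity, usage).
    if ! openssl verify -purpose sslclient -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca for client use" >&2
        return 1
    fi
    echo "OK: $cert is a valid client certificate for CA $ca"
}

# Run directly when two arguments are given (stand-alone use).
if [ "$#" -eq 2 ]; then
    check_client_cert "$@"
fi
```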
How to create/issue?
See How a certificate is signed ? (also known as issuing or producing)