
Is a CA certificate the same as a client certificate?

If not, how can I get a client certificate? If yes, how can I use it as a client certificate?

Sorry for the dumb question.

Thanks in advance.

marc_s
lil

1 Answer


Server certs and client certs are just certs; they only have different properties. Everyone in the certification tree (including the end users and certificate issuers) has a certificate, usually an X.509 certificate.

The certification authorities are organized in a tree structure (the depth of the tree is not fixed):

Root certification authority of a country (level 0)
  Certification authority 1 (level 1)
    Certification authority 1.1 (level 2)
      End-user 1.1.1 
      End-user 1.1.2
      ...
    Certification authority 1.2 (level 2)
    ... 
  Certification authority 2 (level 1)
  ...

The certificate of an end user is signed by the certification authority at the leaf of the tree. Each certification authority also has a certificate, which is signed by its parent certification authority.

The certificate of the root certification authority (level 0) is signed by this root CA itself.

Take an example: certification authority A has a child certification authority B, and certification authority B issues a cert for end user C.

For this example: the cert that B is holding and the cert that C is holding are different. B's cert is signed by A, and C's cert is signed by B. These certs are definitely different as well, because the contents of the certs are different.

Regarding how to get a certificate, there are 2 ways: (1) find a certification authority and buy a cert from them, (2) use certificate generation software to create your own cert. However, the cert issued by a CA has validity by law; the one generated by yourself can't be used to sign anything legally, and thus the cert generated by yourself can be used as a test cert only.

A certificate file (.cer, .p12, etc.) can be imported into a browser; for the Chrome browser: open 'Settings' --> 'Advanced' --> 'HTTPS/SSL' --> 'Manage certificates' --> 'Import'. A .cer file is an X509 certificate (no private key); a .p12 file is a PKCS12 certificate (containing the private key). Not all certificates are trusted by the browser; only those certs issued by a CA in a certification tree whose root CA is known by the browser are trusted.

jondinham
  • We have a server certificate from a CA which, when checked, can be used for client authentication. Do we need to buy a client certificate to use it for authentication? – lil Jan 18 '13 at 06:03
  • For testing purposes, you can generate certificates for your clients from your server. The generated cert files would be .p12 files which are signed using your server cert. After that, send these .p12 files to your clients for authentication. – jondinham Jan 18 '13 at 06:15
  • (And of course, your server cert issued by a CA can be used for authentication to other services as long as these services accept this cert.) Bear in mind that server certs and client certs are just certs; they only have different properties. – jondinham Jan 18 '13 at 06:22
  • Do we need to install the certificate on all browsers of the client computers to which we would like to give access (authenticate)? – lil Jan 18 '13 at 07:01
  • Most likely all browsers will use the same cert store of the client machine's operating system, so importing using 1 browser is enough. – jondinham Jan 18 '13 at 07:34
  • We have a certificate issued by GoDaddy; it is on the server. Can we distribute it (.cer is an X509 certificate) as a client certificate (without private key) for authentication? – lil Jan 18 '13 at 10:04
  • X509 (.cer) doesn't contain a private key, which means it can't be used to sign or encrypt. For authentication (like login, logout, etc.), .p12 is required because a p12 file has both private key + public key. – jondinham Jan 18 '13 at 11:50
  • Thank you paul, currently I am assigning a separate IP for the subdomain. I hope I can resolve my issue with your help. – lil Jan 20 '13 at 05:54
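
The A → B → C example from the answer, as an added Go example that is not part of the original answer or comments: it builds the chain, then verifies C and a self-made cert D against a verifier that trusts only root A. The names (`issue`, `demo`, "CA A", "CA B", "End-user C", "Self-made D") and the choice of Ed25519 keys are assumptions made for the illustration; note that each private key is returned separately from its certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue returns a cert for cn plus its separately held private key; a nil parent means self-signed.
func issue(cn string, ku x509.KeyUsage, eku []x509.ExtKeyUsage, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0, KeyUsage: ku, ExtKeyUsage: eku}
	if parent == nil {
		parent, pkey = t, key // self-signed: the cert is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// demo builds the A -> B -> C chain (constructed names) and verifies with only root A trusted.
func demo() (cAsClient, cAsServer, selfMade error) {
	client := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	a, aKey := issue("CA A", x509.KeyUsageCertSign, nil, nil, nil)
	b, bKey := issue("CA B", x509.KeyUsageCertSign, nil, a, aKey)
	c, _ := issue("End-user C", x509.KeyUsageDigitalSignature, client, b, bKey)
	d, _ := issue("Self-made D", x509.KeyUsageDigitalSignature, client, nil, nil)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(a)
	inters.AddCert(b)
	o := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: client}
	_, cAsClient = c.Verify(o) // nil: C chains to A via B and permits client auth
	_, selfMade = d.Verify(o)  // error: D has no path to a trusted root
	o.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	_, cAsServer = c.Verify(o) // error: C's extended key usage is client auth only
	return
}

func main() {
	fmt.Println(demo())
}
```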