
In a TLS communication I always thought the server would send the public certificate to the client during the handshake process.

However, I received a request from a provider asking us to manually install a certificate in order to initiate a TLS communication with one of their stunnel servers.

I'm a bit confused by this request. Is there a situation where a TLS server would not be able to send the certificate to the client and therefore requires a manual certificate installation?

The_Black_Smurf
  • TLS can use certificates to identify the remote party. So there could be 0, 1, or 2 certificates needed for any given exchange between 2 entities. Server certificates are the most common case, especially with HTTPS, but other cases also exist. – Patrick Mevzek May 03 '20 at 16:07

1 Answer

3

There are two cases where a certificate installation is needed on the client side:

  • The server is using a certificate not issued by a public CA, i.e. self-signed or issued by a private CA. In this case the client must import the certificate or CA up front and install it as trusted.
  • The server is requiring client authentication based on certificates, i.e. not only the server authenticates to the client with a certificate but also the client to the server (instead of or in addition to typical passwords). In this case the client has to get a client certificate and matching key and import them so that they can be used for authentication.

It is unclear which of these cases is the one you are dealing with.

Steffen Ullrich
  • I suppose it depends somewhat on how [stunnel](https://www.stunnel.org/) works. – President James K. Polk May 01 '20 at 22:49
  • @PresidentJamesMoveonPolk: It does not depend on how stunnel works in general but on the specific configuration, i.e. which certificates are used in stunnel and if client certificates are required. It is actually irrelevant if the endpoint is stunnel or some web server or mail server or whatever - only the used and required certificates matter. – Steffen Ullrich May 02 '20 at 04:17
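The two cases from the answer, as an added example that is not part of the original post and not stunnel's own code: a standard-library Go program that builds a throwaway private CA, a server certificate and a client certificate in memory, then runs four TLS handshakes over loopback. The CA name, the hypothetical host name stunnel.example, the client name and every certificate are constructed for this example; the verifier on each side is Go's crypto/tls, which applies the same rules (trusted issuer, hostname match, extended key usage) that an stunnel client or server would.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a certificate for cn signed by parent/parentKey, or a self-signed CA when isCA is set.
func issue(cn string, isCA bool, ekus []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           ekus, // nil for the CA; ServerAuth or ClientAuth for leaves, which verifiers check
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	} else {
		tmpl.DNSNames = []string{cn} // SAN needed for hostname verification
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, must(x509.ParseCertificate(der)), key
}

// Constructed in-process PKI standing in for the provider's: private CA, server cert, client cert.
var (
	_, caCert, caKey = issue("Example Private CA", true, nil, nil, nil)
	serverCert, _, _ = issue("stunnel.example", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, caCert, caKey)
	clientCert, _, _ = issue("client.example", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, caCert, caKey)
	caPool           = func(p *x509.CertPool) *x509.CertPool { p.AddCert(caCert); return p }(x509.NewCertPool())
)

// ServerCfg plays the provider's stunnel endpoint; requireClient is the answer's second case.
func ServerCfg(requireClient bool) *tls.Config {
	cfg := &tls.Config{Certificates: []tls.Certificate{serverCert}}
	if requireClient {
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
		cfg.ClientCAs = caPool
	}
	return cfg
}

// ClientCfg plays the connecting client: trustCA = "import the CA as trusted", sendCert = "import a client cert and key".
func ClientCfg(trustCA, sendCert bool) *tls.Config {
	cfg := &tls.Config{ServerName: "stunnel.example", RootCAs: x509.NewCertPool()} // a trust store without the private CA
	if trustCA {
		cfg.RootCAs = caPool
	}
	if sendCert {
		cfg.Certificates = []tls.Certificate{clientCert}
	}
	return cfg
}

// Handshake runs one TLS handshake over loopback and returns the first error either side reports (nil = success).
func Handshake(serverCfg, clientCfg *tls.Config) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		conn := must(ln.Accept())
		defer conn.Close()
		srvErr <- tls.Server(conn, serverCfg).Handshake()
	}()
	raw := must(net.Dial("tcp", ln.Addr().String()))
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	if err := tls.Client(raw, clientCfg).Handshake(); err != nil {
		return err // e.g. x509.UnknownAuthorityError when the CA was never imported
	}
	return <-srvErr
}

func main() {
	for _, c := range [][3]bool{{false, false, false}, {true, false, false}, {true, false, true}, {true, true, true}} { // trustCA, sendCert, requireClient
		fmt.Printf("trustCA=%-5v sendCert=%-5v requireClient=%-5v -> %v\n", c[0], c[1], c[2], Handshake(ServerCfg(c[2]), ClientCfg(c[0], c[1])))
	}
}
```

The first handshake fails with "certificate signed by unknown authority" because the server's issuer is not in the client's trust store, and succeeds once the CA is added to RootCAs; that is the answer's first case. The third fails because the server demands a client certificate the client does not hold, and succeeds only when the client also presents the certificate and key; that is the second case. Which of the two applies to a given stunnel service is set in its configuration (the `cert`/`key`, `CAfile` and `verify` options), which is the point of the comment thread above.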