1

When implementing Mutual TLS using https://learn.microsoft.com/en-us/aspnet/core/security/authentication/certauth?view=aspnetcore-5.0 I see they are comparing the thumbprint of the client certificate to the thumbprint of the server certificate. But are these always guaranteed to be the same in production? Doesn't one only contain the public key and the other contains both the private and public keys? And if that was the case, wouldn't they have different thumbprints?

user1178376
  • 928
  • 2
  • 10
  • 24
Andrew
  • 152
  • 12
  • `I see they are comparing the thumbprint of the client certificate to the thumbprint of the server certificate` -- can you please quote this place? I didn't find it. Comparing client and server certificates is pointless because these two are always different. – Crypt32 Jun 03 '21 at 18:52
  • @Crypt32 Search for "MyCertificateValidationService". – Andrew Jun 03 '21 at 18:54

1 Answers1

2

I found your point there and here is the answer, one paragraph before

Because the same self-signed certificate is used in this example, ensure that only your certificate can be used.

for some reason they chose to use same certificate for server and client (maybe for simplicity?) which is indeed a *BAD* practice in real world. Sharing same certificate between different entities never was a good idea. Client and server certificates must be different.

Certificate-based client authentication is more difficult, because you need to have a an account directory to validate client certificate against. For example, Active Directory. This directory should implement certificate <-> principal mapping. When you receive the certificate, you search for principal in directory and if found, you can uniquely distinguish clients, validate their permissions, rights and perform logging.

If no mapping found -- reject authentication, because you don't know the client.

If you don't care in distinguishing clients, then you clearly don't need mutual authentication.

And never hardcore client certificates/thumbprints in code, because they are periodically changed, therefore external account directory (which is updated using out-of-band process) is necessary.

Though, you can implement the logic when arbitrary clients can connect to your server only when they have certificate issued by your private CA. It is valid scenario. In this case, you don't need external account directory and you validate that client certificate is issued by exact, or by one of pre-defined CAs in the list, then you allow subsequent communication. But they still are anonymous to your system.

Edits based on your additions:

If your case fits last paragraph, then:

  • validate general chain (i.e. time validity, extensions, revocation, etc.)
  • validate that immediate issuer is in the explicit list of approved by you CAs (private)
Crypt32
  • 12,850
  • 2
  • 41
  • 70
  • So you are saying instead of `if (clientCertificate.Thumbprint == cert.Thumbprint)` I should do `if (clientCertificate.Issuer == cert.Issuer)`? Is that enough, or are there any other properties of [X509Certificate2](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2?view=net-5.0) I should use? – Andrew Jun 03 '21 at 19:27
  • My scenario matches your last paragraph. I don't care who the client is if they present an approved certificate. – Andrew Jun 03 '21 at 19:30
  • Issuer compare is OK only when you need to restrict access to some group where you can't distinguish individuals. – Crypt32 Jun 03 '21 at 19:30
  • I've updated my answer with bottom section. – Crypt32 Jun 03 '21 at 19:37
  • Is it right to say that in order to uniquely distinguish each client requires an ability to connect to active directory/LDAP and may also require customization to the out-of-the box TLS implementation available in standard web/application servers, let's say for thumbprint check? Are there any web servers that provide this feature by default? – user1178376 Sep 22 '21 at 16:59