ServerA and ServerB are the web servers. ServerA wishes to communicate with ServerB. Can ServerA use its server certificate as a client certificate during mutual authentication?
-
What has this got to do with Tcl? – Donal Fellows Aug 01 '11 at 08:09
1 Answer
SSL certificates are really identities. The difference between a client certificate and a server certificate is that a client certificate identifies a person (or the software acting on their behalf) and a server certificate identifies a service (or the machine hosting that service). Cryptographically, you can use either as the actual client-side identity of an SSL connection, but the other side (the server on that particular connection) has to accept the certificate; most people don't put the Distinguished Name of servers into the database of acceptable identities. There are also the Extended Key Usage constraints that might or might not be present; if present, they could enforce the separation between server and client certificates (don't hack things to ignore policy requirements, please!) but I've no idea if that will actually apply to your situation. The rules there are a bit intricate.
In short: you can do it, but is it a good idea?

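The two gates the answer describes, exercised end to end with the openssl CLI. This is an added example, not code from the question or the answer: it assumes openssl 1.1.1 or 3.x is installed, builds a throwaway private CA, issues the same server key two ways (a typical serverAuth-only certificate and one that also carries clientAuth), and then applies both checks a receiving server would: does the chain verify for the TLS *client* purpose, and is the certificate's subject DN in a (constructed) allowlist of accepted identities. The hostname servera.example and the allowlist file are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original question/answer). Assumes the openssl CLI.
# Everything is written under $WORK; nothing depends on the system openssl.cnf.

WORK="${TMPDIR:-/tmp}/eku-demo.$$"

# Build a throwaway CA plus two certs for the same server key/CSR:
#   servera_server_only.crt  EKU = serverAuth           (typical web server cert)
#   servera_dual.crt         EKU = serverAuth, clientAuth
make_test_certs() {
    [ -f "$WORK/servera_dual.crt" ] && return 0      # already generated
    mkdir -p "$WORK" || return 1

    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    cat > "$WORK/leaf.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = servera.example
EOF
    printf '[ext]\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:servera.example\n' \
        > "$WORK/server_only.ext"
    printf '[ext]\nextendedKeyUsage = serverAuth, clientAuth\nsubjectAltName = DNS:servera.example\n' \
        > "$WORK/dual.ext"

    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/leaf.cnf" \
        -keyout "$WORK/servera.key" -out "$WORK/servera.csr" >/dev/null 2>&1 || return 1
    for profile in server_only dual; do
        openssl x509 -req -days 1 -in "$WORK/servera.csr" \
            -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
            -extfile "$WORK/$profile.ext" -extensions ext \
            -out "$WORK/servera_$profile.crt" >/dev/null 2>&1 || return 1
    done
}

# Gate 1: the EKU constraint. OpenSSL's sslclient purpose rejects a certificate
# whose EKU is present but lacks clientAuth; a certificate with no EKU at all is
# treated as unconstrained and passes.
eku_allows_client() {
    openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$1" >/dev/null 2>&1
}

# Gate 2: the server-side identity database. $2 is a constructed allowlist of
# subject DNs (RFC 2253 form, one per line); a server's DN only passes if
# someone deliberately added it.
subject_accepted() {
    dn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=//')
    grep -qxF -- "$dn" "$2"
}

# Both gates must pass for the peer to be accepted as a client identity.
accept_as_client() {
    eku_allows_client "$1" && subject_accepted "$1" "$2"
}

# Demo: same subject in both certs, so only the EKU decides gate 1.
make_test_certs || { echo "cert generation failed (is openssl installed?)" >&2; exit 1; }
printf 'CN=servera.example\n' > "$WORK/allowed_clients.txt"   # constructed allowlist
for c in servera_server_only servera_dual; do
    eku=$(openssl x509 -noout -ext extendedKeyUsage -in "$WORK/$c.crt" 2>/dev/null | tail -n 1)
    if accept_as_client "$WORK/$c.crt" "$WORK/allowed_clients.txt"; then
        echo "$c [$eku]: accepted as client identity"
    else
        echo "$c [$eku]: rejected"
    fi
done
```

Expected: servera_server_only is rejected at gate 1 with "unsupported certificate purpose", servera_dual passes both gates. Empty the allowlist and servera_dual is rejected at gate 2 even though its EKU is fine, which is the "most people don't put the Distinguished Name of servers into the database" point. Reissuing a server's certificate with clientAuth added, rather than relaxing the verifier, is the route that keeps the policy intact.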
-
Both ServerA and ServerB can act as a consumer as well as a service provider according to their need. So should both servers have a client certificate and a server certificate? – Asur Aug 01 '11 at 09:38
-
I believe it is a server-side decision whether they "accept" a server certificate as a client certificate. Can someone suggest which popular servers do that and which do not? – Devs love ZenUML Mar 04 '21 at 06:05