    SSL/TLS client certificates questions

    IT Discussion
    ssl tls certificate https proxy linux mtls
1337:

I want to set up a test: connect to a host over HTTPS but also using an SSL/TLS client certificate. So not just a certificate to authenticate the server but also one to authenticate the client.

This is something new to me, so I have some questions that I hope you guys know the answer to.

How can the client certificate be generated? Should it be self-signed, or should it be a certificate that belongs to the user's domain, for example great-company.com?

I'm thinking about using this for server-to-server communication, but for testing, is it possible to add a client certificate to a standard browser as well, Firefox, Chrome etc.?

      How would you use this at scale? Would you generate one certificate for every server/user?

      What happens if the client has an outbound webproxy? Does the client SSL certificate get lost?


1337:

        Looking around for examples of using client certificates I found that CloudFlare uses it:
        https://developers.cloudflare.com/access/service-auth

        They call it mTLS (Mutual TLS).

        It seems to be a common name for it.


EddieJennings:

          I remember the now defunct Startcom CA did something like this for logging into their site to manage your certificates with them. Other than general curiosity, is there a particular problem you're trying to solve through this?


scottalanmiller @EddieJennings:

            @EddieJennings said in SSL/TLS client certificates questions:

            I remember the now defunct Startcom CA did something like this for logging into their site to manage your certificates with them. Other than general curiosity, is there a particular problem you're trying to solve through this?

            Basically, think of passwords vs keys in SSH. Same difference, but in websites.


1337 @EddieJennings:

              @EddieJennings said in SSL/TLS client certificates questions:

              I remember the now defunct Startcom CA did something like this for logging into their site to manage your certificates with them. Other than general curiosity, is there a particular problem you're trying to solve through this?

I was just looking at different authentication options for having customers (and myself) download files from our servers. Not as regular users, but as admins from within an SSH session or from a script.

              I wanted something as easy as fetching a script with wget but protected from unauthorized access.

Then I came across client certificates, which I didn't know about, and thought that they could be useful for many things, especially unattended server-to-server communication over HTTPS.


1337 @scottalanmiller:

                @scottalanmiller said in SSL/TLS client certificates questions:

                @EddieJennings said in SSL/TLS client certificates questions:

                I remember the now defunct Startcom CA did something like this for logging into their site to manage your certificates with them. Other than general curiosity, is there a particular problem you're trying to solve through this?

                Basically, think of passwords vs keys in SSH. Same difference, but in websites.

                That's exactly what I was thinking.


EddieJennings @scottalanmiller:

                  @scottalanmiller said in SSL/TLS client certificates questions:

                  @EddieJennings said in SSL/TLS client certificates questions:

                  I remember the now defunct Startcom CA did something like this for logging into their site to manage your certificates with them. Other than general curiosity, is there a particular problem you're trying to solve through this?

                  Basically, think of passwords vs keys in SSH. Same difference, but in websites.

                  True. From what I remember, that's exactly what the scenario was.


flaxking:

Domain name doesn't matter, unless you're signing with a public CA. I'd think self-signed vs. internal CA vs. public CA would depend on what the authentication mechanism supports and how you have to manage the certificates (i.e. if there are going to be a ton of them, it might be easier for the authentication mechanism to just trust certificates signed by a certain internal CA rather than having to make each certificate trusted).


1337 @flaxking:
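The internal-CA approach flaxking describes, as an added shell example (not code from the thread or from any of the posters): a tiny CA, one client certificate per server, and the chain check a server performs so that it only has to trust the CA. It assumes `openssl` is on PATH; the CA name and the host names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway internal CA,
# issues per-server client certificates, and shows that only the CA needs
# to be trusted. "Example Internal CA", "server-a" etc. are made-up names.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# The internal CA: a self-signed certificate whose key should stay offline.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Internal CA" -keyout ca.key -out ca.crt 2>/dev/null
}

# Issue a client certificate for one server or user ($1 = identity).
# The private key is generated on the client; only the CSR goes to the CA.
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\n' > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 90 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# What the server checks at the handshake: the presented certificate chains
# to the single trusted CA and is valid for client auth. Returns 0 if accepted.
verify_client() {
  openssl verify -CAfile ca.crt -purpose sslclient "$1" >/dev/null 2>&1
}

# A self-signed certificate from an unknown key ($1 = name): a valid
# certificate on its own, but it must be rejected because nobody vouches for it.
make_rogue() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

make_ca
issue_client server-a
issue_client server-b
make_rogue rogue
for c in server-a server-b rogue; do
  if verify_client "$c.crt"; then echo "$c: accepted"; else echo "$c: rejected"; fi
done
```

The issued `server-a.key`/`server-a.crt` pair is what a script would present with `curl --cert server-a.crt --key server-a.key https://files.example.net/` or `wget --certificate=server-a.crt --private-key=server-a.key`, while the server side keeps only `ca.crt` in its trust list.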

                      @flaxking said in SSL/TLS client certificates questions:

Domain name doesn't matter, unless you're signing with a public CA. I'd think self-signed vs. internal CA vs. public CA would depend on what the authentication mechanism supports and how you have to manage the certificates (i.e. if there are going to be a ton of them, it might be easier for the authentication mechanism to just trust certificates signed by a certain internal CA rather than having to make each certificate trusted).

                      From what I've seen so far, I've come to the same conclusion.
