introduction
(ripped off from Thawte?)
A client cert, also known as a personal certificate, is a digital identity document that can be used to sign digital messages like email and news. It can also be used by other people to encrypt information that is for your eyes only. Once you exchange certificates with your friends or business partners you can correspond over the Internet in complete privacy.
Plenty of CAs offer trial certificates. You can obtain a free client certificate from the Thawte company; it lasts a year. By itself, the web server only checks a client cert to make sure it is valid, e.g. that the expiry date has not passed.
what it is
Client certificates are electronic documents that contain information about clients. These certificates, like server certificates, contain not only this information but also public encryption keys that form part of the SSL security feature of IIS. The public keys, or encryption codes, from the server and the client certificates facilitate encryption and decryption of transmitted data over an open network, such as the Internet. For more information on encryption, see About Encryption.
The typical client certificate contains several items of information: the identity of the user, the identity of the certification authority, a public key that is used for establishing secure communications, and validation information, such as an expiration date and serial number. Certification authorities offer different types of client certificates, which contain differing amounts of information, depending on the level of authentication that is required. For more information, see Obtaining Client Certificates.
what it isn't
When a web site uses client certs as an alternative to logging in, extra checking code must be added. These extra checks make sure the client certificate belongs to a valid user, rather than merely being a valid certificate.
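The two layers of checking described above, as an added Python example that is not part of this page or of IIS: cert_is_valid is what the web server already does (validity period), authenticate_user is the extra application check that binds the certificate to a known account. The certificate dictionary, the issuer name, the serial number and the user directory are constructed placeholders in the shape Python's ssl.SSLSocket.getpeercert() returns.

```python
import ssl
import time

# Constructed sample in the shape Python's ssl.SSLSocket.getpeercert() returns
# for a verified client certificate (placeholder values, not a real cert).
ALICE_CERT = {
    "subject": ((("commonName", "alice@example.test"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Corp Client CA"),)),
    "serialNumber": "0A1B2C3D",
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Jan 10 00:00:00 2026 GMT",
}
# Constructed "current time" so the example behaves the same whenever it is run.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")

# The TLS layer already checks that the cert chains to a trusted CA and is in
# date. What the application must add is a directory binding specific certs to
# known accounts. Keying on (issuer, serial) rather than the bare Common Name
# means a cert that merely *claims* to be alice does not log in as alice.
TRUSTED_ISSUER = "Example Corp Client CA"          # placeholder CA name
USER_DIRECTORY = {(TRUSTED_ISSUER, "0A1B2C3D"): "alice"}

def _rdn_value(name, attr):
    """Pull one attribute out of getpeercert()'s nested subject/issuer tuples."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None

def cert_is_valid(peercert, now=None):
    """The check the web server performs on its own: validity period only."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(peercert["notBefore"])
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    return not_before <= now <= not_after

def authenticate_user(peercert, now=None):
    """The extra application check: the account bound to this cert, or None."""
    if not cert_is_valid(peercert, now):
        return None  # expired or not yet valid: the TLS layer would reject too
    issuer_cn = _rdn_value(peercert["issuer"], "commonName")
    if issuer_cn != TRUSTED_ISSUER:
        return None  # valid cert, but not from the CA we accept for login
    # Bind the certificate itself, not its display name, to an account.
    return USER_DIRECTORY.get((issuer_cn, peercert["serialNumber"]))
```

A certificate that passes cert_is_valid but is not in USER_DIRECTORY is exactly the case the page warns about: the server accepts it, the application must still refuse the login.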
A client cert has nothing to do with server certificates. The server certificate is used to prove to the web browser that the web site is who it says it is, and to encrypt the traffic. This part is managed by the web browser and the web server.
where it is
history