Golo Roden

Reputation: 150624

Using a server-side certificate for client-side authentication

Suppose I have a scenario with a web browser and two servers: the first server (web) is internet-facing, the second (worker) is an internal one. Internally web uses worker, but every request from the outside is received by web.

So you always have:

browser -> web -> worker

Now I want to secure both connections using SSL:

In this scenario: Is it okay to re-use the server-side certificate of web as client-side certificate for worker, or is it better to use two individual certificates?

Are there any best practices I should watch out for?

Upvotes: 1

Views: 1322

Answers (1)

There are two aspects here: security aspect and "technical" aspect.

The technical aspect is that the KeyUsage and ExtKeyUsage extensions of the certificate differ between server-side and client-side certificates. Worker will inspect the values of those extensions and complain. This will happen unless you implement a custom validator on the worker (in which case any certificate you want will work).

The security aspect is that if the private key leaks for whatever reason, having different certificates (and so different private keys) increases security to a certain extent.

Upvotes: 2
