Aladdin

Reputation: 1337

Client Private Key is set as part of client certificate authentication

I'm looking at this example, and I can see that as part of client authentication the user should pass the --key holding the private key used for the certificate signing request to the curl command. I'm not sure why this is needed; if it's for encryption, shouldn't the public key of the server be used?

Upvotes: 0

Views: 1091

Answers (1)

user4925383

Having the certificate itself doesn't prove anything. A certificate is never secret; it can be shared freely, and as such multiple parties could be in possession of a valid client certificate. As part of the TLS handshake with mutual authentication, the client sends a CertificateVerify message to prove it also has the private key matching the certificate it sent in the Certificate message before. With the TLS server already having the client's certificate (and thus its public key), it can verify the signature.

Upvotes: 3
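The mechanism the answer describes, as an added example that is not part of the question or the answer: a self-signed client certificate (standing in for the file curl gets via --cert), the client signing a handshake transcript with its private key (the --key file), and the server checking that signature using only the public key inside the certificate it already received. A second party that holds a copy of the certificate but has only its own key cannot produce an acceptable signature. The transcript string, the certificate's CommonName and the function names are constructed for this example; real TLS 1.3 signs a fixed context string plus the transcript hash rather than the raw transcript, but the trust argument is the same. Uses only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newClientCert issues a self-signed client certificate for key. It stands in
// for the file curl receives via --cert; a real deployment would have a CA
// sign it, but the CertificateVerify logic below is identical either way.
func newClientCert(key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-client"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// clientCertificateVerify is the client's side: sign the SHA-256 hash of the
// handshake transcript with the private key (the --key file). Only the holder
// of that key can produce this value.
func clientCertificateVerify(key *ecdsa.PrivateKey, transcript []byte) ([]byte, error) {
	digest := sha256.Sum256(transcript)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// serverChecksCertificateVerify is the server's side. It already holds the
// client's certificate (and so its public key) from the Certificate message,
// so it can check the signature over the same transcript without any secret.
func serverChecksCertificateVerify(clientCert *x509.Certificate, transcript, sig []byte) error {
	if clientCert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return fmt.Errorf("certificate is not usable for signing")
	}
	// CheckSignature hashes transcript with SHA-256 and verifies the ASN.1 ECDSA
	// signature against the public key embedded in the certificate.
	return clientCert.CheckSignature(x509.ECDSAWithSHA256, transcript, sig)
}

// RunHandshakeCheck runs both cases: the genuine client, and an impostor who
// has a copy of the certificate but not the matching private key. It returns
// whether each CertificateVerify was accepted by the server-side check.
func RunHandshakeCheck() (legitAccepted, impostorAccepted bool, err error) {
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	cert, err := newClientCert(clientKey)
	if err != nil {
		return false, false, err
	}

	// Constructed stand-in for the handshake messages exchanged so far.
	transcript := []byte("ClientHello|ServerHello|Certificate(CN=example-client)")

	// Genuine client: signs with the key that matches the certificate.
	sig, err := clientCertificateVerify(clientKey, transcript)
	if err != nil {
		return false, false, err
	}
	legitAccepted = serverChecksCertificateVerify(cert, transcript, sig) == nil

	// Impostor: presents the same (public) certificate but only has its own key.
	impostorKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	badSig, err := clientCertificateVerify(impostorKey, transcript)
	if err != nil {
		return false, false, err
	}
	impostorAccepted = serverChecksCertificateVerify(cert, transcript, badSig) == nil
	return legitAccepted, impostorAccepted, nil
}

func main() {
	legit, impostor, err := RunHandshakeCheck()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine client accepted: %v\n", legit)
	fmt.Printf("impostor with certificate only accepted: %v\n", impostor)
}
```

Nothing in the server-side function touches a private key: possession of the certificate alone lets the server verify, and possession of the certificate alone does not let a client pass, which is exactly why curl needs --key in addition to --cert.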
