Saturday, May 22, 2010

The difference between a client and server SSL certificate

So what is the difference between client and server Secure Sockets Layer (SSL) certificates? Although client certificates and SSL server certificates both use certificates, they are not directly related to each other. SSL server certificates provide encryption and security functionality. Client certificates provide user authentication functionality. The client certificate identifies the user, the server certificate identifies the server.

Here is the technical difference between the two. The difference lies in the Certificate Extensions. The X.509 standard defines what information can go into a certificate, and describes how to write it down (the data format). X.509 Version 3 is the most recent (1996) and supports the notion of extensions.

This tech note by Mozilla describes the Certificate Extensions in detail. But here are the extensions which are necessary for a client certificate:

basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth


If you want to know how to create such a client certificate, see my last blog entry.

2 comments:

  1. I was not aware of the difference in client certificates and SSL server certificates.But you wrote a nice blog to clarify the concept.Thanks
    digital signature

    ReplyDelete
  2. So at what condition we can use Server certificate and Client Certificate.Can we use these two certificate indiviusaly..

    Thanks,
    Sanjay

    ReplyDelete