LinuxQuestions.org

exceed1 04-21-2008 09:13 AM

What is 2-way SSL and the difference between one and two way
 
Hi

I've been setting up SSL certificates for a while (standard SSL and wildcards), but now I need to set up some two-way SSL certificates. I'm not asking that someone should explain all about what the differences between one- and two-way SSL are, but does someone have a great/good guide that explains what it is and maybe how to set it up? It's going to be used with Apache. All help is appreciated, as always.

acid_kewpie 04-21-2008 09:29 AM

Well, Google has plenty of hits, some interesting-looking PDF docs there

http://www.google.co.uk/search?hl=en...G=Search&meta=

Also, the standard Apache howtos are useful... http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html

exceed1 04-22-2008 03:28 AM

Thank you for spending your time answering, but did you really think that I didn't google first? Do I always have to type in the first post that I have been googling? I see that there are some very minimal explanations of what two-way SSL (yes, there are a lot more, but that's pretty much on regular SSL or two-way with use in app servers) is in the results (and yes, I've tried several search terms), and that won't give me a full understanding of it... but I could probably use that... but the problem is that I can't find any _good_ guide, or a guide at all, about how to set up two-way SSL from scratch. I mean, do you order it the same way as a regular standard SSL certificate... and if you have to order it like a regular certificate... where do you go from there... what's different... I'm kinda looking for a guide that _explains_ and wants you to _understand_.

acid_kewpie 04-22-2008 04:40 AM

Well, you said you wanted some guides, so I pointed you to some guides... Within Apache it's pretty trivial to configure a client-side certificate requirement... There's no specific "two way" setup, it's just multiple things which work in isolation from each other. Again, another guide which seems to cover it all off pretty well... http://blogs.ittoolbox.com/security/...ificates-11500 Do you have specific questions here?

exceed1 04-23-2008 09:26 AM

Yeah, well, thanks for the link, but in the comments on that page they say that the article contains several errors, and I don't understand what this has to do with "two-way SSL", since he seems to only be talking about regular SSL stuff.

- I am again asking this question since it hasn't been answered and this was what I was wondering (see topic of the thread)... what is the difference between a regular and a two-way certificate?
- When setting up a two-way certificate, do you then buy a regular certificate at fex. Thawte and install that?
- Is a regular SSL certificate and a two-way certificate only different when it comes to fex. the configuration of Apache?
- Could you explain why someone would want a two-way certificate compared to a regular one?

What two-way certificates are seems to be covered poorly pretty much everywhere.

acid_kewpie 04-23-2008 09:43 AM

OK, getting threads crossed... I read the title, but your thread then said "i'm not asking for someone to explain the differences..."

Anyway.

There is no such thing as a two-way SSL certificate. There are two certificates involved, but they are essentially separate. It's only the overall solution and concept that is two-way. Within raw config there are two isolated parts: server-side SSL and client-side SSL. If I may, I think your view that the documentation of this is vague comes from the fact that, as above, in itself it's not a real thing, just a combination of things. And I've not heard of "fex" before... who's or what's that?

In terms of motivation, it's about knowing who your client is to a certain level. Where I work we have a wholesale ISP to whom we report ADSL faults. In order for us to access the site at all we need to provide them with one of their signed certificates, in order to prove that we are who we say we are to a given level of confidence. This goes well against the logic of something like a public IP being allowed access. Often a private website online will only allow known customer IP addresses to connect to them, but that can be a horrible mess to administer, so instead they can say to customers like us that when we go to their site we must provide them with a valid certificate that they trust, irrespective of where they are. Many, many other examples of course, but that's one I deal with every day. It's also very common for clustered systems, SOAP/XML interchanges happening over Apache, to require both parties involved to present a certificate to ensure mutual trust.

exceed1 04-24-2008 07:10 AM

Ok, that made it a little clearer :)

When it comes to what "fex" means, it's just a short name for the words "for example".

So if I understand you correctly, then you have a server that is secured with a regular certificate and you have the client that must use a certificate to authenticate against the server, right? If what I'm saying here is true, then what kind of certificate is used by the client, is it a self-signed certificate or a certificate bought from a certificate authority (CA)? ...And how do you authenticate to the server using your client certificate, do you have the certificate installed in the browser...

acid_kewpie 04-24-2008 07:34 AM

It's whatever certificate is deemed suitable for the situation. Note that there's nothing special about a Thawte certificate in terms of technology, they were simply given implicit trust by much of the security industry. Who's to say you are any less honest than them? Maybe you are the one to say that, in which case your systems are free to be configured to accept your signed certificates as well as (or maybe even instead of) commercially signed ones.
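
The two isolated parts described in this thread, written out as an Apache mod_ssl configuration. This is an added example, not part of any poster's message; the host name, file paths, log name and organisation name are placeholders chosen for illustration.

```apache
# Added example. Every path, host name and organisation name is a placeholder.
<VirtualHost *:443>
    ServerName faults.example.com

    # Part 1: server-side SSL ("regular" SSL).
    # The server proves its identity to the client with its own certificate.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/server.crt
    SSLCertificateKeyFile /etc/ssl/example/server.key

    # Part 2: client-side SSL.
    # CA certificate(s) trusted to have issued *client* certificates.
    # This can be your own private CA and does not have to be the CA
    # that signed the server certificate above.
    SSLCACertificateFile /etc/ssl/example/client-ca.crt

    # Default is "none" (one-way SSL). "require" makes the handshake
    # fail unless the client presents a certificate that validates.
    SSLVerifyClient require

    # Depth 1: the client certificate must be signed directly by a CA
    # in SSLCACertificateFile; no intermediate CAs are accepted.
    SSLVerifyDepth 1

    # Trusting a CA admits every certificate that CA has signed.
    # Narrow access to one customer by checking the certificate subject.
    # (SSLRequire is the 2.0/2.2 form; 2.4 deprecates it in favour of
    # "Require expr".)
    <Location /reports>
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Example Customer Ltd"
    </Location>

    # Expose SSL_CLIENT_* variables to CGI/SSI applications.
    SSLOptions +StdEnvVars

    # Record who authenticated, for audit.
    CustomLog logs/ssl_client_log \
        "%t %h %{SSL_CLIENT_VERIFY}x \"%{SSL_CLIENT_S_DN}x\" \"%r\" %>s"
</VirtualHost>
```

Removing the three Part 2 directives leaves an ordinary one-way SSL site, which is why no separate "two-way certificate" product exists.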

exceed1 04-24-2008 08:44 AM

OK, thanks for the quick reply. How does the client authenticate with the server if it's, for example, a web server, is the certificate installed in the client's browser?

acid_kewpie 04-24-2008 08:45 AM

Yes, you tend to get a popup box saying that the server is requesting a certificate and wants you to choose which one to send it. If you have no certificate, it'll usually just fail silently with a server error.

exceed1 04-24-2008 09:22 AM

Thanks for your help with this problem acid_kewpie :)


All times are GMT -5.