
Client Certificate vs Server Certificate..Please Guide


luthriaajay

Programmer
Jan 29, 2002
41
FR
1) I have created my own Server Certificate with the keytool command,
and my client application is sending sensitive data over https to
a Servlet.

2) Now, if the Servlet is sending sensitive information back to the client:

2.a) How do I create a Client Certificate so that the server can trust it?
2.b) Where do I store the client certificate?
Do I store the client certificate in the cacerts file?

Normally, all server certificates are stored in the cacerts file so that
the client can trust the server certificate, right?

Now, I would like to create a client certificate and store it, so that
the server can trust it before sending data back to my application.

Please can anyone guide me.

ajay

ajayluthria@hotmail.com
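The keytool steps behind questions 2.a and 2.b, as an added example that is not part of the original thread. It assumes a JDK keytool on PATH; the aliases, file names, password and DN are placeholders, and the point is that the client's certificate goes into a truststore owned by the server, not into the client's cacerts.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes keytool from a JDK is on PATH.
# Passwords, aliases and the DN are placeholders for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CLIENT_KS="$WORK/client.jks"             # client's private key + its own certificate
SERVER_TS="$WORK/server-truststore.jks"  # what the SERVER trusts (separate from cacerts)
CLIENT_CERT="$WORK/client.cer"           # exported public certificate only
PASS="changeit"                          # placeholder password

# 2.a) The client generates its own key pair. The self-signed certificate
#      that comes out is what the server will be asked to trust.
make_client_cert() {
    keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=ajay-client, OU=Example, O=Example, C=FR" \
        -keystore "$CLIENT_KS" -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1
    # Export only the certificate; the private key never leaves the client keystore.
    keytool -exportcert -alias client -file "$CLIENT_CERT" \
        -keystore "$CLIENT_KS" -storepass "$PASS" >/dev/null 2>&1
}

# 2.b) The server keeps the client certificate in its own truststore.
#      cacerts is the list of CAs the *client* trusts when it checks servers;
#      the server needs its own list of trusted client certificates.
trust_client_cert() {
    keytool -importcert -alias client -file "$CLIENT_CERT" -noprompt \
        -keystore "$SERVER_TS" -storepass "$PASS" >/dev/null 2>&1
}

# Check: the alias is present as a trustedCertEntry in the server truststore.
server_trusts_client() {
    keytool -list -alias client -keystore "$SERVER_TS" -storepass "$PASS" 2>/dev/null \
        | grep -q trustedCertEntry
}

# Runs the whole flow; returns 0 without doing anything if keytool is absent.
run_demo() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH" >&2; return 0; }
    make_client_cert
    trust_client_cert
    server_trusts_client && echo "server truststore now holds the client certificate"
}

run_demo
```

With Tomcat, the server side then points the HTTPS Connector's truststoreFile at server-truststore.jks and sets clientAuth="true" so the handshake actually requests and verifies the client certificate.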

 
Your customer creates/buys a certificate. It gets sent to you as part of the http header from their web browser. Your webserver can then verify its authenticity with the certificate authority so that you'll know it's really them.

Chip H.
 
Can't you just use a server SSL certificate between the client and your server? Then you don't inconvenience your users by forcing them to get a client certificate.

C:\DOS:>
C:\DOS:>RUN
RUN DOS RUN!!
 
Hey man, server certificates are for server authentication, not client authentication, e.g. anyone can impersonate the client.

Although this is true, using client certificates is not an easy chore. Usually client certs are password protected (the private keys) and thus may require the client to enter his password several times.
Thus most people would use client certs only for authentication and transfer of session credentials; afterwards the server cert is used only.

E.g. for a web application the submit of the login will go through client certificate authentication, and then all of the rest of the content shall be available through a connection which is protected only by a server cert.
 
OK, server certificates are there to serve two purposes:
1 - encrypt the traffic (SSL)
2 - prove the site is who you think it is

Client certificates serve one purpose (AFAIK):
3 - prove the client is who you think it is

#1 is easy -- everyone does https/ssl all the time. No biggie.

#2 is what most people do not do when visiting a secured part of a site -- how many people double-click on the lock icon to verify a site's certificate is valid?

#3 - There has to be code written for this -- the web server has to request the client's certificate, and then make calls to verify that the client's certificate is valid. I think you can set options for this in some of the newer web servers, save you some time. :)

Chip H.
Error on line 9: Object of type SIGNATURE expected
 
Hello!
We are trying to create our own Server Certificate, but it doesn't work. Do you have a great tip that you can give us?
We have a key and we have a certificate but we can't bind them.
 