SSL client authentication

Client authentication is similar to server authentication except that the server requests a certificate from the client to verify that the client is who it claims to be. The certificate must be an X.509 certificate and signed by a certificate authority trusted by the server. You can only use client authentication when a server requests a certificate from a client. Not all servers support client authentication.

When a server requests a certificate, the client has the option to send a certificate or attempt to connect without it. The server allows the connection if the client's certificate can be trusted. When a client attempts to connect without a certificate, the server might grant the client access but at a lower security level, as illustrated by the following sequence of events:
  1. The client sends a request for an SSL session to the server.
  2. The client receives the server's certificate and checks its list of trusted CAs. Since the server's certificate is signed by a trusted certificate authority, the client accepts the certificate. The server then asks the client for a certificate that identifies the client.
  3. The client responds by sending a certificate or by trying to establish a session without one.
  4. If the client sends a certificate, the server checks its list of trusted certificates. If the client can be trusted, the secure session is established. If the client does not send a certificate, normally the server terminates the session.
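The sequence above as an added Go example (not code from this page or from any product it describes): it builds an in-memory CA with one server and one client certificate, then runs one handshake in which the client presents its certificate and one in which it presents none, against a server configured to require a verified client certificate. The function names `issue` and `handshake`, the subjects `Demo CA`, `localhost` and `client`, and the loopback listener are assumptions made for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue returns a certificate for cn signed by ca; with a nil ca it signs itself and so becomes the CA.
func issue(cn string, eku x509.ExtKeyUsage, ca *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), DNSNames: []string{"localhost"},
		IsCA: ca == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	if ca == nil { // a CA needs the certificate-signing key usage instead of the end-entity one
		tmpl.KeyUsage, ca = x509.KeyUsageCertSign, &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca.Leaf, pub, ca.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake connects a client, with or without its certificate, to a loopback server that requires a verified client certificate; nil means accepted.
func handshake(sendClientCert bool) error {
	ca := issue("Demo CA", x509.ExtKeyUsageAny, nil)
	pool := x509.NewCertPool() // the trust list consulted in step 2 (client) and step 4 (server)
	pool.AddCert(ca.Leaf)
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, // ask for a client cert and verify it
		ClientCAs: pool, Certificates: []tls.Certificate{issue("localhost", x509.ExtKeyUsageServerAuth, &ca)}})
	defer ln.Close()
	go func() { // server side: Write runs the handshake first (step 4 included), so "ok" only goes out if that passed
		conn, _ := ln.Accept()
		conn.Write([]byte("ok"))
		conn.Close()
	}()
	cliConf := &tls.Config{RootCAs: pool, ServerName: "localhost"}
	if sendClientCert { // step 3: answer the request with a certificate, or try to connect without one
		cliConf.Certificates = []tls.Certificate{issue("client", x509.ExtKeyUsageClientAuth, &ca)}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliConf)
	if err == nil { // under TLS 1.3 a rejection only surfaces on the first read, as an alert
		defer conn.Close()
		_, err = conn.Read(make([]byte, 2))
	}
	return err
}
```

The server is configured for the "normally the server terminates the session" behaviour; Go's `tls.VerifyClientCertIfGiven` is the setting that instead admits a client without a certificate, leaving the application to grant it a lower level of access.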