Must server and client certificate be signed by same CA in SSL
I am trying to understand the relationship between the client and server in the context of an SSL connection. Am I correct in understanding that the fact that the same certificate authority (me, in the example below) signs both the server and the client certificate is what allows them to communicate? Thus, that the server only accepts communication when the client authenticates with a client certificate signed by the same CA as the server certificate, and that this is essential to the idea of an SSL connection?



(The script below comes directly from http://blog.nategood.com/client-side-certificate-authentication-in-ngi)



# Create the CA Key and Certificate for signing Client Certs
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

# Create the Server Key, CSR, and Certificate
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr

# We're self signing our own server cert here. This is a no-no in production.
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

# Create the Client Key and CSR
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr

# Sign the client certificate with our CA cert. Unlike signing our own server cert, this is what we want to do.
# Serial numbers must be unique per issuing CA, so the client cert gets 02 instead of reusing 01.
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt

# nginx: server.crt/server.key is what clients verify; ca.crt is what the server
# verifies presented client certificates against.
server {
    listen 443;
    ssl on;
    server_name example.com;

    ssl_certificate /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;
    ssl_client_certificate /etc/nginx/certs/ca.crt;
    ssl_verify_client on;
}
  • No. The client needs to trust the CA that signed the server certificate and the server needs to trust the CA that signed the client certificate.

    – Richard Smith
    Nov 12 '18 at 18:47
  • But is it possible to set up a connection using server and client certificates that are signed by different CAs? So, when the client and server cert. share nothing in common...

    – Niels
    Nov 12 '18 at 18:56
  • How is that 'trust' visible in the scripts I presented?

    – Niels
    Nov 12 '18 at 18:57
  • Same CA, different CA, makes no difference. The ssl_client_certificate directive tells the server which client CA to trust and the browser's certificate manager contains all of the server CAs that the browser trusts.

    – Richard Smith
    Nov 12 '18 at 20:15
tags: ssl nginx openssl ca
asked Nov 12 '18 at 18:14
Niels

14510




14510







  • 1





    No. The client needs to trust the CA that signed the server certificate and the server needs to trust the CA that signed the client certificate.

    – Richard Smith
    Nov 12 '18 at 18:47











  • But is it possible to setup a connection using server and client certificate that are signed by a different CA? So, when client en server cert. share nothing in common...

    – Niels
    Nov 12 '18 at 18:56











  • How is that 'trust' visible in the scipts I presented?

    – Niels
    Nov 12 '18 at 18:57






  • 1





    Same CA, different CA, makes no difference. The ssl_client_certificate directive tells the server which client CA to trust and the browser's certificate manager contains all of the server CAs that the browser trusts.

    – Richard Smith
    Nov 12 '18 at 20:15












  • 1





    No. The client needs to trust the CA that signed the server certificate and the server needs to trust the CA that signed the client certificate.

    – Richard Smith
    Nov 12 '18 at 18:47











  • But is it possible to setup a connection using server and client certificate that are signed by a different CA? So, when client en server cert. share nothing in common...

    – Niels
    Nov 12 '18 at 18:56











  • How is that 'trust' visible in the scipts I presented?

    – Niels
    Nov 12 '18 at 18:57






  • 1





    Same CA, different CA, makes no difference. The ssl_client_certificate directive tells the server which client CA to trust and the browser's certificate manager contains all of the server CAs that the browser trusts.

    – Richard Smith
    Nov 12 '18 at 20:15







1




1





No. The client needs to trust the CA that signed the server certificate and the server needs to trust the CA that signed the client certificate.

– Richard Smith
Nov 12 '18 at 18:47





No. The client needs to trust the CA that signed the server certificate and the server needs to trust the CA that signed the client certificate.

– Richard Smith
Nov 12 '18 at 18:47













But is it possible to setup a connection using server and client certificate that are signed by a different CA? So, when client en server cert. share nothing in common...

– Niels
Nov 12 '18 at 18:56





But is it possible to setup a connection using server and client certificate that are signed by a different CA? So, when client en server cert. share nothing in common...

– Niels
Nov 12 '18 at 18:56













How is that 'trust' visible in the scipts I presented?

– Niels
Nov 12 '18 at 18:57





How is that 'trust' visible in the scipts I presented?

– Niels
Nov 12 '18 at 18:57




1




1





Same CA, different CA, makes no difference. The ssl_client_certificate directive tells the server which client CA to trust and the browser's certificate manager contains all of the server CAs that the browser trusts.

– Richard Smith
Nov 12 '18 at 20:15





Same CA, different CA, makes no difference. The ssl_client_certificate directive tells the server which client CA to trust and the browser's certificate manager contains all of the server CAs that the browser trusts.

– Richard Smith
Nov 12 '18 at 20:15












1 Answer
The short answer is No. These are two separate aspects.
Here:



ssl_certificate /etc/nginx/certs/server.crt;
ssl_certificate_key /etc/nginx/certs/server.key;


You are configuring the server certificates which need to be trusted by the client.
Here:



ssl_client_certificate /etc/nginx/certs/ca.crt;


You configure the certification authority to verify your clients' certificates against.
        answered Nov 13 '18 at 1:28
Nikolay Dimitrov
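The comments and the answer above describe two independent trust decisions, so here is an added example (mine, not code from the question, the answer or the blog post it quotes) that builds two unrelated CAs with the openssl CLI, issues the server certificate from one and the client certificate from the other, and runs a mutual-TLS handshake with Python's ssl module standing in for nginx and the browser. The names server-ca, client-ca and the localhost SAN are constructed for the demo; it assumes the openssl CLI is on PATH and Python 3.7 or newer.

```python
# Added example: needs the openssl CLI on PATH; builds all files in a temp dir.
import socket, ssl, subprocess, tempfile, threading

def openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)

def cert(d, name, ext, signer=None):
    # Key + CSR, then a cert: self-signed when no signer, else issued by the signer's CA key.
    openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={name}",
            "-keyout", f"{d}/{name}.key", "-out", f"{d}/{name}.csr")
    with open(f"{d}/{name}.ext", "w") as f:
        f.write(ext)
    how = (["-signkey", f"{d}/{name}.key"] if signer is None else
           ["-CA", f"{d}/{signer}.crt", "-CAkey", f"{d}/{signer}.key", "-CAcreateserial"])
    openssl("x509", "-req", "-days", "1", "-in", f"{d}/{name}.csr",
            "-extfile", f"{d}/{name}.ext", "-out", f"{d}/{name}.crt", *how)

def handshake(d, client_trusts):
    """(True, client CN the server verified) or (False, why the client rejected the server)."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(f"{d}/server.crt", f"{d}/server.key")  # ssl_certificate(_key)
    srv.load_verify_locations(f"{d}/client-ca.crt")             # ssl_client_certificate
    srv.verify_mode = ssl.CERT_REQUIRED                          # ssl_verify_client on
    cli = ssl.create_default_context(cafile=f"{d}/{client_trusts}.crt")  # browser CA store
    cli.load_cert_chain(f"{d}/client.crt", f"{d}/client.key")
    lsock = socket.socket(); lsock.bind(("127.0.0.1", 0)); lsock.listen(1)
    seen = {}
    def serve():
        try:
            with srv.wrap_socket(lsock.accept()[0], server_side=True) as s:
                subj = s.getpeercert()["subject"]
                seen["cn"] = {k: v for rdn in subj for k, v in rdn}["commonName"]
        except OSError:  # server-side handshake failure (SSLError is an OSError)
            pass
    t = threading.Thread(target=serve, daemon=True); t.start()
    try:
        with cli.wrap_socket(socket.create_connection(lsock.getsockname()),
                             server_hostname="localhost"):
            pass
        t.join(10)
        return True, seen.get("cn")
    except ssl.SSLCertVerificationError as e:
        return False, e.verify_message
    finally:
        lsock.close()

def demo():
    d = tempfile.mkdtemp()
    ca = "basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\nsubjectKeyIdentifier=hash\n"
    ids = "subjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n"
    cert(d, "server-ca", ca); cert(d, "client-ca", ca)   # two CAs that share nothing
    cert(d, "server", ids + "subjectAltName=DNS:localhost\nextendedKeyUsage=serverAuth\n", "server-ca")
    cert(d, "client", ids + "extendedKeyUsage=clientAuth\n", "client-ca")
    # Right CA on each side: success. Client pointed at the wrong CA: it rejects the server.
    return handshake(d, "server-ca"), handshake(d, "client-ca")
```

The first handshake succeeds with the server having verified client CN "client" against client-ca only; the second fails on the client side before any application data flows, even though the server still trusts the client's CA.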