With Two-Way SSL, both client and server authenticate each other, so that both parties involved in the communication are trusted. In this mutual authentication process, the client and server exchange their public certificates, and verification is performed on the basis of those certificates. This technique is often used to grant specific parties access to a website or portal, where the website owner controls which certificates (and thus which users) can have access.
How does Two-Way SSL work?
The authentication message exchange between client and server is called an SSL handshake, and it includes the following steps:
- The client requests access to the protected resource.
- The server responds to the client with its certificate, and requests the public certificate from the client.
- The client verifies the server's certificate and, if successful, sends the client's certificate information to the server.
- The server verifies the client’s credentials.
- If successful, the server grants access to the protected resource requested by the client.
As described in step 4, the server validates the client, which is the second part of the Two-Way SSL (Mutual Authentication) process. This is typically done by making sure that the client certificate is valid (not expired and issued by a trusted Certificate Authority) and that the client's digital signature is valid. The digital signature is produced using the client's private key. Anyone who has the public key can validate the digital signature, but only the client that holds the private key can create a valid signature.
Two-Way SSL methods
You can use different methods for this type of authentication. The most common is client authentication based on the thumbprint or subject of the certificate installed on the client. The thumbprint or subject of this certificate is stored on the server, so the server knows exactly which certificates may pass authentication.
Another way to use client authentication is based on the Trusted Issuer of the certificate. For example, a trusted issuer signs a certificate which is installed on the client. The server recognizes the issuer of the certificate and approves the authentication. The downside of this method is that anyone holding a certificate signed by the trusted issuer can access your server.
To realize Two-Way SSL authentication, you need a client certificate whose key usage includes TLS Web Client Authentication. A client or SSL certificate that supports TLS Web Client Authentication can be purchased separately. In most cases, the website or portal may use any regular SSL certificate, and the clients use a client certificate; both certificate types contain the right key usage.
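As an added example (not code from the original article), the server-side checks from step 4 combined with the two methods above, written in Go against only the standard library's crypto/x509: the presented certificate must chain to the trusted CA, be unexpired and carry the TLS Web Client Authentication key usage, and the server then applies either a thumbprint allowlist or trusted-issuer mode. The throwaway CA, the client names alice and bob, and the 24-hour validity are constructed for the demo.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// Thumbprint is the SHA-256 fingerprint of the DER certificate: what a server stores per permitted client.
func Thumbprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }
// AuthorizeClient is the server's step-4 check: chain to a trusted CA, validity at now, and the TLS Web
// Client Authentication key usage. A nil allowlist is trusted-issuer mode (any certificate from the CA
// passes); otherwise the certificate's thumbprint must also be on the allowlist.
func AuthorizeClient(c *x509.Certificate, roots *x509.CertPool, allowlist map[string]bool, now time.Time) error {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := c.Verify(opts); err != nil {
		return fmt.Errorf("chain, validity or key-usage check failed: %w", err)
	}
	if allowlist != nil && !allowlist[Thumbprint(c)] {
		return fmt.Errorf("issuer is trusted but thumbprint %s is not on the allowlist", Thumbprint(c))
	}
	return nil
}

// BuildDemoPKI mints a throwaway root CA plus two clientAuth certificates (alice, bob) valid for 24h (demo only).
func BuildDemoPKI(now time.Time) (roots *x509.CertPool, alice, bob *x509.Certificate) {
	newKey := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	tmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	}
	caKey := newKey()
	sign := func(t, parent *x509.Certificate, pub *ecdsa.PublicKey) *x509.Certificate { // signed by the CA key
		der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, caKey)
		c, _ := x509.ParseCertificate(der)
		return c
	}
	ca := tmpl(1, "Demo Root CA")
	ca.IsCA, ca.BasicConstraintsValid, ca.KeyUsage, ca.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
	caCert := sign(ca, ca, &caKey.PublicKey) // self-signed root, installed as the server's trust anchor
	roots = x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, sign(tmpl(2, "alice"), caCert, &newKey().PublicKey), sign(tmpl(3, "bob"), caCert, &newKey().PublicKey)
}
```

In thumbprint mode only alice passes; in trusted-issuer mode bob, and any other certificate the demo CA ever signs, passes too, which is the downside described above.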