
Understanding Two-Way SSL Authentication and Certificates

Two-way SSL, also known as mutual SSL authentication, is an SSL/TLS setup in which the server and the client authenticate each other, giving more robust security than one-way SSL.

Steps in a two-way SSL handshake

In two-way SSL authentication, the client and server need to authenticate and validate each other's identities. The authentication message exchange between client and server is called an SSL handshake, and it includes the following steps:

  1. A client requests access to a protected resource.
  2. The server presents its certificate to the client.
  3. The client verifies the server’s certificate.
  4. If successful, the client sends its certificate to the server.
  5. The server verifies the client’s credentials.
  6. If successful, the server grants access to the protected resource requested by the client.

In step 5 above, the server validates the client; this is the second half of the two-way SSL (mutual authentication) process. The server typically checks that the client certificate is valid (not expired, and issued by a Certificate Authority the server trusts) and that the client's digital signature is valid. The client produces this signature with its private key, so a valid signature shows that the client actually holds the key belonging to the certificate it presented.


SSL Certificates for one-way SSL Authentication

The certificates required for one-way and two-way SSL authentication are listed below. In what follows, CA X issues the certificate to the SSL or TLS client, and CA Y issues the certificate to the SSL or TLS server.

For one-way SSL authentication, the SSL or TLS server needs:

  • The personal certificate issued to the server by CA Y
  • The server’s private key

The SSL or TLS client needs:

  • The CA certificate for CA Y

SSL Certificates for two-way SSL Authentication

For two-way SSL authentication, the server verifies the client's identity by validating the client's digital certificate against the public key of the CA that issued the personal certificate to the client, in this case CA X.

For two-way SSL authentication, the server needs:

  • The personal certificate issued to the server by CA Y
  • The server’s private key
  • The CA certificate for CA X

The client needs:

  • The personal certificate issued to the client by CA X
  • The client’s private key
  • The CA certificate for CA Y
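The following Go program is an added example, not code from the original article: it builds exactly the material listed above (CA X issuing the client's personal certificate, CA Y issuing the server's, each side holding its own private key plus the other side's CA certificate) and then runs the handshake steps from the first section over a loopback TCP connection. It goes beyond the text in one way: withholding either CA certificate shows which step of the handshake fails and on which side. The CA names follow the article; the hostnames server.example and client.example, the "granted" reply and the function names are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func try[T any](v T, err error) T { // keeps the example short; real code returns errors
	if err != nil {
		panic(err)
	}
	return v
}

// newCert: a self-signed CA when parent is nil (CA X / CA Y), else a "personal" certificate signed by parent.
func newCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, eku x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := try(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed; a real CA tracks serials durably
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // CA: self-signed and allowed to sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // end entity: eku restricts it to the server or the client role of the handshake
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{eku}
	}
	der := try(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return try(x509.ParseCertificate(der)), key
}

// twoWayConfigs holds exactly the material the article lists for two-way SSL. The two
// flags let a CA certificate be withheld from one side to see which step then fails.
func twoWayConfigs(serverHasCAX, clientHasCAY bool) (server, client *tls.Config) {
	caX, caXKey := newCert("CA X", nil, nil, 0) // CA X issues the client's certificate
	caY, caYKey := newCert("CA Y", nil, nil, 0) // CA Y issues the server's certificate
	srv, srvKey := newCert("server.example", caY, caYKey, x509.ExtKeyUsageServerAuth)
	cli, cliKey := newCert("client.example", caX, caXKey, x509.ExtKeyUsageClientAuth)
	trustX, trustY := x509.NewCertPool(), x509.NewCertPool()
	if serverHasCAX { // without the CA X certificate the server cannot perform step 5
		trustX.AddCert(caX)
	}
	if clientHasCAY { // without the CA Y certificate the client cannot perform step 3
		trustY.AddCert(caY)
	}
	server = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientCAs:    trustX,                         // the CA X certificate
		ClientAuth:   tls.RequireAndVerifyClientCert, // this setting is what makes it two-way
		MinVersion:   tls.VersionTLS12,
	}
	client = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}},
		RootCAs:      trustY, // the CA Y certificate
		ServerName:   "server.example",
		MinVersion:   tls.VersionTLS12,
	}
	return server, client
}

// handshake runs one TLS handshake over loopback TCP and returns each side's verdict. The server
// sends "granted" (step 6) only once the client is verified; the client then reads once, because
// in TLS 1.3 a client-certificate rejection arrives after the client's own Handshake() returned.
func handshake(server, client *tls.Config) (serverErr, clientErr error) {
	ln := try(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		s := tls.Server(try(ln.Accept()), server)
		err := s.Handshake()
		if err == nil {
			_, err = s.Write([]byte("granted"))
		}
		s.Close()
		done <- err
	}()
	c := tls.Client(try(net.Dial("tcp", ln.Addr().String())), client)
	if clientErr = c.Handshake(); clientErr == nil {
		_, clientErr = c.Read(make([]byte, 16))
	}
	c.Close()
	return <-done, clientErr
}

func main() {
	fmt.Println(handshake(twoWayConfigs(true, true)))  // <nil> <nil>: both sides authenticated
	fmt.Println(handshake(twoWayConfigs(false, true))) // server lacks CA X: step 5 fails, both sides report an error
	fmt.Println(handshake(twoWayConfigs(true, false))) // client lacks CA Y: step 3 fails, both sides report an error
}
```

Two details are worth noticing when reading the output. First, the client-side Read after a successful Handshake() is not decoration: with TLS 1.3 the client finishes its part of the handshake before the server has validated the client certificate, so a rejection in step 5 only becomes visible to the client on its first read or write. Second, the extended key usage set on each personal certificate matters: Go's verifier checks that the certificate presented in step 4 is marked for client authentication and the one presented in step 2 for server authentication, so a certificate issued for one role cannot simply be reused in the other.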