What exactly do you include in “correctly”?

As that entry (rightly) explains, the (or each) server must have a key cert from a CA trusted by the client, and the (or each) client must have a key cert from a CA trusted by the server. Most clients trust the “well-known” CAs like Verisign and GoDaddy and maybe 10-100 more depending on the client and OS. Some servers similarly trust well-known CAs, but sometimes the organization operating the server also operates or links to a particular CA to issue certs to its clients, and the SSL server trusts that CA. Most if not all clients and servers can be configured to change which CAs they trust.

As it says, the server must “request” the client cert; this is often a separate option. E.g. you must set “request client auth” AND “trust these client CAs: X, Y, Z”. Often there are several options, like request but proceed if a client doesn’t agree, or request and refuse to proceed if the client doesn’t agree.

It isn’t said explicitly, but for most SSL/TLS applications and particularly HTTPS, the server cert must correctly name the server, and for most (sane) servers using client auth the client cert must correctly name the client.

For both one-way (server) auth and two-way (server+client) auth, if the cert is issued by a CA using an “intermediate” or “chain” cert – and certs from well-known CAs do – the server or client respectively should be configured with both the entity cert AND the correct intermediate cert (or sometimes a few of them). The CAs usually provide the needed intermediate(s) and instructions for use with common servers, but you have to pay attention to the instructions and follow them. (Although if you want to test/debug with command-line s_server, it does NOT directly support own-chain certs and you must sneak them in via the truststore.)

And last, but rarely important, the server cert and the client cert when used must be for keys using the same public key algorithm: RSA, ECDSA, DSA, ECDH, or DH. In practice almost everybody uses RSA and this is not a problem.

You can check these points directly, or you can try making a connection and, if it doesn’t work, look at the error(s) or other results that you get (such as selection of a different client cert than you expected).

Do you have a specific problem you want to diagnose?
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Kaushal Shriyan
Sent: Monday, April 21, 2014 10:14
To: openssl-users@openssl.org
Subject: *** Spam *** Verify Two Way SSL Certificates.
Hi,
Is there a way to test if 2 way ssl certs are installed correctly?
More Info :-
http://stackoverflow.com/questions/10725572/two-way-ssl-clarification
Regards,
Kaushal
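The “check these points directly” approach from the reply above, as an added example that is not part of this thread: a POSIX shell script that builds a throwaway root + intermediate + server + client PKI with the openssl CLI, then checks each point offline with `openssl verify`: that each entity cert chains to the trusted root through the intermediate and is allowed for its side of the handshake (`-purpose`), that the server cert names the host and the client cert names the client, and which public key algorithm each cert uses. It also shows what the common mistakes look like (server cert offered as a client cert, wrong hostname, intermediate left out). It assumes an openssl CLI of 1.1.0 or later (for `-verify_hostname` and `-verify_email`); the CA names, `tls.example.test` and `alice@example.test` are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway two-level PKI with the
# openssl CLI and check the points in the reply offline, without a live server.
# Assumes openssl >= 1.1.0 (for `verify -verify_hostname` / `-verify_email`).
# All names (Example Root CA, tls.example.test, alice@example.test) are made up.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "this script needs the openssl CLI" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Private config so the run does not depend on the system openssl.cnf.
# [server] and [client] carry the name the reply says each cert must have (SAN)
# and the EKU that makes each usable for only one side of the handshake.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:tls.example.test
[client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = email:alice@example.test
EOF

# Self-signed root, then an intermediate signed by it, then the two end-entity
# certs signed by the intermediate (the "chain cert" situation from the reply).
openssl req -new -x509 -newkey rsa:2048 -nodes -days 30 -config pki.cnf \
    -extensions ca -subj "/CN=Example Root CA" -keyout root.key -out root.pem 2>/dev/null

issue() {  # $1=basename $2=subject $3=extension section $4=issuer basename
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
        -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" \
        -CAcreateserial -extfile pki.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}
issue inter  "/CN=Example Issuing CA" ca     root
issue server "/CN=tls.example.test"   server inter
issue client "/CN=alice"              client inter

# Check 1: the entity cert chains to a trusted root via the intermediate and its
# keyUsage/EKU allow it for that side of the handshake (-purpose sslserver|sslclient).
chains_for() {  # $1=cert $2=purpose
    openssl verify -CAfile root.pem -untrusted inter.pem -purpose "$2" "$1" >/dev/null 2>&1
}
# Same check with the intermediate left out of the configuration.
chains_without_inter() {  # $1=cert
    openssl verify -CAfile root.pem "$1" >/dev/null 2>&1
}
# Check 2: the server cert names the host the client connects to.
names_host() {  # $1=cert $2=hostname
    openssl verify -CAfile root.pem -untrusted inter.pem -verify_hostname "$2" "$1" >/dev/null 2>&1
}
# Check 3: the client cert names the client (here via an e-mail SAN).
names_email() {  # $1=cert $2=address
    openssl verify -CAfile root.pem -untrusted inter.pem -verify_email "$2" "$1" >/dev/null 2>&1
}
# Check 4: public key algorithm of a cert, e.g. "rsaEncryption" or "id-ecPublicKey".
key_alg() {  # $1=cert
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p'
}

not()  { if "$@"; then return 1; else return 0; fi; }
show() { label=$1; shift; if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi; }

show "server cert chains to the root and is valid for sslserver"    chains_for server.pem sslserver
show "server cert names tls.example.test"                           names_host server.pem tls.example.test
show "client cert chains to the root and is valid for sslclient"    chains_for client.pem sslclient
show "client cert names alice@example.test"                         names_email client.pem alice@example.test
echo "server key: $(key_alg server.pem), client key: $(key_alg client.pem)"
# What the common mistakes look like:
show "server cert is rejected when offered as a client cert"        not chains_for server.pem sslclient
show "server cert is rejected for a hostname it does not carry"     not names_host server.pem wrong.example.test
show "server cert fails to verify when the intermediate is missing" not chains_without_inter server.pem
```

Once the offline checks pass, the same files can be tried live, which is the "try making a connection" route from the reply: `openssl s_server -accept 4433 -cert server.pem -key server.key -CAfile trust.pem -Verify 1` on one side and `openssl s_client -connect localhost:4433 -cert client.pem -key client.key -CAfile root.pem -verify_hostname tls.example.test` on the other, where `trust.pem` is `root.pem` and `inter.pem` concatenated so that s_server both trusts the client's issuer and can send the intermediate (newer versions also take `-cert_chain inter.pem`). The `verify return code` and `Acceptable client certificate CA names` lines in the s_client output tell you which of the points above failed.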