Philipp Hancke wrote: > why does the client generate the certificate? Sending a CSR to the > server and signing it there (which may take a long time) seems > easier from the certificate managment point of view.
IMHO it is more complicated. Why doing a complex CSR (which as you wrote may take a long time) when a client can upload a certificate. The client is trusted when doing so and the certificate only has to work between these two. > And it results in a certificate signed by an entity that the server > trusts. Well, the server can trust the client with its own certificate. But you raise an interessting point: what do others think? CSR or the other way. Alexey already wrote that he prevers not to deal with CSR. Dirk -- A mathematician is a machine for converting coffee into theorems.
