SSL Client Certificates

We all know that an SSL server certificate's Common Name contains the domain that's being protected. But what is in the Common Name of an SSL client certificate? All I can find is that it is the "identity" of the entity that owns the certificate, which is very vague. I know that if the client cert is used to authenticate to a mail server, then the email address is typically used as a Common Name. How about authenticating to a web server? Is there any specification for this, or is it up to the server maintainer to decide what a "valid identity" is?

[562 byte] By [smithsaa] at [2007-11-26 21:04:36]
# 1

The Distinguished Name (DN) of the client certificate can be any approved DN component, of which Common Name (CN) is just one. The actual Subject DN will be determined by the policy established by the company for its Public Key Infrastructure (PKI), which issues digital certificates.

One can use most forms of DNs to authenticate to a server that expects SSL Client Authentication. However, servers expect specific components in the client's digital certificate, each of which can be completely different based on the expectations of the server.

The definitive reference for the contents of a digital certificate is in this RFC: http://www.ietf.org/rfc/rfc3280.txt (and its corresponding updates which you can find at http://www.ietf.org/html.charters/pkix-charter.html). Books on PKI may be more user-friendly to read. One that I recall from many years ago is "Secure Electronic Commerce". I don't remember the authors/publisher, but once you get past the legal sections of the book, the technical stuff is very readable. Consultants who are familiar with PKI can also help, of course :-).

arshad.noora at 2007-7-10 2:37:43
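The answer above makes two points that are easier to see in code: a Subject DN is a sequence of attribute/value pairs (RFC 3280 section 4.1.2.4), and it is the server's own policy that decides which of those pairs must be present and which one is treated as the login identity. The following is an added example, not code from the thread or from any of the posters. It is pure Python with no third-party dependencies: a minimal DER encoder and decoder for an X.509 Name, a constructed sample subject, and two hypothetical server policies (a mail server keyed on emailAddress, a web server keyed on CN and restricted to one organization). The policy dictionaries, attribute lists and sample values are all assumptions made for the example.

```python
# Added example, not from the original post. Minimal DER handling for an
# X.509 Subject Name (RFC 3280 section 4.1.2.4) and a server-side policy check.
# Only a handful of attribute OIDs are mapped; real PKIs use many more.

OIDS = {
    "2.5.4.3": "CN",
    "2.5.4.6": "C",
    "2.5.4.10": "O",
    "2.5.4.11": "OU",
    "1.2.840.113549.1.9.1": "emailAddress",  # PKCS#9 e-mail attribute
}
NAMES = {v: k for k, v in OIDS.items()}


def _der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (tag 0x06)."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def decode_oid(body):
    """DER OID body (without tag/length) -> dotted string."""
    parts = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def encode_name(rdns):
    """[(attr, value), ...] -> DER Name; each pair becomes its own RDN SET."""
    body = b""
    for attr, value in rdns:
        vtag = 0x16 if attr == "emailAddress" else 0x0C  # IA5String vs UTF8String
        atv = _tlv(0x30, encode_oid(NAMES[attr]) + _tlv(vtag, value.encode()))
        body += _tlv(0x31, atv)
    return _tlv(0x30, body)


def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def decode_name(der):
    """DER Name -> [(attr, value), ...] in the order they appear."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = _read_tlv(body, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        p = 0
        while p < len(rdn):
            _, atv, p = _read_tlv(rdn, p)
            _, oid, q = _read_tlv(atv, 0)
            _, val, _ = _read_tlv(atv, q)
            dotted = decode_oid(oid)
            out.append((OIDS.get(dotted, dotted), val.decode()))
    return out


def check_policy(subject, policy):
    """Apply a hypothetical server policy to a decoded subject.

    policy keys: 'required' (attrs that must be present), 'identity' (the
    attr used as the login name), optional 'allowed_orgs' (accepted O values).
    Returns (accepted, identity_or_reason)."""
    present = {}
    for attr, value in subject:
        present.setdefault(attr, []).append(value)
    for attr in policy["required"]:
        if attr not in present:
            return False, "missing " + attr
    orgs = policy.get("allowed_orgs")
    if orgs and not orgs & set(present.get("O", [])):
        return False, "organization not trusted"
    ident = policy["identity"]
    if ident not in present or len(present[ident]) != 1:
        return False, "identity attribute absent or ambiguous"
    return True, present[ident][0]


# Constructed sample subject (not a real certificate).
SAMPLE_SUBJECT = encode_name([
    ("C", "US"), ("O", "Example Corp"), ("OU", "Engineering"),
    ("CN", "Alice Example"), ("emailAddress", "alice@example.com"),
])
# Hypothetical policies: a mail server logs in by e-mail address, a web
# server by CN and only for one organization.
MAIL_POLICY = {"required": ("emailAddress",), "identity": "emailAddress"}
WEB_POLICY = {"required": ("CN", "O"), "identity": "CN",
              "allowed_orgs": {"Example Corp"}}

if __name__ == "__main__":
    subj = decode_name(SAMPLE_SUBJECT)
    print(subj)
    print("mail:", check_policy(subj, MAIL_POLICY))
    print("web: ", check_policy(subj, WEB_POLICY))
```

The same certificate yields a different identity under each policy, which is the practical answer to the question: nothing in the certificate format fixes what a "valid identity" is, so the server must state which attribute it keys on and reject subjects where that attribute is missing or appears more than once.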