
I am using the OpenSSL program to generate my self-signed SSL certificates: I created a CA certificate and a web server certificate, and I signed the web server certificate with the CA certificate. I created a keystore with Java's keytool to import the web server's certificate.

On the client side, I have imported the CA certificate into the client's Certificate Manager, under "Trusted Root Certification Authorities".

In theory, is this setup considered one-way TLS or two-way TLS communication?

Thank you so much for the help!

xxestter

  • Your **authentication** is one-way. _Communication_ (aka data) in TLS is always 'two-way' aka full-duplex or fdx, regardless of the authentication. In particular the WWW (HTTPS) uses HTTP (a two-way protocol, hdx or fdx depending on version and options) over TLS/SSL, but there are millions of other uses of TLS/SSL. – dave_thompson_085 Jun 30 '20 at 12:34
  • @dave_thompson_085, can I check with you? My authentication is not two-way because I didn't configure my browser, Chrome, to give any certificate to my server? I am guessing, please correct me. – xxestter Jun 30 '20 at 12:41
  • Yes. As Pras' answer said, TLS/SSL normally authenticates the server with a cert (and key), which is one-way auth; if you _also_ authenticate the client (including but not limited to a web browser) with a cert (and key), that is two-way auth. – dave_thompson_085 Jul 01 '20 at 01:06

1 Answer

In the TLS protocol, by default the client validates the server's authenticity: the server sends its certificate during the handshake and the client validates it with the CA certificate in its trust store. That is a one-way setup.

For two-way, during the handshake the server also asks for a certificate from the client, and it validates the certificate sent by the client with the CA certificate in its trust store. So if you want to use a two-way setup, you need to generate a client CA certificate and a client certificate (which will be signed by the client CA certificate); the same CA certificate you need to configure at the server, so that it (the server) will be able to validate the client certificate it received during the handshake. You can also decide to keep the same CA certificate for both client and server certificates, making sure the client and server certificates are signed by the same CA.

Pras
  • Hi Pras, can I just double-confirm this sentence: "...and the client validates it with the CA certificate in its trust store"? The trust store you mean is the Trusted Root Certification Authorities inside Windows' Certificate Manager (certmgr.msc)? May I check how to configure this part, "...the server also asks for a certificate from the client; it validates the certificate sent by the client with the CA certificate in its trust store...", if I am using Java and Tomcat as the container? – xxestter Jun 30 '20 at 10:17
  • You need to check your client application's documentation. If your client is a browser, it will use the Windows certificate store; if it's any other program it may be building its trust store differently, e.g. if it's using the openssl lib it may be calling SSL_CTX_load_verify_locations to load trusted CA certificates for validating server certificates. – Pras Jun 30 '20 at 10:29
  • I am not sure what's needed for setting up 2-way in Tomcat; you need to consult its documentation. – Pras Jun 30 '20 at 10:30
  • Hi Pras, thanks for the help. Thanks for explaining it. – xxestter Jul 01 '20 at 01:53
  • Or e.g. https://stackoverflow.com/questions/59569969/ https://stackoverflow.com/questions/11578054/ https://stackoverflow.com/questions/41384650/ https://stackoverflow.com/questions/27362588/ – dave_thompson_085 Jul 01 '20 at 02:09
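The two setups Pras describes, as an added example that is not part of the question or the answer: a one-way handshake, a two-way handshake, and a two-way handshake where the client has no certificate, run entirely in memory with Python's ssl module (not Java/Tomcat). It assumes the openssl command-line tool is on PATH; the CA name, the client CN "client1" and the SAN "localhost" are constructed test values.

```python
import ssl, subprocess, tempfile
def _openssl(*args):  # run one openssl CLI command (assumed on PATH), raise on failure
    subprocess.run(["openssl", *args], check=True, capture_output=True)
def make_pki(d):  # one test CA signs both certs (the answer's 'same CA for both' variant)
    ca_key, ca_crt, san = f"{d}/ca.key", f"{d}/ca.crt", f"{d}/san.cnf"
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=Test CA", "-keyout", ca_key, "-out", ca_crt)
    with open(san, "w") as f:  # the SAN the client's hostname check will look for
        f.write("subjectAltName=DNS:localhost\n")
    for name, cn, ext in (("server", "localhost", ["-extfile", san]), ("client", "client1", [])):
        _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={cn}",
                 "-keyout", f"{d}/{name}.key", "-out", f"{d}/{name}.csr")
        _openssl("x509", "-req", "-in", f"{d}/{name}.csr", "-CA", ca_crt, "-CAkey", ca_key,
                 "-CAcreateserial", "-days", "1", *ext, "-out", f"{d}/{name}.crt")
def contexts(d, two_way, client_has_cert):
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # one-way: verify_mode is CERT_NONE by default
    srv.load_cert_chain(f"{d}/server.crt", f"{d}/server.key")
    if two_way:  # demand a client cert and check it against the server's own trust store
        srv.verify_mode = ssl.CERT_REQUIRED
        srv.load_verify_locations(f"{d}/ca.crt")
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check by default
    cli.load_verify_locations(f"{d}/ca.crt")  # client trust store, the role the Windows root store plays
    if client_has_cert:
        cli.load_cert_chain(f"{d}/client.crt", f"{d}/client.key")
    return srv, cli
def handshake(srv, cli):
    """In-memory handshake; returns the client-cert CN the server saw, or why it saw none."""
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = cli.wrap_bio(c_in, c_out, server_hostname="localhost")
    server = srv.wrap_bio(s_in, s_out, server_side=True)
    pending = {client: (c_out, s_in), server: (s_out, c_in)}  # side -> (its outgoing, peer's incoming)
    for _ in range(10):  # a handshake needs only a few flights in each direction
        for side, (out, peer_in) in list(pending.items()):
            try:
                side.do_handshake()
                del pending[side]
            except ssl.SSLWantReadError:
                pass  # waiting for the peer's next flight
            except ssl.SSLError as e:  # e.g. the server rejecting a client that sent no cert
                return f"handshake failed: {e.reason}"
            peer_in.write(out.read())  # forward whatever this side produced
    assert not pending, "handshake did not complete"
    cert = server.getpeercert()  # None unless the server requested and verified a client cert
    return dict(rdn[0] for rdn in cert["subject"])["commonName"] if cert else "no client certificate"
def demo():
    with tempfile.TemporaryDirectory() as d:
        make_pki(d)
        return {"one-way": handshake(*contexts(d, False, False)),
                "two-way": handshake(*contexts(d, True, True)),
                "two-way, client has no cert": handshake(*contexts(d, True, False))}
```

demo() returns one result per case; the "no client cert" case fails on the server side, because the server is the party that asks for and checks the client certificate in two-way mode.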