0
votes

I am using the OpenSSL program to generate my self-signed SSL certificates: I created a CA certificate and a webserver certificate, and I signed the webserver certificate with the CA certificate. I created a keystore with Java's keytool to import the webserver's certificate.

On the client side, I have imported the CA certificate into the client's Certificate Manager, under "Trusted Root Certification Authorities".

In theory, is this setup considered one-way TLS or two-way TLS communication?

Thank you so much for the help!

1
Your authentication is one-way. Communication (aka data) in TLS is always 'two-way' aka full-duplex or fdx, regardless of the authentication. In particular the WWW (HTTPS) uses HTTP (a two-way protocol, hdx or fdx depending on version and options) over TLS/SSL, but there are millions of other uses of TLS/SSL. – dave_thompson_085

@dave_thompson_085, can I check with you? My authentication is not two-way because I didn't configure my browser, Chrome, to give any certificate to my server? I am guessing, please correct me. – xxestter

Yes. As Pras' answer said, TLS/SSL normally authenticates the server with a cert (and key), which is one-way auth; if you also authenticate the client (including but not limited to a web browser) with a cert (and key), that is two-way auth. – dave_thompson_085

1 Answer

1
votes

In the TLS protocol, by default the client validates the server's authenticity: the server sends its certificate during the handshake and the client validates it with the CA certificate in its trust store. That is a one-way setup.

For two-way, during the handshake the server also asks for a certificate from the client, and it validates the certificate sent by the client with the CA certificate in its trust store. So if you want to use a two-way setup, you need to generate a client CA certificate and a client certificate (it will be signed by the client CA certificate); the same CA certificate needs to be configured at the server so that it (the server) will be able to validate the client certificate it receives during the handshake. You can also decide to keep the same CA certificate for both client and server certificates, making sure the client and server certificates are signed by the same CA.
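
The setup this answer describes, as an added example that is not part of the original answer: one CA signs both a server and a client certificate, and `openssl verify` stands in for the check each side performs on its peer during the handshake. File names, subject names and the `changeit` password are constructed for illustration.

```shell
#!/bin/sh
# Added example: PKI for two-way (mutual) TLS with one CA shared by both sides.
# All file names and subject names below are constructed for illustration.

make_mtls_pki() (          # subshell body: cd and set -e stay local
    set -e
    mkdir -p "$1"; cd "$1"
    cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # 1. Self-signed CA; ca.crt goes into the trust store of BOTH peers.
    openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" -keyout ca.key -out ca.crt 2>/dev/null
    # 2. Server and client leaf certificates, each signed by that CA.
    for name in server client; do
        openssl req -config req.cnf -newkey rsa:2048 -nodes \
            -subj "/CN=$name.example.test" \
            -keyout "$name.key" -out "$name.csr" 2>/dev/null
        openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key \
            -CAcreateserial -days 30 -out "$name.crt" 2>/dev/null
    done
    # 3. Bundle the client key and cert as PKCS#12 for import into a browser.
    openssl pkcs12 -export -inkey client.key -in client.crt \
        -certfile ca.crt -passout pass:changeit -out client.p12
    # 4. A self-signed client cert that the CA never issued (negative case).
    openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=rogue.example.test" -keyout rogue.key -out rogue.crt 2>/dev/null
)

# What each side checks in the handshake: does the peer's cert chain to the
# CA in my trust store, and is it usable for that role?
verify_peer() {   # usage: verify_peer <ca.crt> <sslserver|sslclient> <cert>
    openssl verify -CAfile "$1" -purpose "$2" "$3" >/dev/null 2>&1
}

# Demo run: build everything in a temp dir and report each check.
dir=$(mktemp -d)
make_mtls_pki "$dir"
verify_peer "$dir/ca.crt" sslserver "$dir/server.crt" && echo "client accepts server"
verify_peer "$dir/ca.crt" sslclient "$dir/client.crt" && echo "server accepts client"
verify_peer "$dir/ca.crt" sslclient "$dir/rogue.crt"  || echo "server rejects rogue"
```

The first check is the only one that happens in the one-way setup from the question. The second and third happen only once the server is configured to request a client certificate and has `ca.crt` in its trust store.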