How do you strengthen a server's user authentication system? One solution is to simply add another authentication method. Most servers authenticate users through the usual username-password technique. If you can augment that with another method, you make it more difficult for unauthorized users to break in. For servers whose users connect through Web browsers, one option is client certificate authentication. Let's explore what this is.


Why Add Another Method Of Authentication?

When used properly, such as when you enforce strong passwords and keep them secret, username-password login systems can provide an adequate layer of security. Unfortunately, in the real world, password best practices are rarely enforced.


When that happens, username/password login systems become quite vulnerable. There are also cases where, in spite of strong password policies, password authentication systems still fall to a skilled and persistent attacker. Passwords can be compromised through brute-force attacks or a variety of social engineering techniques.

One way to strengthen user authentication on your server is to augment password authentication with another form of authentication. Authentication can be implemented using different factors:

- By asking for information only the user should know (a password or a passphrase)
- By asking for something only the user should have in their possession (a private/public key pair, an SSL certificate or smart card, or a digital certificate)
- By asking for something that's physically part of the user (a thumbprint or retinal scan)

When you combine two factors of authentication (something the user knows AND something the user has), the result is two-factor authentication. Combining more factors gives you multi-factor authentication.

Combining two or more factors of authentication makes it significantly more difficult for an attacker to succeed. That's what happens when you augment password authentication with client certificate based authentication. If an impostor manages to acquire a user's username and password, he would still have to overcome another challenge: getting hold of something that's supposed to be in the possession of that user, namely the client certificate.

Getting hold of either one (a username/password or an SSL/TLS client certificate) can already be quite difficult. Using both makes it exponentially more difficult.

What Is A Client Certificate?

A client digital certificate, or client certificate, is basically a file, usually protected with a password and loaded onto a client application (usually as a PKCS#12 file with a .p12 or .pfx extension, or in PEM format with a .pem extension).

Note: For those familiar with SFTP keys, client certs are similar to them.

Your certificate would typically contain pertinent information like a digital signature, expiration date, name of the client (the subject), name of the issuing CA (Certificate Authority), revocation-checking information (CRL or OCSP locations), the certificate version number, serial number, and possibly more, all structured using the X.509 standard.

At the start of an SSL or TLS session, the server (if configured to do so) may require the client application to submit a client certificate for authentication. Upon receiving the certificate, the server uses it to identify the certificate's source and determine whether the client should be allowed access.

Popular Web browsers like Firefox, Chrome, Safari, and Internet Explorer readily support client certificates. These digital certificates can also be loaded onto secure file transfer clients like AnyClient as well as other client applications that support SSL/TLS-protected protocols like HTTPS, FTPS, WebDAVS, and AS2.


Don"t confuse client certificates with hệ thống certificates. Both are digital certificates that involve client và server applications but they"re two different things. A VPS certificate is sent from the server to lớn the client at the start of a session and is used by the client to lớn authenticate the VPS. A client certificate, on the other h&, is sent from the client to lớn the server at the start of a session and is used by the hệ thống to lớn authenticate the client.


Of the two, server certificates are more commonly used. In fact, they're integral to every SSL or TLS session. Client certificates are not. They're rarely used because:

- They have to be installed on client machines/applications (making them tedious for system admins), and
- Most client end users are non-technical and don't want to be bothered.

Today, however, with ever-growing threats on the Web, it would be wise to employ client certificate authentication for sensitive Web sessions.

If you want to know how clients (Web browsers in particular) authenticate servers using server certificates, I suggest you read the post An Overview of How Digital Certificates Work.

As soon as you"re done with that, let"s discuss how client certificate authentication works.

How Client Certificate Authentication Works

Client certificate authentication (if applied at all) is carried out as part of the SSL or TLS handshake, an important process that takes place before the actual data is transmitted in an SSL or TLS session. Here's a simplified illustration that includes that part of the process.


1. First, the client sends a "client hello", wherein it introduces itself to the server and provides a set of security-related information.
2. The server responds with its own "server hello", accompanied by its server certificate and pertinent security details chosen based on the information initially sent by the client.
3. This is the optional step that initiates client certificate authentication. It is only carried out if the server is configured to request a digital certificate from the client for the purpose of authentication.
4. Before this step is performed, the client inspects the server certificate for authenticity. If all goes well, it transmits additional security details and its own client certificate.

Only after both server and client have successfully authenticated each other (in addition to other security-related exchanges) will the transmission of data begin.

We know from the blog article, An Overview of How Digital Certificates Work, how the client is able to validate the server certificate and authenticate the server. So how does the server authenticate the client?

Just like server certificate authentication, client certificate authentication makes use of digital signatures. For a client certificate to pass a server's validation process, the digital signature found on it must have been produced by a CA the server recognizes (that is, it must verify under the public key of a CA in the server's trust store). Otherwise, validation fails.


Get Your Free Trial

Would you like to try this yourself? MFT Server is platform-agnostic and can be installed on Microsoft Windows, Linux, Mac OS X and Solaris, and can handle any file transfer protocol as well as multiple protocols from a single server. Additionally, it enables you to handle any file type, including batch files and XML. Download your free 7-day trial of MFT Server now.


Related Content

- How To Create A Client Certificate
- How To Setup An AS2 Server With A QuickStart Guide
- Three Ways To Generate OpenPGP Keys
- Setting Up SFTP Public Key Authentication On The Command Line