SSL: A Client Certificate vs Server Certificate

How client vs server certificates are used for authentication

As of 2018, most website owners are acutely aware of server SSL certificates. Client SSL certificates? Not so much. And that’s a shame because client SSL certificates can play a critical security function for larger organizations — provided they know how to effectively deploy them. What’s the difference between a client certificate vs a server certificate, and how is each used? Let’s check it out.

Comparing the Use of a Server Authentication Certificate vs Client Authentication Certificate

In this article, we’ll give an overview of the two different types of SSL certificates and what their intended use cases are. The first two sections will address the question “What is a client certificate vs server certificate?” before moving on to provide use case examples of client SSL certificates and how they’re authenticated.

What’s a Server SSL Certificate?

99% of the time when you hear someone mention an SSL/TLS certificate, they’re referring to the server variation. These certificates accomplish two things:

  1. They authenticate the entity that they’ve been issued to, and
  2. They facilitate secure HTTPS connections.

There are three different validation levels associated with server certificates: domain, organization, and extended. They’re intended to assert varying levels of identity assurance based on the needs of the site(s). There are also different types of certificates that vary by use case: single domain, multi-domain, and wildcard.

The idea behind a server SSL certificate is simple: when a web user arrives, the server sends the user’s browser the certificate. The browser then verifies the authenticity of the certificate, which in turn verifies the organization or website that owns it. The certificate also binds a public/private key pair to the website or server, and that key pair can be used to exchange session keys securely.

What’s a Client SSL Certificate?

A client certificate is a digital certificate used by a person/device to authenticate their identity to a remote server while making an online request. A server can rely on the client certificate to establish trust before responding to the request.

Remember all the stuff we just discussed about encryption and sharing session keys? Yeah, forget about it now. Client SSL certificates are issued entirely for the authentication of the party that owns them. They’re most commonly deployed to Internet of Things (IoT) devices, which is why they’re sometimes called IoT certificates, but they can also be used with smartphones, tablets, laptops — you name it. Anything that connects to the internet.

What is the Use Case for Client SSL Certificates?

The simple answer? Two-factor authentication. Two-factor authentication (2FA) requires two of the following three things: something you have, something you know, or something you are. The password is what you know. Typically, what you have is proven via an SMS message code or by clicking a link in an email.

A client SSL certificate handles the “something you have” requirement simply by residing on the device. When you use SSL/TLS for two-factor authentication, the device you’re connecting with is authenticated at the outset of the connection — when the password is entered. If either fails, the connection fails. Otherwise, an encrypted connection ensues.

This is especially useful in large enterprise environments where paying for physical random number generators (RNGs) or some other mechanism is cost prohibitive. Instead, you can automate your certificate management platform to issue new device certificates to any device that’s given network access. From there, anytime the employee tries to access gated portions of the network, their certificate will be authenticated before establishing the connection.

How is a Client SSL Certificate Authenticated?

Any time an SSL/TLS certificate is involved in a connection, a handshake ensues. During the handshake, the client examines the certificate and verifies its validity. It does this by verifying the signature, following the certificate chain, and checking CT logs and revocation lists. Provided all this checks out, the certificate is trusted.

When a client SSL certificate is involved, the authentication that occurs during the handshake goes both ways. Client SSL certificates also have a public/private key pair associated with them, though in this case it’s entirely for authenticating the signature, not for encryption. The server handles the encryption. But it also uses the client certificate’s public key to verify the issuing CA’s signature and runs the same set of validity checks.

Provided mutual authentication is achieved, the connection continues unabated.
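The mutual handshake described above, as an added Go (standard library) example that is not from the original article: an in-process self-signed CA stands in for the organization's certificate-management platform, the server admits only client certificates that chain to that CA, and the same function shows what the server does when a device has no certificate or one from an untrusted issuer. NewCert, MutualTLS, the device name and the CA names are constructed for this example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// NewCert issues a certificate for cn: a self-signed CA when parent is nil, else a leaf signed by parent.
func NewCert(cn string, parent *tls.Certificate) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, DNSNames: []string{"localhost"},
	}
	if parent == nil { // self-signed root: the template signs itself
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}
// MutualTLS runs one loopback handshake against a server that admits only client certificates chaining
// to ca, and returns the CommonName it verified (pass no clientCert to simulate a device without one).
func MutualTLS(ca, serverCert tls.Certificate, clientCert ...tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srv := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientCAs: pool}
	srv.ClientAuth = tls.RequireAndVerifyClientCert // demand the "something you have" and verify it against ClientCAs
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	// Client side: it verifies the server certificate against the same CA, then offers its own certificate.
	go tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "localhost", Certificates: clientCert})
	c, err := ln.Accept()
	if err != nil {
		return "", err
	}
	defer c.Close()
	if err := c.(*tls.Conn).Handshake(); err != nil { // signature, chain and validity checks on the client cert
		return "", err
	}
	return c.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}
```

The server only learns the device's identity from a certificate that validates against its own CA; a missing certificate or one signed by another key, even under an identical CA name, fails the handshake before any request is served.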

Client SSL certificates are a fast, affordable way to handle two-factor authentication without ever having to invest in hardware.