Question

Does a web browser send client certificates to the web server on demand (meaning the web server is configured for client authentication and demands the client certificate), or does it just send all of the certificates that it has? If the web browser sends the client certificate on demand, then how does it know which client certificate to send to that particular web server?


Solution

I put my question on https://security.stackexchange.com/ and got this answer from @gowenfawr:

During the SSL handshake,

If the server requires a digital certificate for client authentication,
the server sends a "client certificate request" that includes a list of
the types of certificates supported and the Distinguished Names of
acceptable Certification Authorities (CAs).

(quote is from a reasonably lucid explanation of the SSL handshake by IBM.)

The client then compares the certificates in its store against that list to see if it has any signed by the CAs that the server listed. If it finds one, it will send it, usually after prompting the user whether they want to send it. Presumably if there were multiple matches it would ask the user which to send (if any).
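The exchange described in that answer, played end to end with Go's crypto/tls, as an added example that is not part of the original question or of @gowenfawr's answer. The server is configured to require a client certificate and is given a ClientCAs pool; that pool is exactly what becomes the list of acceptable CA Distinguished Names in its CertificateRequest (in TLS 1.3 the list travels in the certificate_authorities extension of that message, and Go surfaces it as CertificateRequestInfo.AcceptableCAs either way). The client side does the comparison the answer describes: the raw DER issuer DN of each certificate in its store is compared byte for byte with the DNs the server listed, the first match is offered, and with no match an empty Certificate message is sent. The CA names ("Corp CA", "Other CA"), the client CNs (alice, bob), the loopback TCP listener and the throwaway one-hour certificates are all assumptions made for the demo; nothing here is a browser's own code.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeCert issues a throwaway cert for cn: a self-signed CA when parent is nil, else a leaf signed by parent.
func makeCert(cn string, parent *tls.Certificate) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:    []string{"localhost"}, // lets the client verify the server leaf as "localhost"
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// chooseClientCert is the browser-side step from the answer: keep only store entries whose issuer DN is
// byte-for-byte one of the CA DNs the server listed, offer the first (a browser would prompt the user here),
// and with no match return an empty Certificate, which makes crypto/tls send an empty Certificate message.
func chooseClientCert(cri *tls.CertificateRequestInfo, store []tls.Certificate) *tls.Certificate {
	for i := range store {
		for _, ca := range cri.AcceptableCAs {
			if bytes.Equal(ca, store[i].Leaf.RawIssuer) {
				return &store[i]
			}
		}
	}
	return &tls.Certificate{}
}

// handshake runs one TLS handshake over loopback TCP. The server demands a client cert chaining to ca (its
// ClientCAs pool becomes the DN list in its CertificateRequest); the client selects from store. It returns
// the CN of the client cert the server accepted ("" if none) and the server's error.
func handshake(ca *x509.Certificate, server tls.Certificate, store []tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "localhost", GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
		return chooseClientCert(cri, store), nil
	}}
	srvCfg := &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return "", err }
	defer ln.Close()
	var acceptedCN string
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			srv := tls.Server(conn, srvCfg)
			if err = srv.Handshake(); err == nil { // on no match this fails: "tls: client didn't provide a certificate"
				acceptedCN = srv.ConnectionState().PeerCertificates[0].Subject.CommonName
			}
		}
		done <- err
	}()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil { return "", err }
	defer conn.Close()
	tls.Client(conn, cliCfg).Handshake() // a TLS 1.3 client returns before the server has judged its cert
	err = <-done // the receive also orders the goroutine's write to acceptedCN before the read below
	return acceptedCN, err
}

// Run builds the demo PKI and plays both cases: a store holding a cert from a CA the server named, and one without.
func Run() (acceptedCN string, matchErr, noMatchErr error) {
	corpCA, otherCA := makeCert("Corp CA", nil), makeCert("Other CA", nil)
	server := makeCert("localhost", &corpCA)
	alice, bob := makeCert("alice", &corpCA), makeCert("bob", &otherCA)
	// bob is listed first, but only alice's issuer appears in the server's DN list, so alice is offered.
	acceptedCN, matchErr = handshake(corpCA.Leaf, server, []tls.Certificate{bob, alice})
	_, noMatchErr = handshake(corpCA.Leaf, server, []tls.Certificate{bob}) // nothing to offer: server rejects
	return
}

func main() { fmt.Println(Run()) }
```

Run it with `go run`: the first handshake succeeds with the server reporting alice even though bob sits first in the store, and the second fails on the server side because the client had nothing issued by a listed CA and sent an empty Certificate message. Two caveats worth knowing. The comparison is on the DER bytes of the DN, so a CA whose subject is re-encoded differently (string types, attribute order) will not match even if it "looks" identical. And the example treats an empty CA list as "nothing matches", whereas browsers treat a CertificateRequest with no certificate_authorities as "any CA is fine" and prompt with every client certificate they hold; a server that wants the browser to narrow the choice must actually send its CA list.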

Licensed under: CC-BY-SA with attribution