[syslog-ng] Syslog-ng mutual self cert authentication

PÁSZTOR György pasztor at linux.gyakg.u-szeged.hu
Fri Jan 15 11:42:58 CET 2016


Hi,

"Ivan Adji - Krstev" <akivanradix at gmail.com> wrote on 2016-01-15 at 11:18:
> You mean the cacert.pem or the servercert.pem ? and vice versa ?

The servercert.pem is the cert pair for the key that the server has.
The (server)cert is the "public" part of the key, and the key file is the
private part.
The servercert is signed with the cacert. As far as I saw from your example,
you defined a different CA for signing the servercert, and do that separately
to sign the client's cert.
So the CA that you have created to sign the server's CSR (so, after the
signing it becomes a cert) is the one which should be published to the
client side ca dir.
So when the TLS handshake happens, the client sees that whups, here is a
server cert. It checks the issuer's fingerprint in the cert.
Based on the fingerprint it will find the CA's cert in its local ca dir.
It checks if that signature is valid, and the client is happy.
The same will happen on the server side symmetrically:
The client will show up with its own cert.
The server sees it is signed with the other CA (the one which you used
to sign the client cert).
Based on the fingerprint, it starts to check if it is available in its ca
dir.
If you install that there, and the appropriate symlink is also available,
then it will also find that CA cert. It will check if the client
certificate is valid.
It will be.
Both sides will be happy, and communicate gladly inside an encrypted
channel.

Was this description clear?

Kind regards,
Gyu
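The exchange described in the message above, worked through as a shell script. This is an added example, not part of the original post and not code from syslog-ng: it creates the two separate CAs, signs the server cert with one and the client cert with the other, installs each CA cert into the other side's ca dir together with the <hash>.0 symlink that OpenSSL (and therefore syslog-ng's ca_dir() option) needs to find it, and then runs the check each peer performs on the other's cert during the handshake. It also shows that the client cert is rejected when checked against the wrong ca dir. It assumes the openssl command-line tool (1.1.1 or newer) is on PATH; every name in it (server-ca, client-ca, server, client, the *_ca_dir directories) is invented for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post or from syslog-ng.
# Two separate CAs: one signs the server cert, one signs the client cert.
# Each CA cert is then installed into the *other* side's ca dir with the
# <subject-hash>.0 symlink that OpenSSL (and so syslog-ng's ca_dir()) looks up,
# and each peer's cert is verified against that directory the way a TLS peer
# would.  Requires the openssl CLI (1.1.1 or later) on PATH; all names
# (server-ca, client-ca, server, client, *_ca_dir) are made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the result does not depend on the system openssl.cnf:
# CA certs get CA:TRUE (required for them to be accepted as issuers),
# leaf certs get CA:FALSE.
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
EOF

# make_ca NAME: self-signed CA -> NAME.key (private) and NAME.pem (public cert)
make_ca() {
    openssl req -x509 -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
        -days 30 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue NAME CA: key + CSR for NAME, CSR signed by CA -> NAME.pem
issue() {
    openssl req -new -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
        -extfile "$WORK/demo.cnf" -extensions leaf \
        -out "$WORK/$1.pem" 2>/dev/null
}

# install_ca CERT DIR: copy a CA cert into a ca dir and add the hash symlink.
# Without the <hash>.0 link, -CApath (and syslog-ng's ca_dir()) will not find it.
install_ca() {
    mkdir -p "$2"
    cp "$1" "$2/"
    ln -sf "$(basename "$1")" "$2/$(openssl x509 -noout -hash -in "$1").0"
}

# peer_check CERT DIR: succeeds only if CERT chains to a CA found in DIR
peer_check() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Runs the whole setup and reports the three checks as one line.
mutual_auth_demo() {
    make_ca server-ca
    make_ca client-ca
    issue server server-ca      # the servercert.pem / key pair of the post
    issue client client-ca      # the client's cert pair, signed by the other CA

    # Cross-install: the client's ca dir holds the CA that signed the server,
    # the server's ca dir holds the CA that signed the client.
    install_ca "$WORK/server-ca.pem" "$WORK/client_ca_dir"
    install_ca "$WORK/client-ca.pem" "$WORK/server_ca_dir"

    r=""
    # what the client does with the server cert during the handshake
    peer_check "$WORK/server.pem" "$WORK/client_ca_dir" && r="server:ok" || r="server:fail"
    # what the server does with the client cert, symmetrically
    peer_check "$WORK/client.pem" "$WORK/server_ca_dir" && r="$r client:ok" || r="$r client:fail"
    # the client cert does NOT chain to server-ca: the wrong ca dir must reject it
    peer_check "$WORK/client.pem" "$WORK/client_ca_dir" && r="$r cross:accepted" || r="$r cross:rejected"
    echo "$r"
}

mutual_auth_demo   # prints: server:ok client:ok cross:rejected
```

In syslog-ng terms, client_ca_dir is what goes into ca_dir() of the client's tls() block and server_ca_dir into ca_dir() of the server's, with each side's own key and cert in key_file() and cert_file(). The symlink step is what c_rehash (or openssl rehash) does for a whole directory; if it is missing, the CA file can sit in the directory and still not be found, which is the "appropriate symlink" the message refers to.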

