Intuitively, you have to know that the client needs its private key for something. Since the public key certificate is public, it alone can't prove that the client is you. Anyone can send your certificate to a server, right?

In practice, the server walks the certificate chain, which proves that the certificate is cryptographically valid. It then sends a challenge to the client, which the client signs with its private key. Once the server verifies the signature using the client public key, it knows that the client is you (only if it trusts the certificate chain).

> If the client sends the server its certificate (public key) and the
> server validates the signature against the list of CA's to see if the
> client is authenticated/valid then my question is... if the client is
> not going to use the private key for signing does it even NEED the
> primary key AT ALL? Can it be deleted?

--
Ken Goldman [EMAIL PROTECTED] 914-784-7646

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
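The chain walk plus challenge/response that the reply describes, reduced to openssl command-line calls, as an added example that is not from the thread or the OpenSSL project. The file names, the self-signed certificate standing in for a CA-issued one, and a hand-rolled random challenge (real TLS signs the handshake transcript instead) are assumptions of this example.

```shell
# Added example (not from the thread): client-certificate authentication done by
# hand with the openssl CLI. File names and the self-signed cert are assumptions.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Client: key pair plus a self-signed certificate (stands in for a CA-issued one).
# Only client.crt is ever sent to the server; client.key stays with the client.
make_client_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=client" -days 1 \
        -keyout "$WORK/client.key" -out "$WORK/client.crt" >/dev/null 2>&1
}

# Server, step 1: walk the chain. Here the cert is its own trust anchor.
server_validates_chain() {
    openssl verify -CAfile "$WORK/client.crt" "$WORK/client.crt" >/dev/null
}

# Server, step 2: issue a fresh random challenge so a replayed signature is useless.
server_issues_challenge() {
    openssl rand -out "$WORK/challenge.bin" 32
}

# Client: prove possession of the private key by signing the challenge.
# $1 is the key file to sign with.
sign_challenge_with() {
    openssl dgst -sha256 -sign "$1" -out "$WORK/challenge.sig" "$WORK/challenge.bin"
}

# Server, step 3: verify the signature with the public key taken from the
# certificate. Exit status 0 means the signature is valid for that public key.
server_verifies_signature() {
    openssl x509 -in "$WORK/client.crt" -pubkey -noout > "$WORK/client.pub"
    openssl dgst -sha256 -verify "$WORK/client.pub" \
        -signature "$WORK/challenge.sig" "$WORK/challenge.bin" >/dev/null 2>&1
}

# Impostor: holds only the public certificate, so can only sign with some other
# key. The server's verification against the certificate must then fail.
impostor_signs_challenge() {
    openssl genpkey -algorithm RSA -out "$WORK/other.key" >/dev/null 2>&1
    sign_challenge_with "$WORK/other.key"
}

# Walk through both cases when run directly.
make_client_identity
server_validates_chain
server_issues_challenge
sign_challenge_with "$WORK/client.key"
server_verifies_signature && echo "genuine client: signature verified"
impostor_signs_challenge
server_verifies_signature || echo "impostor with certificate only: rejected"
```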