Your client needs to have a certificate issued by a CA that the server
trusts, and the server must request client authentication by
name-of-CA-that-it-will-accept.  The client can then provide its
certificate (it knows which one based on the requested issuer name)
and prove ownership of the private key that goes with the public key
in the certificate, thus authenticating.

The root certificate that issued the server's certificate needs to be
in your client's local roots directory in order for the client to
authenticate the server (not just 'in order for the client to
authenticate TO the server', since the client will not attempt to
authenticate if the server does not authenticate to the client).  If
it doesn't have it, then the authentication will fail.  You can
(generally, but not always) obtain the root certificate from the chain
that the server sends to a query with 'openssl s_client -connect
host:port -showcerts'; however, this may be subject to a MITM attack
and you should verify the root independently before adding it
willy-nilly to the client's roots directory.

-Kyle H

On Fri, Jun 20, 2008 at 1:05 AM, AlokBhatnagar <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I have created my test client and server application. For that I also
> created a Root CA Certificate and using that certificate I created client
> and server certificates. Using those certificates the handshaking has been
> done between the client and server and they are communicating properly.
>
> Now I want my client application to communicate with an actual server.
>
> So I want to know how will my client authenticate the server since I don't
> have the server's root certificate?
>
> Thanks in Advance..
>
> Regards
> Alok Bhatnagar
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
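The two points above (the issuing root has to be in the client's roots directory, and a root pulled from the server's own chain should be checked against an independently known fingerprint before it goes there) as an added, self-contained demo; this is not code from the thread. It builds a throwaway root CA and server certificate with the openssl CLI, uses a constructed file in place of the `s_client -showcerts` output, and assumes OpenSSL 1.1.1 or later for `-no-CAfile`.

```shell
#!/bin/sh
# Added demo (not from the thread): a server cert only verifies once the root
# that issued it sits in the client's -CApath directory, and a root taken from
# the server's chain is checked by fingerprint before it is installed there.
# Everything here is constructed: throwaway root CA, server cert, chain file.
WORK=$(mktemp -d); cd "$WORK"
mkdir -p roots empty split

# Throwaway root CA and a server certificate signed by it (constructed)
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/CN=Demo Root CA" -days 1 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=server.example" 2>/dev/null
openssl x509 -req -in server.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -out server.pem -days 1 2>/dev/null
# Stand-in for what "openssl s_client -connect host:port -showcerts" prints:
# the chain the server sends, leaf first, root last
cat server.pem root.pem > chain_from_server.pem

# Split a PEM chain into numbered files (cert-1.pem is the leaf).
split_chain() {   # $1 = chain file, $2 = output dir
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
                     f { print > f } /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
}
# SHA-256 fingerprint of one certificate, to compare with an out-of-band value
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
# Install a root under the hashed filename OpenSSL looks up in a -CApath directory
install_root() {  # $1 = root PEM, $2 = roots dir
    cp "$1" "$2/$(openssl x509 -hash -noout -in "$1").0"
}
# Does the server cert chain to a root in the given directory? (default CA file off)
verify_against_dir() {  # $1 = roots dir, $2 = server cert
    openssl verify -no-CAfile -CApath "$1" "$2" >/dev/null 2>&1
}

split_chain chain_from_server.pem split
TOP=$(ls split/cert-*.pem | tail -n 1)            # last cert the server sent
openssl x509 -in "$TOP" -noout -subject -issuer   # inspect it before trusting it
verify_against_dir roots server.pem || echo "before installing the root: verification fails"
# In the demo the "independent" value is root.pem's own fingerprint; in practice it
# must come from the CA's published fingerprint, never from the same connection.
EXPECTED=$(fingerprint root.pem)
if [ "$(fingerprint "$TOP")" = "$EXPECTED" ]; then
    install_root "$TOP" roots
fi
verify_against_dir roots server.pem && echo "after installing the root: verification succeeds"
```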
