I would like to understand what happens in a request which includes a .pfx certificate to authenticate the client to the server. I know how to implement this in Python or use it in Postman, but I don't understand what happens in the background. In which part (header, body) of the request is the certificate included?
The certificate is presented as part of the TLS handshake.
During the handshake, if the server is configured to require a client certificate it will send a CertificateRequest message; the client will then respond with a Certificate message containing your .pfx certificate.
It is not presented as part of the HTTP request.
- Client sends ClientHello message proposing SSL options.
- Server responds with ServerHello message selecting the SSL options.
- Server sends Certificate message, which contains the server's certificate.
- Server requests client's certificate in CertificateRequest message, so that the connection can be mutually authenticated.
- Server concludes its part of the negotiation with ServerHelloDone message.
- Client responds with Certificate message, which contains the client's certificate.
- Client sends session key information (encrypted with server's public key) in ClientKeyExchange message.
- Client sends a CertificateVerify message to let the server know it owns the sent certificate.
- Client sends ChangeCipherSpec message to activate the negotiated options for all future messages it will send.
- Client sends Finished message to let the server check the newly activated options.
- Server sends ChangeCipherSpec message to activate the negotiated options for all future messages it will send.
- Server sends Finished message to let the client check the newly activated options.

mgh42
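As an added example (not code from the question or the answer, and in Go rather than the Python the asker mentions): a local mutual-TLS server and client. The handler reads the client's certificate from the TLS connection state, since no HTTP header or body carries it, and a request sent without the certificate fails with a TLS alert before the server ever sees an HTTP request. The client certificate is generated in-process as a stand-in for the .pfx, and the test server's own certificate stands in for the server's; `MutualTLSRoundTrip` and the CN `alice` are names chosen here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// MutualTLSRoundTrip starts a local HTTPS server that demands a client certificate, sends one GET
// with or without it, and returns the CN the server saw in the TLS handshake (not in the request).
func MutualTLSRoundTrip(presentCert bool) (string, error) {
	// Throwaway self-signed client certificate (constructed for this example; a real client loads its own from the .pfx).
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // errors dropped for brevity: only the RNG can fail here
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "alice"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the server accepts client certs chaining to this pool (here: the cert itself)
	// The handler reads the peer certificate from the connection state; no header or body carries it.
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS()
	defer srv.Close()
	client := srv.Client() // already trusts the test server's own certificate
	if presentCert {
		client.Transport.(*http.Transport).TLSClientConfig.Certificates = []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}
	}
	resp, err := client.Get(srv.URL)
	if err != nil {
		return "", err // without the certificate this is a TLS alert, not an HTTP status code
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}
```

Capturing the exchange with Wireshark shows the same thing: the Certificate and CertificateVerify messages sit in the handshake records, and the GET that follows is encrypted application data with no certificate in it.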