Ask the Expert

Digital certificates and SSL

For using SSL, does the client side need to have a digital certificate (X.509v3)? If so, then why can I access secure Web sites from my computer that seemingly does not have a certificate? If it is not needed, then how does the client send its public key across to the secure server?


    Requires Free Membership to View

No, you do not need a certificate to use SSL. If you have one, it can be used to authenticate you to the server, but if you don't, then some other mechanism (like a password) can be used.

When you set up an SSL connection, usually, a Diffie-Hellman key exchange is done, but each side can actually negotiate how it is done.

You can find all the rules for how this is done in RFC 2246, the IETF standardization of SSL called Transport Layer Security. You can find this at http://www.ietf.org/rfc/rfc2246.txt.


For more information on this topic, visit these other SearchSecurity.com resources:
Ask the Expert: Finding the answers to specific SSL questions
News & Analysis: OpenSSL expert details flaws


This was first published in September 2002

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: