What is the difference between an X.509 "client certificate" and a normal SSL certificate?
I am setting up a web service through which my company will talk to a number of business customers' services. We will be exchanging information using SOAP. I would like to handle authentication with SSL certificates provided by both parties, but I'm a bit lost on whether there's a fundamental difference between the types of certificates.
When people talk about HTTPS, they talk about getting an SSL certificate from Verisign or another authority. When they talk about client-side authentication, they talk about getting an X.509 certificate. Are these two words for the same thing, can one be turned into the other, or is there some other difference that I'm not grasping?
An X509 Certificate is a type of public key in a public/private key pair. These key pairs can be used for different things, like encryption via SSL, or for identification. SSL Certificates are a type of X509 certificate. SSL works by encrypting traffic as well as verifying the party (Verisign trusts this website to be who they say they are, therefore you probably could too). Verisign acts as a Certificate Authority (CA). The CA is trusted in that everything that it says should be taken as truth (Running a CA requires major security considerations). Therefore if a CA gives you a certificate saying that it trusts that you are really you, you have a user certificate/client certificate.
Some of these types of certificates can be used across the board, but others can only be used for certain activities.
If you open a certificate in Windows (browse to something over SSL in IE and look at the certificate properties) or run certmgr.msc and view a certificate, look at the Details tab > Key Usage. That will dictate what the certificate is allowed to do/be used for.
For SOAP, the certificate can be used for two things: identification and encryption. Well, three if you include message signatures (message hashing).
Client certificates identify the calling client or user. When the application makes a SOAP request, it hands the certificate to the web service to tell it who is making the request.
Ah, neat, so all SSL certs are x509 certs, which means that I can just grab an SSL cert from Verisign and use it for client requests. An X509 cert doesn't necessarily have usage set to allow for identity or authentication, though. Cool, thanks!
@CaptainAwesomePants, you may be able to use the SSL cert from Verisign as a client cert. If the key usage doesn't include Client Authentication, then it probably won't be accepted for client authentication.
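As an added example (not code from the original answer or its comments), the following shell script creates two constructed, throwaway self-signed certificates with openssl, one with extendedKeyUsage set to serverAuth and one set to clientAuth, and then checks each for the "TLS Web Client Authentication" usage that the Key Usage discussion above and the comment about Client Authentication refer to. It assumes openssl 1.1.1 or later is on PATH (needed for the -addext and -ext options).

```shell
#!/bin/sh
# Added example: inspect the Extended Key Usage of X.509 certificates to see
# which ones a TLS client may present for client authentication.
# Assumes openssl >= 1.1.1 on PATH. All certificates below are constructed
# test data generated on the fly and deleted on exit.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME EKU: generate a constructed self-signed certificate whose
# extendedKeyUsage extension carries the given value (serverAuth/clientAuth)
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1.example.test" \
        -addext "keyUsage=digitalSignature" \
        -addext "extendedKeyUsage=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# allows_client_auth CERT: exit 0 when the certificate's Extended Key Usage
# includes TLS client authentication, 1 otherwise. A server-only certificate
# will be rejected here, which is what a strict TLS peer does as well.
allows_client_auth() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null \
        | grep -q 'TLS Web Client Authentication'
}

make_cert server serverAuth
make_cert client clientAuth

for name in server client; do
    if allows_client_auth "$WORK/$name.pem"; then
        echo "$name.pem: usable as a client certificate"
    else
        echo "$name.pem: NOT usable for client authentication"
    fi
done
```

To inspect a real certificate the same way, run the openssl x509 command from allows_client_auth against its PEM file; the first certificate prints "NOT usable" and the second "usable".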
Nice answer. But your intro is a confusing misstatement: "An X509 Certificate is a type of public/private key pair." If the private key was in there, you couldn't publish it.... Could you fix that?
@nealmcb updated. You are correct, however in the .NET dev world, an X509Certificate can contain the private key as well. I think that's why I wrote what I did.