August 4th, 2011, 09:42 AM
Role of certificate chain for client certificate authentication
I have a two server setup where the two servers communicate with each other over SSL. The SSL connection requires mutual authentication.
The SSL handshake happens successfully if both the server certificates have Server Authentication & Client Authentication in their Key Usage. However, if one of the server certificates has only Server Authentication as its Key Usage then the other server rejects this certificate with an error. This is expected.
The puzzling behavior is that if I use a certificate that is set for Server Authentication only but with its full certificate chain containing all intermediate & root CA certificates, the same certificate is accepted as a valid client certificate by the other server.
Is there a difference in the validation mechanism for client certificates if the full chain of the client certificate is present?