Personal Authentication Certificate: What Is a 2 Way SSL Certificate?


A quick guide on what a two way SSL certificate does and how you can use it for mutual authentication

An SSL/TLS certificate is used to secure the data transmission between a user’s browser and a website’s server. When most people talk about these certificates, they’re referring to server certificates, which are used to authenticate servers to clients. But what if you also need to perform client authentication, meaning that you want to authenticate the client to the server? This is where two way SSL certificates (or “2 way SSL”) come in handy.

Why would you need this other type of certificate? Because when both types of certificates are used together, they provide mutual authentication of both parties.

There is one very important thing to know: unlike a standard SSL certificate, a two way SSL certificate is actually known as a personal authentication certificate (PAC).

But before we explore the meaning of both of these SSL types, you first need to be familiar with how an HTTPS connection is made. So, let’s have a quick review:

How SSL Authentication Works (A Brief Overview)

  • The website owner buys an SSL certificate for their domain name(s) and sends a certificate signing request (an unsigned certificate containing their public key) to the certificate authority (CA).
  • The CA verifies the identity and domain ownership of the applicant by following a validation process. After successful validation, the CA issues an SSL certificate for the domain, binds the server’s public key to the certificate and signs it using its own intermediate CA certificate.
  • When a browser (client) tries to connect to a website, the SSL handshake process takes place.
  • Once the SSL handshake process is over, the browser generates a session key and encrypts it using the public key attached to the server’s SSL/TLS certificate.
  • The session key reaches the server, which decrypts it using the corresponding private key.
  • From then on, this session key is used to encrypt and decrypt all the data transferred between the server and the browser.

We highlighted the phrase “SSL handshake process” because one-way SSL and 2 way SSL differ only in the type of certificate used and in the SSL handshake process itself. All the other steps remain the same.

Now that you know the basics, let’s explore the meaning, workings, and usage of the one-way and two way SSL authentication processes.

How One-Way SSL Authentication Works with a Traditional SSL/TLS Certificate

Let’s start with the SSL certificate you’re most familiar with. In every such communication there are two endpoints involved: the browser and the website it’s connecting to (i.e., a client and a server). In one-way SSL authentication, only the identity of one endpoint, the server, is verified. When you open a website, your browser verifies the legitimacy of the website’s server by checking the site’s SSL certificate. One-way SSL certificates are also known as server authentication certificates.

Let’s understand how the SSL handshake process takes place in one-way SSL authentication:

  1. When a user attempts to connect to a website in their web browser, the browser tries to establish an HTTPS connection to the website’s server. It sends the list of cipher suites it supports to the server in the ClientHello message.
  2. The server responds by sending its public certificate (i.e., the SSL/TLS certificate) to the browser.
  3. The browser checks whether the certificate is legitimate (i.e., not expired or revoked), supports current algorithms, is properly configured, etc.
  4. After that, the browser verifies the CA’s signature on the certificate against its pre-installed root store.
  5. If everything checks out, the SSL handshake process completes and the browser generates the session key.

As you read above, in the entire SSL handshake process only the server’s SSL certificate is verified. Basically, this process lets the browser make sure that it’s connecting to the right website’s server, and that all of the data is routed only to the intended site, over a secure connection.

Now, let’s move to the next type of authentication to understand how the 2 way SSL authentication process differs from one-way SSL.

How Two Way SSL Authentication Works with a Personal Authentication Certificate

In two way SSL, both the client’s and the server’s identities are verified during the SSL handshake process. That’s why they’re also known as mutual authentication SSL certificates. Now, let’s explore how the 2 way SSL handshake differs:

  1. When a user tries to connect to a website in their web browser, the browser tries to establish an HTTPS connection to the website’s server. It sends the list of cipher suites it supports to the server in the ClientHello message.
  2. The server responds by sending its public certificate (i.e., the SSL/TLS certificate) to the browser.
  3. The browser checks whether the certificate is legitimate (i.e., not expired or revoked), supports current algorithms, is properly configured, etc.
  4. After that, the browser verifies the certificate authority’s signature on the certificate against its pre-installed root store.
  5. Once it has successfully verified the server, the client (browser) sends its own public certificate to the server.
  6. The server verifies the browser’s certificate and the CA’s signature on it.
  7. If everything checks out, the SSL handshake process completes and the browser generates the session key.

As you can see, the two way SSL handshake involves two additional steps (steps 5 and 6 above), in which the client presents its certificate and the server verifies it.

2 way mutual SSL authentication requires the use of:

  • A private key,
  • A personal authentication certificate,
  • A CA’s root certificate, and
  • A CA’s intermediate certificate (though not required in all cases)

Once the client verifies the server’s identity, the server gets a chance to verify the client’s identity, too. Here, both parties have their own separate SSL certificates, which must be signed by a publicly trusted certificate authority.
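The one-way and two way handshakes described above, as an added Go example that is not part of the original article. It builds a throwaway certificate hierarchy in memory using only the Go standard library (a constructed CA, a server certificate for localhost and a client certificate for a made-up user, alice@example.test; all of these names are assumptions) and then runs two loopback handshakes against a server configured to require client certificates: one where the client offers its personal authentication certificate and one where it does not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// leaf returns a one-hour-valid certificate template for the given subject.
func leaf(serial int64, cn string, eku x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
}

// issue generates a P-256 key pair and has the CA sign tmpl for it (the CA's signing
// step in the article); a nil caKey makes it self-signed. These are constructed fixtures, so failures panic.
func issue(tmpl, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if caKey == nil {
		ca, caKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// buildConfigs issues a constructed CA, a server certificate and a client (personal authentication)
// certificate, and returns the server's two-way TLS config plus client configs with and without that certificate.
func buildConfigs() (server, withCert, withoutCert *tls.Config) {
	caT := leaf(1, "Constructed Test CA", x509.ExtKeyUsageAny)
	caT.IsCA, caT.BasicConstraintsValid = true, true
	caT.KeyUsage |= x509.KeyUsageCertSign
	ca, caKey := issue(caT, nil, nil)
	srvT := leaf(2, "localhost", x509.ExtKeyUsageServerAuth)
	srvT.DNSNames = []string{"localhost"}
	srv, srvKey := issue(srvT, ca, caKey)
	cli, cliKey := issue(leaf(3, "alice@example.test", x509.ExtKeyUsageClientAuth), ca, caKey)
	pool := x509.NewCertPool() // the CA root certificate: the trust anchor for both sides
	pool.AddCert(ca)
	// This is what turns one-way TLS into two-way TLS: the server demands a
	// client certificate and verifies it against the CA (steps 5 and 6 above).
	server = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
	}
	// Both clients verify the server against the CA; only one can answer the server's certificate request.
	withoutCert = &tls.Config{RootCAs: pool, ServerName: "localhost"}
	withCert = &tls.Config{RootCAs: pool, ServerName: "localhost",
		Certificates: []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}}}
	return server, withCert, withoutCert
}

// mutualHandshake runs one loopback connection and returns the server's view: the verified
// client subject, or the handshake error. The server's verdict is used because in TLS 1.3 a
// rejected client certificate only reaches the client on its first Read, after Dial has returned.
func mutualHandshake(serverCfg, clientCfg *tls.Config) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var peer string
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			if err = conn.(*tls.Conn).Handshake(); err == nil {
				peer = conn.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName
			}
		}
		srvErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	err = <-srvErr
	return peer, err
}
```

Calling `mutualHandshake(server, withCert)` returns the verified client subject, alice@example.test, while calling it with `withoutCert` returns the server-side handshake error, because the handshake cannot get past steps 5 and 6 when no client certificate arrives. The server's verdict, not the client's Dial result, is the reliable signal here: under TLS 1.3 the client finishes its half of the handshake before the server has checked the client certificate, so a client that only checks Dial's error would believe it was authenticated.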

Uses of a 2 Way SSL Certificate

Two way SSL certificate authentication is also known as mutual authentication. With a server certificate alone, only the server’s identity is verified during the initial SSL handshake. Two way SSL certificate authentication is a method in which the client’s identity is also verified during that initial handshake, so the two way handshake authenticates both client and server.

So now that you know how the SSL handshake process differs between one-way SSL and two way SSL, the next question is: why is a two-way certificate necessary? Websites use two-way certificates to control which clients may interact with them securely.

For example, an organization’s intranet website typically exists for its employees to access information and communicate on official matters. The organization doesn’t want anyone else to reach such an internal website and would like to restrict the audience. Moreover, employees should access that website only from their official devices, to further mitigate the risk of unauthorized access.

In such cases, the organization can use a two-way SSL certificate to authenticate clients before letting them access the website. Companies can also use it to keep cybercriminals and bots out of their sites.

Conclusion

2 way certificates are generally used within organizations for internal communication. For example, when you have an S/MIME or personal authentication certificate on all of your employees’ devices, no one can intercept and read the communication between the two endpoints. As far as SSL certificates are concerned, some organizations use them to block particular users, or website visitors from a particular geographical location. Either way, a two way SSL certificate, or any other 2 way certificate such as S/MIME, provides robust security for your internal and external communications.

Get Sectigo’s email signing certificate, which functions as a Personal Authentication Certificate, too.

Buy it today at a discounted price of $12.95/year and Save 20%!
