Who is responsible for creating the client certificate?

Daniel Lee

My company is providing an ASP.NET web service method to a third-party company.
It's implemented using client certificate authentication over SSL. My network
manager generated a client certificate for the company. However, the company
decided to create their own. The issue is that they need to have control
of the private key.

Here is my sample for the client code:

using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

com.inswriter.confirm.Service service = new com.inswriter.confirm.Service();

// Acknowledge the pipeline and optionally check and see that the Server
// Certificate matches what you want, in this case
// "CN=CertName"
string certName = "CN=CertName";

ServicePointManager.ServerCertificateValidationCallback =
    delegate(Object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors err)
    {
        // Only the issuer name is compared; 'chain' and 'err' are not examined.
        return cert.Issuer.Equals(certName);
    };

// Attach the client certificate,
X509Certificate c = X509Certificate.CreateFromCertFile(
    @"C:\CertFileDir\lynxder.cer");

service.ClientCertificates.Add(c);

// submit request (no message encryption)
string response = service.getpolicy(request);


My question is:
Is the private key in the certificate involved at all in the client request?
If not, does it matter who generates the certificate?


Thanks in advance
 
Techno_Dex

The idea behind a certificate is there is a public and a private key. You
can sign your data with your cert's private key and someone on the other end
with your public key can validate your signed data packet. Certificates are
based on trust, so as long as you trust the certificate authority chain then
all is good. In theory, both sides can each have a certificate, then you
both exchange your public keys which allow you to each sign your data with
your own private key then validate (unencrypt, etc.) with the public key.
 
Daniel Lee

Thanks Techno_Dex. Somehow I did not get an email notification.

If I use a client certificate (the .der file), does it mean the client only
contains the public key and will use it for authentication purposes?

Thanks
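
Added example, not part of any post in this thread: a C# sketch of which side holds what in client-certificate authentication, covering the key-ownership and .cer/.der questions raised above. It assumes .NET Framework 4.7.2 or later (or .NET Core 2.0+) for CertificateRequest; the subject name and the signed data are constructed, and a self-signed certificate stands in for the one an issuer would return for the CSR.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

class ClientCertKeyDemo
{
    static void Main()
    {
        // The party that will authenticate generates the key pair locally,
        // so the private key never leaves its machine.
        using (RSA key = RSA.Create(2048))
        {
            var req = new CertificateRequest(
                "CN=partner-client.example",   // constructed subject name
                key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

            // PKCS#10 request: public key plus a signature proving possession.
            // This is the only thing the issuer needs to receive.
            byte[] csr = req.CreateSigningRequest();
            Console.WriteLine("CSR bytes to send to the issuer: " + csr.Length);

            // Stand-in (assumption) for the certificate the issuer returns.
            using (X509Certificate2 withKey = req.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(30)))
            {
                // A .cer/.der file is just this DER encoding: certificate only.
                byte[] cerBytes = withKey.Export(X509ContentType.Cert);
                using (var cerOnly = new X509Certificate2(cerBytes))
                {
                    Console.WriteLine("Key-bearing cert HasPrivateKey: " + withKey.HasPrivateKey);
                    Console.WriteLine(".cer copy HasPrivateKey:        " + cerOnly.HasPrivateKey);

                    // In the TLS handshake the client signs handshake data with
                    // the private key; the server verifies it with the public
                    // key taken from the certificate. Constructed sample data.
                    byte[] data = Encoding.ASCII.GetBytes("constructed handshake transcript");
                    byte[] sig = key.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                    using (RSA pub = cerOnly.GetRSAPublicKey())
                    {
                        Console.WriteLine("Server-side verify with .cer key: " +
                            pub.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
                    }
                }
            }
        }
    }
}
```

On Windows, a certificate loaded from a .cer file can be used for client authentication only when the matching private key is already installed in a certificate store on that machine and is accessible to the calling account.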
 
