Server: Send optional certificate request

If the server wants to use authentication by client certificate

Send down the certificate request The server sends down
  • What certificate types it supports
  • What signature algorithms it supports in preferred order – so it can check the certificate sent to it
  • A list of the “certificate authority” certificates from the trust store. This can include self signed certificates
The client has logic like
  • For each signature algorithm in the list, in turn
  • .. For each certificate authority certificate
  • …. if the trust store has an entry matching the signature algorithm and the keystore; and the entry has a private certificate
  • …. Then use it
  • Else return “empty” – no certificate match the keystore.
*** CertificateRequest Cert Types: RSA, DSS ECDSA Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA,… Cert Authorities: These are the certificate authorities (or self signed certificates) They were listed at server start up in the initial section >CN=ECBPECC, OU=EC, O=ZZZZ< >CN=SSCA8, OU=CA, O=SSS, C=GB< >CN=TEMP4Certification Authority, OU=TEST, O=TEMP< >CN=CA_BPECC, OU=TEST, O=TEMP< >CN=TEMP4Certification Authorit2, OU=TEST, O=TEMP< >CN=SS, O=SSS, C=GB< *** ServerHelloDone It has finished the processing, send the data and wait for the reply <