Understanding Certificate Authentication

Over the Internet and intranets, identification takes the form of an authentication certificate, or simply, a certificate. News Server supports both server and user certificates.


Server Certificates

Server certificates are used by servers to authenticate to other servers or clients when exchanging encrypted information. A news server authenticates to a newsreader or to another news server that is connecting to send encrypted data.

When a newsreader connects to a news server, the server certificate identifies the news server to the newsreader. Provided the newsreader checks that certificate as described below, it is assured that it is connecting to the correct news server and not to an impostor placed between it and the server.

When a news server connects to a remote news server to send encrypted data, the remote news server sends its certificate to the sending server to identify itself. After the remote news server successfully identifies itself, the sending server starts the encrypted transmissions.

The following example provides a general overview of the behind-the-scenes server authentication process:

  1. A client (either a newsreader or another news server) sends a request to connect to a secure news server.
  2. The server sends its certificate to the client. The certificate carries the server's public key, the server's name, the name of the issuing Certificate Authority (CA) and the CA's signature over all of it.
  3. The client checks whether the server certificate was issued by a CA it trusts, by verifying the CA's signature on the certificate against a CA certificate the client already holds.

    If so, the client proceeds to the next step. If the client doesn't trust the CA, it can cancel the connection or proceed without server authentication. A connection that proceeds without server authentication is still encrypted, but the client has no assurance of who is at the other end of it. If the client is another news server, it cancels the connection.

  4. The client compares the information in the certificate with what it knows about the server it meant to reach: the name in the certificate must match the domain name the client connected to, and the certificate must be within its validity period.

    If the information matches, the client accepts the server's certificate and the public key it carries.

  5. The client generates a session key, a key to be used only for this connection, and encrypts it using the server's public key from the certificate.
  6. The client sends the encrypted session key to the server.
  7. The server decrypts the session key using its private key. Only the holder of the private key that matches the certificate can do this, which is what ties the encrypted session to the identity the certificate asserts.
  8. The client and the server use the session key to encrypt and decrypt the data they send and receive.

User Certificates

User certificates are used for newsreader authentication when a newsreader connects to the News Server. When a newsreader attempts to connect to the News Server, the server can request that the newsreader authenticate by sending a user certificate.

To transfer the user certificate, both the user and the server must be using Novell Certificate Server 2.0.

User certificates provide more secure authentication than basic username and password authentication. Only a newsreader that presents a valid certificate signed by a CA that you trust, and that holds the private key matching that certificate, can authenticate to your news server.

The following example provides a general overview of the behind-the-scenes user authentication process:

  1. A newsreader sends a request to connect to your News Server.
  2. The server sends its server certificate, which carries its public key, to the newsreader.
  3. After the server authenticates to the newsreader (as described under Server Certificates above), the server requests that the newsreader authenticate by sending its user certificate.
  4. The newsreader sends its user certificate, which carries the user's public key, to the server.
  5. The server uses the public key in the certificate to verify a signature that the newsreader computed with its private key. This proves that the newsreader holds the private key matching the certificate; a copy of the certificate alone is not enough, because certificates are public.
  6. The server checks whether the user certificate's CA is one that the server trusts, by verifying the CA's signature on the certificate.

    If so, the server proceeds to the next step. Otherwise, the server informs the newsreader that the user certificate was issued by an unknown CA.

  7. The server compares the information in the certificate with the information it has about the newsreader, and checks that the certificate is within its validity period. If all the information matches, the server accepts the newsreader as authenticated.
  8. The newsreader generates a session key and encrypts it using the server's public key.
  9. The newsreader sends the encrypted session key to the server.
  10. The server receives the session key and decrypts it using the server's private key.
  11. The newsreader and the server use the session key to encrypt and decrypt the data they send and receive.
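Both procedures above, the server authentication under Server Certificates and the user authentication just described, worked as an added example. This is not part of the original documentation and not News Server or Novell Certificate Server code; it is a constructed demo PKI written in Go with only the standard library. It mints a root CA, a server certificate for the assumed host name news.example.com and a user certificate for an assumed user alice. verifyChain is the trust check of server steps 3-4 and user steps 6-7 (issuing CA trusted, validity period, the expected key usage and, for the server, the host name the client actually dialled). The session-key transport of server steps 5-7 uses RSA-OAEP padding rather than the PKCS#1 v1.5 padding SSL of that era used. signChallenge and verifyChallenge show user step 5 as a proof of possession: the newsreader signs a server-chosen nonce and the server verifies it with the public key inside the certificate. All names, the key sizes and the nonce are assumptions of the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints a certificate for cn with the given key usages, signed by parent (self-signed
// when parent is nil). This is a constructed demo PKI, not News Server code.
func issue(cn string, dns []string, ku x509.KeyUsage, eku []x509.ExtKeyUsage,
	parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, ExtKeyUsage: eku, BasicConstraintsValid: true,
		IsCA: ku&x509.KeyUsageCertSign != 0,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// verifyChain is the trust check both sides make (server steps 3-4, user steps 6-7): chain to
// a trusted CA, valid now, expected extended key usage, and, when host is non-empty, a name
// matching the host the client actually dialled.
func verifyChain(cert *x509.Certificate, trusted *x509.CertPool, host string, eku x509.ExtKeyUsage) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

// signChallenge and verifyChallenge are user step 5 as a proof of possession: the newsreader
// signs a nonce the server chose; the server verifies it with the public key inside the
// certificate. A copied certificate without its private key cannot pass this step.
func signChallenge(key *rsa.PrivateKey, challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	must(err)
	return sig
}

func verifyChallenge(cert *x509.Certificate, challenge, sig []byte) error {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("user certificate does not carry an RSA key")
	}
	h := sha256.Sum256(challenge)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

const leafUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment

func main() {
	ca, caKey := issue("Example Root CA", nil, x509.KeyUsageCertSign, nil, nil, nil)
	server, serverKey := issue("news.example.com", []string{"news.example.com"}, leafUsage,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ca, caKey)
	user, userKey := issue("alice", nil, leafUsage, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ca, caKey)
	trusted := x509.NewCertPool() // the CAs this side has chosen to trust
	trusted.AddCert(ca)
	fmt.Println("server, right host:", verifyChain(server, trusted, "news.example.com", x509.ExtKeyUsageServerAuth))
	fmt.Println("server, wrong host:", verifyChain(server, trusted, "other.example.com", x509.ExtKeyUsageServerAuth))
	// Server steps 5-7: the client wraps a fresh session key to the server's public key
	// (RSA-OAEP here; SSL of that era used PKCS#1 v1.5); only the private key unwraps it.
	sessionKey := make([]byte, 32)
	_, err := rand.Read(sessionKey)
	must(err)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, server.PublicKey.(*rsa.PublicKey), sessionKey, nil) // demo certs are RSA
	must(err)
	got, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverKey, wrapped, nil)
	fmt.Println("session key round trip:", err == nil && string(got) == string(sessionKey))
	challenge := make([]byte, 32) // server-chosen nonce, fresh for every connection
	_, err = rand.Read(challenge)
	must(err)
	fmt.Println("user, trusted CA:", verifyChain(user, trusted, "", x509.ExtKeyUsageClientAuth))
	fmt.Println("user, own key:", verifyChallenge(user, challenge, signChallenge(userKey, challenge)))
	fmt.Println("user, wrong key:", verifyChallenge(user, challenge, signChallenge(serverKey, challenge)))
}
```

Run it with go run: the right-host, trusted-CA and own-key checks print <nil>, while the wrong-host and wrong-key checks print an error, which is the difference between a certificate that merely exists and one that matches the party you are actually talking to. One caveat the procedures above do not mention: RSA key transport has no forward secrecy. Anyone who later obtains the server's private key can recover every session key that was ever wrapped to it, and with it the recorded traffic, which is why later TLS versions replaced this step with an ephemeral Diffie-Hellman exchange.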

If you require authentication by user certificates, be aware of the following:


