I have a system where two clients (A, B) ask and receive information from each other.
I am following mutual TLS. In order to make this work, I am following this procedure:
- First I create an authorization server and a CA to issue certificates
- Client and server must authenticate each other by presenting an X.509 certificate.
- Client A asks for an access token from the server in order to reach client B and get back some information
- Server hashes the client A certificate and binds it into the access token
- The client then uses the certificate that it presented to the server, together with the access token, and reaches client B, which also contains the protected resource
- Client B hashes the certificate and matches it against the hash of the certificate contained in the access token
So I have the following questions:
- How to build the authorization server?
- Must the CA be included inside the auth server, or must it be a different component?
- Does the client ask for the token during the handshake or on another call?
- Does the server hash the certificate and bind it to the token by using some keys?
- Does client B hash the certificate using some keys?
- When the client and the server exchange certificates signed by a CA, must they first generate public keys and send them to the CA so that the latter can issue the token?
- I see that during the handshake the client sends the certificate verify message in order to prove that it has the private keys. Must the server not do the same procedure?
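The binding step described in the question (hash the client certificate at the authorization server, carry the hash in the access token, recompute and compare at the resource) is what RFC 8705 calls certificate-bound access tokens, using the `cnf` claim with an `x5t#S256` thumbprint: the base64url-encoded SHA-256 of the certificate's DER encoding. The following is an added, self-contained Python example (not code from the original post) showing both sides of that flow with the standard library only. It assumes an HMAC-signed token for simplicity (a production authorization server would normally sign with an asymmetric key), and the DER byte strings and the key are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins for DER-encoded X.509 certificates. In a real deployment
# these are the exact bytes the client presented in the TLS handshake.
CLIENT_A_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-sample-client-A-cert"
OTHER_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-sample-other-cert"

# Constructed key shared by the authorization server and the resource (client B)
# for this demo. The thumbprint itself is keyless; only the token signature uses a key.
AS_SIGNING_KEY = b"constructed-demo-hmac-key"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWTs and x5t#S256 values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def cert_thumbprint(cert_der: bytes) -> str:
    """x5t#S256 = base64url(SHA-256(DER certificate)). No key is involved."""
    return b64url(hashlib.sha256(cert_der).digest())


def issue_token(cert_der: bytes, subject: str, audience: str) -> str:
    """Authorization server: bind the presented certificate into a signed token."""
    header = {"alg": "HS256", "typ": "at+jwt"}
    claims = {
        "sub": subject,
        "aud": audience,
        "exp": int(time.time()) + 300,
        "cnf": {"x5t#S256": cert_thumbprint(cert_der)},
    }
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode("utf-8"))
             for p in (header, claims)]
    signing_input = ".".join(parts).encode("ascii")
    sig = hmac.new(AS_SIGNING_KEY, signing_input, hashlib.sha256).digest()
    return ".".join(parts + [b64url(sig)])


def verify_token(token: str, presented_cert_der: bytes, audience: str) -> bool:
    """Resource (client B): check signature, audience, expiry, then the cert binding.

    The certificate used here must be the one from the *current* mTLS connection,
    so a stolen token cannot be replayed by a party holding a different certificate.
    """
    try:
        h, c, s = token.split(".")
    except ValueError:
        return False
    signing_input = f"{h}.{c}".encode("ascii")
    expected_sig = hmac.new(AS_SIGNING_KEY, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected_sig), s):
        return False  # tampered or not issued by our authorization server
    claims = json.loads(base64.urlsafe_b64decode(c + "=" * (-len(c) % 4)))
    if claims.get("aud") != audience or claims.get("exp", 0) < time.time():
        return False
    bound = claims.get("cnf", {}).get("x5t#S256", "")
    # Constant-time compare of the recomputed thumbprint against the bound one.
    return hmac.compare_digest(bound, cert_thumbprint(presented_cert_der))


if __name__ == "__main__":
    tok = issue_token(CLIENT_A_CERT_DER, "client-a", "client-b")
    print("same cert:", verify_token(tok, CLIENT_A_CERT_DER, "client-b"))
    print("other cert:", verify_token(tok, OTHER_CERT_DER, "client-b"))
```

Two points the example makes concrete: the hash that goes into `cnf` is an unkeyed SHA-256 over the DER bytes, and what protects it from being swapped is the signature over the whole token, which the resource must verify before trusting the thumbprint. The comparison at client B is only meaningful if `presented_cert_der` comes from the TLS layer of the connection carrying the request, not from a header the caller controls.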