Originally posted by Rajan Chinna:
Don't you think your client CL should also get a certificate from Verisign?
I think you can contact Verisign and get digital certificates to set up a secured server.
A client certificate is required only if client authentication is enabled, which means that clients need to be authenticated.
In most cases, server authentication is enough. You trust the server you talk to. Use PKI to exchange a shared key to encrypt messages. Trust of the server is achieved by the browser being pre-installed with certificate chains of CAs like Baltimore, Verisign and so on. So when the server gives you a cert (containing its public key), you are sure that it can be trusted. You use that public key of the server to send a secret key for asymmetric encryption from then onwards.
Client auth is an expensive proposition. You need to purchase a client certificate for all your clients. In a true Internet scenario it's most unlikely. In a B2B scenario, e.g. suppliers connecting to companies via a portal, this can be done. Again, you can also use a userid-password mechanism to trust.
Hope the confusion is resolved.
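The two handshake styles discussed in this thread (server authentication only versus client authentication enabled), as an added example that is not part of the original posts. It mints two throw-away self-signed certificates with the openssl CLI (assumed to be installed) and runs four TLS handshakes over loopback with Python's ssl module: the client accepts the server only when the server's certificate is in the client's trust store (the role the browser's pre-installed CA bundle plays), and a server configured to require client certificates rejects a client that brings none.

```python
import os, socket, ssl, subprocess, tempfile, threading

socket.setdefaulttimeout(5)  # no socket in this demo may hang the process

def make_self_signed(tmpdir, name):
    """Throw-away self-signed cert via the openssl CLI (constructed; a real site gets its cert from a CA)."""
    key, crt = os.path.join(tmpdir, name + ".key"), os.path.join(tmpdir, name + ".crt")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=" + name, "-addext", "subjectAltName=DNS:" + name,
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    return key, crt

def tls_handshake(server_key, server_crt, client_trust, client_ca=None, client_key=None, client_crt=None):
    """One TLS handshake over loopback; True only if BOTH sides accept it. client_trust = client's CA bundle."""
    srv = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)  # verify_mode defaults to CERT_NONE
    srv.load_cert_chain(server_crt, server_key)
    if client_ca:  # "client authentication is enabled": demand a client cert chaining to client_ca
        srv.verify_mode = ssl.CERT_REQUIRED
        srv.load_verify_locations(client_ca)
    cli = ssl.create_default_context(cafile=client_trust)  # verifies the chain AND the hostname
    if client_crt:
        cli.load_cert_chain(client_crt, client_key)
    outcome = {}
    def serve(lsock):
        try:
            with srv.wrap_socket(lsock.accept()[0], server_side=True) as s:  # handshake runs here
                s.recv(1)
            outcome["server"] = True
        except OSError:  # ssl.SSLError is an OSError; covers rejected certs and resets
            outcome["server"] = False
    with socket.create_server(("127.0.0.1", 0)) as lsock:
        t = threading.Thread(target=serve, args=(lsock,))
        t.start()
        try:
            with cli.wrap_socket(socket.create_connection(lsock.getsockname()),
                                 server_hostname="server") as c:  # name the server cert must carry
                c.sendall(b"x")
            client_ok = True
        except OSError:
            client_ok = False
        t.join()
    return client_ok and outcome.get("server", False)

def demo():
    """(server auth only, server cert not trusted, client cert demanded but none sent, mutual TLS)."""
    with tempfile.TemporaryDirectory() as d:
        (sk, sc), (ck, cc) = make_self_signed(d, "server"), make_self_signed(d, "client")
        return (tls_handshake(sk, sc, sc), tls_handshake(sk, sc, cc),
                tls_handshake(sk, sc, sc, client_ca=cc), tls_handshake(sk, sc, sc, cc, ck, cc))
```

demo() returns (True, False, False, True): only the server-authenticated and the fully mutual handshakes succeed.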