VIKKAS GUPTA:
Hello all, good morning! I have a question in lecture “TLS BASICS” (https://kodekloud.com/courses/539883/lectures/9808254). I understand that the server needs a certificate (having its public key in it) to establish trust with the client, and also that the public key in it is used to exchange the symmetric key to be used going forward. HOWEVER, why does the client need to generate a public and private key for creating a client certificate? I have a doubt because we are not using any client’s public and private key in any communication, not even for the symmetric key exchange. So a client certificate without a public key in it should be sufficient, no? @Mumshad Mannambeth Please help, thanks.

VIKKAS GUPTA:
Could anybody please help me on this? How are the client certificate and private key exactly used? @Mumshad Mannambeth

Mumshad Mannambeth:
Sure @VIKKAS GUPTA. May I know where you see a reference to a client certificate or private key?

Mumshad Mannambeth:
Is it in the video lecture you shared?

VIKKAS GUPTA:
@Mumshad Mannambeth yes, in the video we have generated a public and private key, but I am having trouble understanding how we are using it exactly.

Mumshad Mannambeth:
So in the website example, I show that public and private key pairs are created on the server to exchange the symmetric key from the client to the server. There is no public/private key pair generated on the client.

Mumshad Mannambeth:
Also I say at 16:30 that “The end user only generates a single symmetric key”

Mumshad Mannambeth:
I see right after I talk about the client certificates

VIKKAS GUPTA:
I understand that the server needs a certificate (having its public key in it) to establish trust with the client, and also that the public key in it is used to exchange the symmetric key to be used going forward. HOWEVER, why does the client need to generate a public and private key for creating a client certificate? I have a doubt because we are not using any client’s public and private key in any communication, not even for the symmetric key exchange. So a client certificate without a public key in it should be sufficient, no?

Mumshad Mannambeth:
So that’s mutual TLS, or MTLS, where both the client and the server generate their own pair of certificates.

Mumshad Mannambeth:
When you establish secure communication between 2 servers, for example, we use mutual TLS where both servers create their own pairs of certificates.

Mumshad Mannambeth:
So to answer your question, a client may generate a private/public key pair to verify his/her own identity. Let’s say to prevent hacks when a hacker gains access to a client’s username and password. A good example is an administrator using public/private key pairs to set up secure SSH to a server.

VIKKAS GUPTA:
Okay, understood. How is the client’s private and public key used exactly for authentication?