An Introduction to Mutual SSL

Understand Mutual SSL and how to use it with ADP web APIs
Summary: Mutual SSL is a security process in which both the client and the server prove their identities to establish trust. Learn more about how this process works and helps to keep your communication secure.

SSL, as most people encounter it, is the technology that your web browser (or other client application) uses to authenticate the identity of the server you are communicating with and to encrypt the data transferred between the two. In truth, SSL is about more than web browsers and web servers: it can be used in a variety of scenarios, and the overall validation process remains the same. But this authentication is only one-way, because only the server is authenticated. The SSL communication process can be summed up as follows:

  1. Client (web browser, for example) requests secure data from Server.
  2. Server, seeing it is a secure request, sends certificate to client.
  3. Client verifies the server’s certificate.
  4. Client sends a session key to the server (encrypted using the server’s public key) so that the rest of the exchange is protected by a key unique to this session.
  5. Encrypted communication begins.

The above process authenticates only one side of the connection, and that is where Mutual SSL comes in. Mutual SSL allows two parties (servers or applications) to authenticate each other: each verifies the other’s certificate and validates the other’s identity, so that the integrity of both sides of the connection is maintained.


Generally speaking, the communication process for mutual SSL can be summed up as the following:

  1. Client (another server, for example) requests secure data from Server.
  2. Server, seeing it is a secure request, sends its certificate to client.
  3. Client verifies the server’s certificate.
  4. If credentials are valid, client sends its certificate to Server.
  5. Server verifies the client’s certificate.
  6. If everything is valid, encrypted communication begins.

Please note: for the sake of clarity, we still refer to the two parties in the above example as “client” and “server”. Keep in mind that mutual SSL is not limited to this configuration.

Of course, the real process is more involved, but the above is the general flow by which the parties achieve mutual SSL authentication.

ADP and Mutual SSL

The ADP Marketplace uses Mutual SSL for its protected API transactions. In this case, Mutual SSL is set up and used as follows:

  1. The client must create a private key and a CSR (certificate signing request). Both are required for SSL to work.
  2. The CSR is submitted to ADP, and signed by the ADP Certificate Authority. The ADP Marketplace trusts all active certificates signed by the CA.
  3. Communicate with the ADP Marketplace. Calling the ADP Marketplace APIs requires an access token, which is obtained over Mutual SSL. You can find more information on how to obtain and use access tokens here.
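The following is an added example and is not ADP's code or part of the ADP Marketplace documentation. It ties together the two procedures above: make_pki() walks the private-key, CSR and CA-signing steps with the openssl command-line tool (a throwaway local CA stands in for the ADP Certificate Authority), and handshake() runs the one-way and mutual flows from the earlier numbered lists over localhost with Python's standard ssl module, showing the server rejecting an anonymous client and a client whose certificate was signed by a different CA. It assumes Python 3.7 or later and an openssl binary on PATH; the file names and the "trusted" and "rogue" CAs are constructed for the demo.

```python
"""Added example (not ADP's code): build a throwaway PKI with the openssl CLI,
then run one-way and mutual TLS handshakes over localhost with Python's ssl
module. Assumes Python 3.7+ and an `openssl` binary on PATH."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOST = "127.0.0.1"


def _openssl(*args):
    """Run one openssl CLI command; raise if it fails."""
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def make_pki(workdir):
    """Create two unrelated CAs ('trusted' and 'rogue'), a server cert and a
    client cert signed by the trusted CA, and a client cert signed by the rogue
    CA. Every end-entity cert goes through the same steps a real client does:
    generate a private key, generate a CSR, have the CA sign the CSR.
    Returns {filename: path}. All names here are constructed for the demo."""
    p = lambda name: os.path.join(workdir, name)
    for ca in ("trusted", "rogue"):
        _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                 "-subj", f"/CN={ca}-ca", "-keyout", p(f"{ca}-ca.key"), "-out", p(f"{ca}-ca.pem"))
    # The server cert needs a SAN for 127.0.0.1 so the client can verify the host.
    with open(p("server.ext"), "w") as f:
        f.write("subjectAltName=IP:127.0.0.1\n")
    for name, ca in (("server", "trusted"), ("client", "trusted"), ("rogue-client", "rogue")):
        _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",          # step 1: key + CSR
                 "-subj", f"/CN={name}", "-keyout", p(f"{name}.key"), "-out", p(f"{name}.csr"))
        sign = ["x509", "-req", "-days", "1", "-in", p(f"{name}.csr"),  # step 2: CA signs CSR
                "-CA", p(f"{ca}-ca.pem"), "-CAkey", p(f"{ca}-ca.key"), "-CAcreateserial",
                "-out", p(f"{name}.pem")]
        if name == "server":
            sign += ["-extfile", p("server.ext")]
        _openssl(*sign)
    return {n: p(n) for n in os.listdir(workdir)}


def handshake(paths, require_client_cert, client_cert=None):
    """One TLS connection on localhost. The server always presents server.pem;
    with require_client_cert=True it also demands a client cert chained to
    trusted-ca.pem (mutual SSL). Returns (accepted, detail): detail is the client
    CN the server saw (None for an anonymous client) or the server-side error."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(paths["server.pem"], paths["server.key"])
    if require_client_cert:
        server_ctx.verify_mode = ssl.CERT_REQUIRED            # step 5: server verifies client
        server_ctx.load_verify_locations(paths["trusted-ca.pem"])

    client_ctx = ssl.create_default_context(cafile=paths["trusted-ca.pem"])  # step 3
    if client_cert:                                           # step 4: client presents its cert
        client_ctx.load_cert_chain(paths[f"{client_cert}.pem"], paths[f"{client_cert}.key"])

    listener = socket.socket()
    listener.bind((HOST, 0))
    listener.listen(1)
    verdict = {}

    def serve():
        conn, _ = listener.accept()
        try:
            with server_ctx.wrap_socket(conn, server_side=True) as tls:  # handshake runs here
                cert = tls.getpeercert()  # None when no client cert was requested
                verdict["cn"] = dict(rdn[0] for rdn in cert["subject"])["commonName"] if cert else None
                tls.sendall(b"ok")  # step 6: encrypted application data
        except OSError as exc:
            verdict["error"] = str(exc)

    worker = threading.Thread(target=serve)
    worker.start()
    try:
        raw = socket.create_connection(listener.getsockname())
        with client_ctx.wrap_socket(raw, server_hostname=HOST) as tls:
            tls.recv(2)  # under TLS 1.3 a rejected client only learns of it when it reads
    except OSError:
        pass  # the server-side verdict is what we report
    worker.join()
    listener.close()
    return ("cn" in verdict, verdict.get("cn", verdict.get("error")))


def demo():
    """Run the four scenarios and return {scenario: (accepted, detail)}."""
    with tempfile.TemporaryDirectory() as workdir:
        paths = make_pki(workdir)
        return {
            "one-way, anonymous client": handshake(paths, False),
            "mutual, anonymous client": handshake(paths, True),
            "mutual, rogue-CA client": handshake(paths, True, "rogue-client"),
            "mutual, trusted client": handshake(paths, True, "client"),
        }


if __name__ == "__main__":
    for scenario, (accepted, detail) in demo().items():
        print(f"{scenario:26} -> {'accepted' if accepted else 'rejected'}: {detail}")
```

Run it directly and it prints the verdict for each scenario. The decisive server-side settings are verify_mode = ssl.CERT_REQUIRED together with load_verify_locations() pointing at the signing CA; a certificate from any other CA, or no certificate at all, ends the handshake. The client side keeps the default check_hostname behaviour of create_default_context(), which is why the server certificate carries an IP subjectAltName for 127.0.0.1 rather than relying on a CommonName match.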