API响应中的数字证书

Question

I'm working on an authentication method for my NodeJS API. I'm using TLS certificates to verify the client connected to my API server. My question is: can we have a way to authenticate the response back to the client? Can we use cert for this to(server to client)?

eg: When we call an API from our client we send the certificate with the request which is authenticated and if found valid the server sends the response, can we do it vice-versa, send a certificate in response and have the client validate the certificate.

Answer 1

The whole TLS protocol and the certificates are already built around this idea that you trust the server. Ie the server during establishing of TLS connection provides a certificate that client can verify by checking if it trusts the CA that has issued the certificate.

Now while this is generally so, you can have libraries that allows to bypass this by not checking the certificate or checking but proceeding anyway, so you have to double check that is not the case. The browser does this automatically.

If you click on a green "Secure" button that is to the left in URL in Chrome eg you can click on "certificate" there and see the certificate that is provided by the server. If it's green, then it's trusted and all's good.

PS Neither the client not server sends the certificate the whole time back and forth with each request/response. They do it only once during establishing the connection that is called TLS handshake. It's relatively expensive process so you'd better keep the connection.