Generating and Validating Certificates at Runtime

You are proposing doing it backwards. It doesn’t do you any good to hold a private key on the server and hand out a public certificate to be used to validate the client. Instead, you want the client to make a key pair and submit the certificate to the server to be stored. The server can then use the certificate to generate a challenge for the client to prove they hold the private key for that client.

Don’t invent your own security; it will not be secure. The system you propose is broken and insecure as you described it, as the public key is not designed for proof of identity, nor is simply sending the thumbprint a way to validate it.
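The client-generated key pair and server-issued challenge described in the reply, as an added Go example that is not the poster's code: the function names and the sample client identity are assumptions, and the standard library's ECDSA and X.509 packages stand in for whatever the real system uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// ClientEnroll runs on the client: it generates the key pair and a self-signed
// certificate, and submits only the certificate (DER); the private key stays local.
func ClientEnroll() (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "client-1"}, // constructed sample identity
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}
// ServerChallenge issues a fresh random nonce per attempt, so a captured response cannot be replayed.
func ServerChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}
// ClientRespond proves possession of the private key by signing the server's nonce.
func ClientRespond(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}
// ServerVerify checks the response against the public key in the certificate stored at enrollment.
func ServerVerify(storedCertDER, nonce, sig []byte) bool {
	cert, err := x509.ParseCertificate(storedCertDER)
	if err != nil {
		return false
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(nonce)
	return ok && ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

A real deployment would also bind the stored certificate to the account it was enrolled for and check its validity period before verifying.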
