TL;DR
No, a client with an ECC certificate generally cannot establish a mutual TLS (mTLS) connection directly with a server using only an RSA certificate. This is because of differences in the cryptographic algorithms and key exchange processes used by each.
Why it Doesn’t Work
Mutual TLS relies on both client and server verifying each other’s certificates. The problem arises during the handshake process, specifically when negotiating a shared secret for encryption. ECC (Elliptic Curve Cryptography) and RSA (Rivest–Shamir–Adleman) use different mathematical approaches to this key exchange.
Steps to Enable mTLS (with adjustments)
- Understand the Core Issue: The server needs to support ECC certificates if it expects clients to present them. An RSA-only server can’t process an ECC certificate for validation.
- Server Configuration Change – Add ECC Support: You must configure your server (e.g., Apache, Nginx, OpenSSL) to accept and validate ECC certificates alongside RSA ones. The exact method depends on your server software.
- Apache Example: In your virtual host configuration file, ensure you have the following directive:
SSLCertificateChainFile /path/to/your/ecc_chain.pem
- Nginx Example: In your server block, include:
ssl_certificate /path/to/your/server.crt; # Includes both RSA and ECC certs
ssl_certificate_key /path/to/your/server.key; # RSA key only
- Certificate Bundling: Combine your server’s RSA certificate and any intermediate certificates with the ECC root certificate into a single file (e.g., `combined_certs.pem`). This allows the client to trust the chain of trust for both types of certificates.
cat rsa_cert.pem intermediate.pem ecc_root.pem > combined_certs.pem
- Client Configuration: Configure your client (e.g., curl, application code) to present its ECC certificate and trust the `combined_certs.pem` file.
- curl Example:
curl --cert client.crt --key client.key --cacert combined_certs.pem https://yourserver.com
- Verify the Connection: Use a tool like `openssl s_client` to check the negotiated cipher suite and verify that both certificates are being presented and validated.
openssl s_client -connect yourserver.com:443 -cert client.crt -key client.key -CAfile combined_certs.pem
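The end state the steps above configure, as an added example that is not part of the original answer: Go's standard crypto/tls library runs the mutual handshake in memory, with the server holding an RSA certificate and requiring a client certificate, the client holding an ECC (P-256) certificate, and each side's trust pool holding only the other's certificate (the in-code equivalent of the `combined_certs.pem` / CA-file step). Self-signed certificates generated at runtime stand in for the PEM files, and TLS 1.2 is pinned on the server so the negotiated suite name shows the ECDHE key exchange; both are assumptions of this demo, not the page's setup.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a constructed in-memory self-signed certificate for a key pair plus a
// trust pool holding it; together they stand in for the PEM files in the steps above.
func selfSigned(pub, priv any) (tls.Certificate, *x509.CertPool) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // re-parsing DER we just produced cannot fail
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the other side's trust anchor (the --cacert / CA-file step)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool
}

// MutualHandshake runs mTLS in memory (RSA server cert; required and verified ECDSA P-256
// client cert) and returns what the openssl s_client step shows: suite and each peer's key type.
func MutualHandshake() (suite string, serverKey, clientKey x509.PublicKeyAlgorithm, err error) {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvCert, srvPool := selfSigned(&rsaKey.PublicKey, rsaKey) // RSA server certificate
	cliCert, cliPool := selfSigned(&ecKey.PublicKey, ecKey)   // ECC client certificate
	c1, c2 := net.Pipe()
	srv := tls.Server(c1, &tls.Config{Certificates: []tls.Certificate{srvCert}, ClientCAs: cliPool,
		ClientAuth: tls.RequireAndVerifyClientCert, MaxVersion: tls.VersionTLS12, // pin 1.2: suite name shows ECDHE_RSA
		SessionTicketsDisabled: true}) // no post-handshake writes on the synchronous pipe
	cli := tls.Client(c2, &tls.Config{Certificates: []tls.Certificate{cliCert}, RootCAs: srvPool, ServerName: "localhost"})
	errc := make(chan error, 1)
	go func() { errc <- srv.Handshake() }()
	if err = errors.Join(cli.Handshake(), <-errc); err != nil {
		return
	}
	cs, ss := cli.ConnectionState(), srv.ConnectionState()
	return tls.CipherSuiteName(cs.CipherSuite), cs.PeerCertificates[0].PublicKeyAlgorithm, ss.PeerCertificates[0].PublicKeyAlgorithm, nil
}
```

The returned suite is an `TLS_ECDHE_RSA_*` name, chosen from the server's RSA key, while the server-side peer certificate reports `ECDSA`, which is exactly what the `openssl s_client` check above is meant to confirm by eye.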
Important Considerations
- Cipher Suite Support: Ensure both the client and server support common cipher suites that work with both ECC and RSA.
- Key Exchange Algorithms: The server must be configured to allow key exchange algorithms compatible with ECC (e.g., ECDHE).
- Certificate Authority (CA): Both certificates should ideally be issued by a trusted CA, or you’ll need to configure trust explicitly on both sides.