Certificates and Authentication 244 Managing Servers with Netscape Console • December 2001

As shown in the next section, one of the advantages of certificate-based authentication is that it can be used to replace the first three steps in Figure B-4 with a mechanism that allows the user to supply just one password (which is not sent across the network) and allows the administrator to control user authentication centrally.

Certificate-Based Authentication

Figure B-5 shows how client authentication works using certificates and the SSL protocol. To authenticate a user to a server, a client digitally signs a randomly generated piece of data and sends both the certificate and the signed data across the network. For the purposes of this discussion, the digital signature associated with some data can be thought of as evidence provided by the client to the server. The server authenticates the user's identity on the strength of this evidence.

Like Figure B-4, Figure B-5 assumes that the user has already decided to trust the server and has requested a resource, and that the server has requested client authentication in the process of evaluating whether to grant access to the requested resource.

Figure B-5 Using a Certificate to Authenticate a Client to a Server

Unlike the process shown in Figure B-4, the process shown in Figure B-5 requires the use of SSL. Figure B-5 also assumes that the client has a valid certificate that can be used to identify the client to the server. Certificate-based authentication is generally considered preferable to password-based authentication because it is based on what the user has (the private key) as well as what the user knows (the password that protects the private key). However, it's important to note that these
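The challenge-response exchange described above, reduced to its cryptographic core as an added example (this is illustrative code written for this page, not code from Netscape Console or from the SSL implementation the document refers to). The server issues random data, the client signs it with the private key that matches its certificate, and the server verifies that signature with the public key carried in the certificate. The self-signed certificate, the subject name "alice" and the 32-byte challenge size are assumptions made for the demo; in a real deployment the certificate would be issued by a CA the server trusts and the exchange would run inside the SSL handshake.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ClientCredential is "what the user has": the certificate plus the private key
// that corresponds to the public key inside that certificate.
type ClientCredential struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

// newSelfSignedCredential builds a throwaway self-signed client certificate for
// the demo (assumption: a real client would hold a CA-issued certificate).
func newSelfSignedCredential(cn string) (*ClientCredential, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ClientCredential{Cert: cert, Key: key}, nil
}

// ServerChallenge is the "randomly generated piece of data" the server hands the
// client. Fresh randomness per session is what stops an old signature from being
// presented again later.
func ServerChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// ClientSign produces the evidence: a signature over the challenge made with the
// private key. The key itself never leaves the client.
func ClientSign(cred *ClientCredential, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, cred.Key, crypto.SHA256, digest[:])
}

// ServerVerify checks the evidence against the certificate the client presented:
// the certificate must be within its validity period, and its public key must
// verify the signature over exactly the challenge this server issued. On success
// the authenticated identity is the certificate's subject name.
func ServerVerify(cert *x509.Certificate, challenge, sig []byte) (string, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", errors.New("unsupported public key type in certificate")
	}
	now := time.Now()
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return "", errors.New("certificate is outside its validity period")
	}
	digest := sha256.Sum256(challenge)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("evidence rejected: %w", err)
	}
	return cert.Subject.CommonName, nil
}

func main() {
	cred, _ := newSelfSignedCredential("alice")
	challenge, _ := ServerChallenge()
	sig, _ := ClientSign(cred, challenge)
	who, err := ServerVerify(cred.Cert, challenge, sig)
	fmt.Println("authenticated as:", who, "err:", err)
}
```

Two properties of this exchange are worth noting from the server side: the signature is only meaningful for the challenge the server itself generated, so evidence captured from one session does not verify in another; and verification here only proves possession of the key matching the presented certificate. Deciding whether that certificate should be trusted at all (chain to a trusted CA, revocation status) is a separate check that a real server performs before or alongside the signature check.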