Who Generates a Top Secret SSL Client Certificate?

Article ID: 230685

Products

Top Secret

Issue/Introduction

Who generates the client certificate to be used for an SSL connection? The client side or the server side?

Environment

Release: 16.0

Component: Top Secret for z/OS

Resolution

Technically, it does not matter who generates the client certificate and gets it signed by a 3rd party certificate authority, or who dictates which 3rd party certificate authority is used.

What matters is that both sides agree to use the same certificates to connect to each other, which means each side uses the same certs for the SSL connection.

The server side is the one that usually dictates what 3rd party certificate authority is used.

The client side generates an unsigned certificate and sends it to the 3rd party certificate authority. The client side then adds the signed version to the security file and attaches it to the appropriate keyrings. The signing certificates are provided by the 3rd party certificate authority and need to be added to the security file if they have not been added previously.

The server side very often already has a copy of the 3rd party CA (certificate authority) certificates, since the server side usually chooses the 3rd party certificate authority.