That is certainly supported but you are right — revocation of certificates would have to involve the third party certificate authority if you chose not to self sign. I think use of a third party is only interesting in this scenario when it is valuable for the two parties to have some external verification of who each other is, such as Verisign checking that a company actually exists before supplying a certificate. In my example, using the certificates simply to distinguish between clients wouldn’t seem to require a third party.

An alternate scenario might be to use a public CA for the server’s certificate and self signed certificates for the clients because the client wants independent verification of the server but the server doesn’t need independent verification of the clients.

Applied CBDC Research @ the Federal Reserve — fmr, MIT / Podcaster / Runner / Helicopter Pilot

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store