I'm writing a client/server program to control a machine (server) from a client program and want to authenticate the client machine to know it's trusted. I could have many clients, so I thought about using OpenSSL to encrypt a socket and generate a unique certificate/key pair for authentication. This pair would be copied during setup time with scp to each server/client. The server program, when the SSL connection is established, will ask for the client's certificate and verify it against the key (actually private key). So if they both match, the connection continues; if not, it's dropped.
Some things to consider:
- I cannot use a CA to authenticate certificates; it will be self-signed, because the machines will not even have internet access and I don't want to over-complicate the installation if possible.
- The certificate/key will only be readable by valid users on the Linux machines (client and server), and disks will be encrypted.
It seems to work so far, but I have some questions as I'm just starting with this OpenSSL thing.
My questions are:
- Is it bad practice to copy the certificate/private key to all nodes?
- Could someone see some point of failure in the authentication process or certificate storage that could weaken the idea?
I've read posts like Peer to Peer linux authentication in C, but they didn't help.
The way I'm doing it now in the server is the following:
- SSL_CTX_use_certificate(ctx, client_cert) <-certificate given by client
- SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_PEM) <-key stored in the server
- SSL_CTX_check_private_key(ctx) <-check both
So if SSL_CTX_check_private_key(ctx) returns 0, it is because the private key and certificate don't match and the client was not authorized, so I drop the connection.
I'd really appreciate your opinion about this. If more code is needed I will paste it here, but I think the idea could be followed.