Receiver HTTP(S) Adapter - Client Certificate Authentication - correct certificate handling?

former_member285279

Hello Colleagues,

I need to clarify the correct certificate handling for a Receiver HTTPS connection with client authentication.

E.g. for a (Receiver) HTTP_AEE Adapter under Security and Authentication --> Specify Client Certificate you have to configure "Keystore View" and "Keystore Entry". So far it's clear.

But what about the certificate for the client authentication?

Do I have to create in the respective Key Store View an own key pair (private and public key), forward the certificate signing request (CSR) to the receiver to be signed by the receiver's CA, and finally import the signed request into my key pair?

or

the other way around: do I have to import the public key from the receiver into my key store view?

Many thanks in advance!

Regards,

Jochen

Accepted Solutions (1)

Former Member

Hi Jochen,

You can have any CA you agree on sign your CSR. The CSR does not contain the private key, so your first option above would work. It just doesn't necessarily have to be the receiving system's CA. If you want a different CA, your partner will need to agree to trust it.

Your second option of importing only the public key will not work. You need more than the public key to use it for client authentication. The partner would need to send you a p12 file (or similar) which contains both the private and public key. Of course, sharing private keys can be a security risk.

You can also use your server cert for client authentication. The receiving system then sees your server cert when they request the certificate during the client auth step, e.g. CN=myserver.example.com.

Thanks,

-Russ

former_member285279

Hi Russ,

many thanks for the detailed answer!

I learned that I need to have a key pair (p12: private and public key) and that the public key alone is not enough.

And I have three possible options:

1. I create my own key pair under the Key Storage view

2. I take my server key pair

3. I get a key pair from the receiver

For all three possible scenarios I have to ensure the receiver is able to validate the received public key via the CA certification path.


If I am not able to provide a suitable CA certification path (root CA + intermediate CA), because the interface goes outside and we don't have a respective CA certificate (e.g. VeriSign; only self-signed), is it a possible solution (for test purposes) to hand over my public key to the receiver?


Which option is preferable?


I would prefer the first option because it is independent of the server key pair and we don't need to exchange a key pair (private and public key) with the receiver (outside).


Many thanks in advance!


Regards,


Jochen

Former Member

Hi Jochen,

Self-signed certs (option 1) should work, but that's something you will need to agree on with the partner. Some companies may have policies against them. Either way, I would send them your public cert (and CA certs if you are using them). Most systems need it to set up access (or at least the DN pattern). Just don't send them your private key (p12).

Thanks,

-Russ

former_member285279

Hi Russ,

many thanks again for this helpful information!

Now all my questions are answered.

Here what I did:

I created in NWA under Certificates and Keys: Key Storage an own CLIENT view for the key pair (private and public key). Next I created the key and forwarded the certificate signing request (CSR) to VeriSign for signing. Finally I imported the signed CSR.

With the certificate chain (root and intermediate certificate) the receiver is able to validate the client certificate.

Of course, never hand out your private key!

Regards,

Jochen
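The procedure Jochen describes above (own key pair, CSR sent to the CA, signed certificate imported back next to the private key, chain for the receiver to validate) and the points in Russ's accepted answer (a CSR carries no private key, a .p12 carries both, a self-signed cert only works once the partner has imported it), replayed with openssl as an added example. This is not code from the thread or from SAP: the CA names, hostnames, organisation and scratch directory are made up, and a local two-tier CA stands in for the partner's CA or VeriSign. In PI the key-pair and import steps happen in the NWA Key Storage view; openssl is used here so the result of each step can be checked on the command line.

```shell
#!/bin/sh
# Added example, not from the thread or from SAP. All names below are made up;
# $WORK is a scratch directory standing in for the NWA Key Storage view, and
# the local root + intermediate CA stands in for the partner's CA / VeriSign.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Extension profiles: CA profile for root/intermediate, client profile that
# limits the certificate to TLS client authentication (no keyUsage, so the
# same profile also works for a self-signed test certificate).
write_profiles() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
}

# Key pair plus CSR. Only the CSR leaves the machine: it carries the public key
# and the subject DN, never the private key.
new_key_and_csr() {   # $1 = file stem, $2 = subject DN
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Two-tier CA standing in for the receiver's CA.
make_ca() {
  new_key_and_csr root "/CN=Example Root CA"
  openssl x509 -req -sha256 -days 30 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  new_key_and_csr int "/CN=Example Intermediate CA"
  openssl x509 -req -sha256 -days 30 -in "$WORK/int.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null
}

# Option 1 from the thread: own key pair, CSR to the CA, signed cert imported
# back next to the private key (here: bundled into a .p12 with the chain).
make_client_cert() {
  new_key_and_csr client "/CN=pi-client.example.com/O=Example GmbH"
  openssl x509 -req -sha256 -days 30 -in "$WORK/client.csr" \
    -CA "$WORK/int.crt" -CAkey "$WORK/int.key" -CAcreateserial \
    -extfile "$WORK/client.ext" -out "$WORK/client.crt" 2>/dev/null
  cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/chain.crt"
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
    -certfile "$WORK/chain.crt" -passout pass:changeit -out "$WORK/client.p12"
}

# Test-scenario variant from the thread: self-signed, no CA path at all.
make_selfsigned_client() {
  new_key_and_csr self "/CN=pi-client-test.example.com"
  openssl x509 -req -sha256 -days 30 -in "$WORK/self.csr" -signkey "$WORK/self.key" \
    -extfile "$WORK/client.ext" -out "$WORK/self.crt" 2>/dev/null
}

# The receiver's check during the TLS client-auth step: does the presented
# certificate chain up to something in its trust store? Prints OK or FAIL.
verify_as_receiver() {   # $1 = receiver's trusted CA file, $2 = presented cert
  if openssl verify -purpose sslclient -CAfile "$1" -untrusted "$WORK/int.crt" "$2" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# Number of private keys in a PEM file: 0 for a CSR or .crt, 1 for the .p12.
count_private_keys() {   # $1 = PEM file
  grep -c 'BEGIN.*PRIVATE KEY' "$1" || true
}
count_private_keys_in_p12() {
  openssl pkcs12 -in "$WORK/client.p12" -passin pass:changeit -nodes 2>/dev/null \
    | grep -c 'BEGIN.*PRIVATE KEY' || true
}

# Sanity check after "importing the signed CSR": the certificate's public key
# must belong to our private key, otherwise the handshake fails. Prints yes/no.
cert_matches_key() {
  a=$(openssl x509 -in "$WORK/client.crt" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  b=$(openssl pkey -in "$WORK/client.key" -pubout -outform DER | openssl dgst -sha256)
  if [ "$a" = "$b" ]; then echo yes; else echo no; fi
}

write_profiles
make_ca
make_client_cert
make_selfsigned_client

echo "CA-signed cert, receiver trusts root:   $(verify_as_receiver "$WORK/root.crt" "$WORK/client.crt")"
echo "self-signed cert, receiver trusts root: $(verify_as_receiver "$WORK/root.crt" "$WORK/self.crt")"
echo "self-signed cert, receiver imported it: $(verify_as_receiver "$WORK/self.crt" "$WORK/self.crt")"
echo "private keys in CSR / .crt / .p12:      $(count_private_keys "$WORK/client.csr") / $(count_private_keys "$WORK/client.crt") / $(count_private_keys_in_p12)"
echo "cert belongs to our private key:        $(cert_matches_key)"
```

Run it with `sh` on any machine with openssl (1.1.1 or 3.x). What goes to the partner is `client.crt` plus `chain.crt` (or just `self.crt` in the self-signed test case); `client.key` and `client.p12` stay in the keystore, which is exactly the "never hand out your private key" point above. The second verification line shows why a self-signed certificate fails against a partner that only trusts public CAs, and the third shows it passing once the partner has imported that public certificate into its own trust store.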
