Certificates
Obtain digital certificates to establish secure communications over the Internet. Utilize one trusted Certificate Authority for all federation participants or enable organizations to bring their own certificates.
Raidiam Connect Certificate Authority and Registration Authority, parts of the Public Key Infrastructure, enable organizations to obtain and utilize digital certificates ensuring the data transferred between parties remains confidential and tamper-proof.
A certificate is a digital document usually containing the following information:
- Subject: The entity the certificate represents.
- Validity Period: The timeframe during which the certificate is considered valid.
Certificates obtained by Data Providers and Data Receivers can be used by their technical resources (applications, services, authorization servers, and more) in order to:
- Verify Identity: Certificates confirm the identity of the entity presenting the certificate, whether it's a person, a server, or an application. This verification helps prevent impersonation and man-in-the-middle attacks.
- Establish Trust: Since CAs are trusted entities, a certificate issued by a CA serves as a vouch for the certificate holder's authenticity and accreditation.
In practical terms, certificates are used mostly for:
- mTLS Handshake (RFC 5246): In mutual TLS (mTLS) authentication, both the client and the server authenticate each other using their respective certificates. During the handshake process, the server presents its certificate to the client, which verifies it against Raidiam's Certificate Validation Service. Similarly, the client presents its certificate to the server for verification. This mutual authentication ensures that both parties are trustworthy and authorized to communicate.
- TLS-based OAuth Client Authentication (RFC 8705): In this scenario, a client application uses its certificate to authenticate itself to the OAuth authorization server. When the client presents its token request, it also presents its certificate. In addition to the Validations required to establish the mTLS handshake, the Server verifies if the certificate has the Values of the Certificate Distinguished Name against a reference value provided during the Client Registration. If the values on the subject match, the server can trust that the client is who it claims to be and proceed to grant an access token.
- Certificate Bound Access Tokens (RFC 8705) : During token request, the authorization server binds the certificate with the issued token, such as embedding on the token the certificate hash. When accessing resources, the token's ownership is ensured by matching it with the expected certificate. Certificate Bound Access Tokens enhance security by providing strong authentication and mitigating token theft.
In Raidiam Connect, certificates are issued at two levels: Organisation and Application (Software Statement).
Organisation-Level Certificates: These certificates can be used by any application or server within the organisation. For instance, multiple applications or servers can share the same organisation-level certificate. This can be beneficial for reducing costs when an organisation is charged for using externally-issued certificates.
Application-Level Certificates: Also known as Software Statement certificates, these are specific to the application for which they are issued. Each application-level certificate is unique to a single application and cannot be shared with others.
In Raidiam Connect, certificates are issued to Data Providers and Data Receivers technical resources after an organization submits a Certificate Signing Request (CSR) to the federation's Registration Authority (RA). The registration authority is responsible for validating whether an organization fulfils all the requirements for the certificate to be issued before passing the request to the Certificate Authority (CA).
- An organization creates a CSR including the organization's Public Key and the organization's identifying information within the subject field
- For example, the information may include the organization's name, domain, country, and more.
- The organization sends the CSR to the Raidiam's RA which validates the request and passes it to CA if validation is successful
- The organization can provide Raidiam's RA with the CSR using APIs or manually using the UI.
- The CA creates the certificate including the organization's public key, subject information, issuer information, validity period, and more.
- The CA signs the certificate using its private key.
- The certificate is encoded in the DER (binary) format and stored by the CA.
- The DER-encoded certificate is converted to the PEM format.
- This involves base64Url encoding the binary data which converts it into an ASCII text and adding the delimiters.
- The certificate in the PEM format is returned to the RA and the RA passes it to the requesting organization.
A Certificate Signing Request (CSR) is a block of encoded text that a Trust Framework Participant sends to Registration Authority (RA) to apply for a digital certificate. It contains the information the RA and Certificate Authority (CA) need to create and sign a certificate:
- Identity: CSR includes information that helps the CA verify the identity of the entity requesting the certificate.
- Public Key Submission: It contains the organisation's public key that will be included in the certificate. The corresponding private key is kept secret by the requester.
- Data for Certificate: The CSR includes other information that will be used in the certificate, such as the common name (e.g., domain name), organization, locality, and country.
Raidiam Connect accepts CSRs in the .csr or .pem format.
Once the CSR is provided to Raidiam's RA, it validates its contents. If validation is successfull, the RA passes the request to the CA which signs the certificate with its private key, creating a digital certificate that links the organisation's identity with its public key.
The signed certificate is sent back to the requester. This certificate can now be installed on servers or used in applications to enable secure communication.
Raidiam Connect uses the two following formats for certificates:
Format | Extensions | Description |
.pem, .crt, .cer, .key | ASCII (text) format, enclosed between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. | |
.der, .cer | Binary format, not human-readable. Less susceptible to encoding errors. Used for storing the certificate. |