Manage Certificates for Application
Obtain certificates for an application at the Software Statement level. Use transport certificates for TLS handshakes with other organisations' servers, authenticate client applications with the OAuth mTLS or OAuth private_key_jwt client authentication methods, and encrypt messages.
- Prerequisite: an access token with write access and the directory:website scope, if you want to obtain or manage organisation-level certificates using Connect's APIs.
To create a certificate for an application:
1. Select Applications and an application of your choice.
2. Select App Certificates > New Certificate.
3. Select the certificate type and continue.
   - Transport: essential for securing the mTLS channel for API communications from the client side. It ensures that the exchange between the server and client applications is encrypted and mutually authenticated.
   - Signing: this certificate serves two primary functions. It enables secure application authentication using the OAuth private_key_jwt client authentication method, thus verifying the client's identity. Additionally, it allows the signing of message payloads, ensuring non-repudiation of client-issued payloads.
   - Encryption: used to encrypt message contents with JSON Web Encryption (JWE, RFC 7516), ensuring the confidentiality of messages sent by clients.
   If you are using the Raidiam Connect Sandbox environment, you may sometimes see other types of client-related certificates. Usually, those types are equivalents of the above certificates, localized and adjusted to the requirements of a given open data ecosystem.
   If your organisation is part of such an open data initiative and you see your ecosystem's certificate types on the list, select one of those -- not the generic ones.
4. Execute the provided command in your terminal to generate a Certificate Signing Request (CSR) and continue.
   The CSR is generated in the same directory where you executed the command. Along with the CSR, an additional file is created containing the client's private key.
5. Upload the generated CSR/PEM file, select Continue, and then Done.
The uploaded certificate request is validated by Connect's Registration Authority. Upon successful validation, the request is passed to the platform's Certificate Authority (CA).
The CA creates the certificate, including the organisation's public key, subject information, issuer information, validity period, and more, and then signs the certificate using its private key.
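The following script is an added example and is not Raidiam's own tooling or the exact command Connect displays in the New Certificate flow. It shows, with plain OpenSSL, what that step produces: a private key that stays on your machine and a CSR that is the only file you upload. It also shows two checks worth running on the certificate you later download from App Certificates: that the CSR's proof-of-possession signature verifies, and that the issued certificate's public key really belongs to your private key. The subject values are placeholders, and the self-signed "stand-in" certificate exists only so the matching check can run offline; in practice the certificate comes from Connect's CA.

```shell
#!/bin/sh
# Added example (not Raidiam's own tooling): generate the private key and CSR
# that the New Certificate flow asks you to upload, using OpenSSL, then check
# the CSR and, once a certificate comes back from the CA, check that it really
# belongs to your private key. Subject values below are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_csr NAME SUBJECT
# Writes $WORKDIR/NAME.key (RSA-2048 private key, owner-only permissions) and
# $WORKDIR/NAME.csr. The key never leaves this machine; only the .csr is uploaded.
make_csr() {
  name="$1"
  subject="$2"
  ( umask 077   # key file must be readable by its owner only
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$WORKDIR/$name.key" \
      -out "$WORKDIR/$name.csr" \
      -subj "$subject" >/dev/null 2>&1 )
}

# csr_ok CSR
# Succeeds if the request parses and its self-signature (proof that the
# requester holds the private key) verifies.
csr_ok() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_subject CSR
# Prints the subject so you can compare it with what Connect shows before upload.
csr_subject() {
  openssl req -in "$1" -noout -subject
}

# key_matches_cert KEY CERT
# Succeeds only if the certificate's public key is the one derived from KEY.
# Run this on the certificate downloaded from App Certificates before wiring it
# into a client, so a mix-up between applications or certificate types is
# caught before the first failed TLS handshake or rejected JWT.
key_matches_cert() {
  from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# stand_in_cert KEY CSR OUT
# Self-signs the CSR so the check above can be exercised offline. This is NOT
# what Connect's CA issues; it only stands in for the downloaded certificate.
stand_in_cert() {
  openssl x509 -req -in "$2" -signkey "$1" -out "$3" -days 1 >/dev/null 2>&1
}

# Demo: a transport certificate request with placeholder subject values.
make_csr transport "/C=GB/O=Example Org Placeholder/CN=transport-placeholder"
csr_ok "$WORKDIR/transport.csr"
csr_subject "$WORKDIR/transport.csr"
stand_in_cert "$WORKDIR/transport.key" "$WORKDIR/transport.csr" "$WORKDIR/transport.crt"
if key_matches_cert "$WORKDIR/transport.key" "$WORKDIR/transport.crt"; then
  echo "private key and certificate match: $WORKDIR/transport.crt"
fi
```

Keep a separate key pair per certificate type (transport, signing, encryption) and per application; the `key_matches_cert` check is what tells you, after download, which key a given certificate belongs to.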
To download a certificate:
1. Select Applications and an application of your choice.
2. Select App Certificates.
3. Select the three-dots button under the Actions column next to the certificate and download the certificate.
4. Add the certificate to your client's configuration to use it for transport, signing, or encryption.
Revoking a certificate is a permanent action. If you revoke a client transport certificate, all servers that check the client's certificate will deny the connection, because a secure connection can no longer be established.
To revoke a certificate:
1. Select Applications and an application of your choice.
2. Select App Certificates.
3. Select the three-dots button under the Actions column next to the certificate and select Revoke Certificate.
4. Provide the reason for the certificate revocation, if possible.
5. Select Revoke.
Raidiam Connect allows organisations to integrate with the following APIs for Client Certificate Management:
- Create Application Certificate: you can use tools like OpenSSL or its alternatives to generate a Certificate Signing Request and upload it during the API call.