
Manage Application Certificates

Obtain certificates for applications at the Software Statements (Application) level. Use transport certificates for TLS handshakes with other organisations' servers. Authenticate client applications using the OAuth mTLS-based or the OAuth private_key_jwt client authentication methods. Encrypt messages.


Obtain Client Certificate

  1. Select Applications and an application of your choice.

  2. Select App Certificates > New Certificate.

  3. Select the certificate Type and continue.


    warning

    If you are using the Raidiam Connect Sandbox environment, you may sometimes see other types of client-related certificates. Usually, those types will be equivalents of the above certificates but localized and adjusted to the requirements of a given open data ecosystem.

    If your organisation is part of such an open data initiative and you see your ecosystem's certificate types on the list, select from those, not the generic ones.

  4. Execute the provided command in your terminal to generate a Certificate Signing Request (CSR) and continue.

    The CSR is generated within the same directory where you executed the command.

    Along with the CSR, an additional file is created containing the client's public and private keys.

  5. Upload the generated CSR/PEM file, then select Continue and Done.

    The uploaded request for a certificate is validated by Connect's Public Key Infrastructure. Upon successful validation, the request is passed to the platform's Public Key Infrastructure (CA).

    The CA creates the certificate including the organization's public key, subject information, issuer information, validity period, and more. Then, the CA signs the certificate using its private key.

Available Application Certificate Types

Transport Application Certificate

Essential for securing the mTLS channel for API communications from the client side. It assures that the exchange between the server and client applications is encrypted and mutually authenticated.

Signing Application Certificate

This certificate serves two primary functions. It enables secure application authentication using the OAuth private_key_jwt client authentication method, thus verifying the client's identity.

Additionally, it allows for the signing of message payloads, ensuring the non-repudiation of client-issued payloads.

Encryption Application Certificate

Employed for the encryption of message contents using JSON Web Encryption (JWE, RFC 7516), ensuring confidentiality of messages sent by clients.

Download Client Certificate

  1. Select Applications and an application of your choice.

  2. Select App > Certificates.

  3. Select the three dots button under the Actions column next to the certificate and download the certificate.

  4. Add the certificate to your client's configuration to use it for transport, signing, or encryption.
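
Before adding the downloaded certificate to the client's configuration, it is worth confirming that it carries the same public key as the private key and CSR generated when the certificate was requested. The script below is an added example, not Raidiam's own tooling; it assumes OpenSSL is installed, and the file names and the self-signed demo certificate (standing in for the downloaded one) are constructed.

```shell
#!/bin/sh
# Added example: confirm key, CSR and certificate share one public key.

# Print the SHA-256 digest of the public key in a PEM file.
# $1 = kind (key|csr|cert), $2 = path. Fails if the file cannot be parsed.
pubkey_digest() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if all three files carry the same public key and the
# certificate has not expired. $1 = private key, $2 = CSR, $3 = certificate.
cert_matches_key() {
    k=$(pubkey_digest key "$1") || return 1
    r=$(pubkey_digest csr "$2") || return 1
    c=$(pubkey_digest cert "$3") || return 1
    [ "$k" = "$r" ] && [ "$k" = "$c" ] || return 1
    openssl x509 -in "$3" -noout -checkend 0 >/dev/null 2>&1
}

# Constructed demo input: a throwaway key, its CSR, a self-signed certificate
# standing in for the downloaded one, and an unrelated second key.
make_demo() {
    d=$(mktemp -d) || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/client.csr" -signkey "$d/client.key" \
        -days 1 -out "$d/client.pem" 2>/dev/null || return 1
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null || return 1
    echo "$d"
}

# With three arguments, check real files; otherwise run on the demo input.
if [ "$#" -eq 3 ]; then
    cert_matches_key "$1" "$2" "$3" && echo "OK: certificate matches key and CSR" \
        || { echo "FAIL: mismatch, unreadable file or expired certificate" >&2; exit 1; }
else
    dir=$(make_demo) && cert_matches_key "$dir/client.key" "$dir/client.csr" \
        "$dir/client.pem" && echo "demo: certificate matches key and CSR"
    rm -rf "$dir"
fi
```

Run it with the private key file, the CSR and the downloaded certificate as its three arguments; a non-zero exit means the certificate should not be configured with that key.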

Revoke Certificates

danger

Revoking a certificate is a permanent action.

If you are revoking a client transport certificate, all servers which check the client's certificate will deny the connection due to the inability to establish a secure connection.

  1. Select Applications and an application of your choice.

  2. Select App > Certificates.

  3. Select the three dots button under the Actions column next to the certificate and select Revoke Certificate.

  4. Provide the reason for the certificate revocation if possible.

  5. Select Revoke.

Manage Client Certificates Using APIs

Raidiam Connect allows organisations to integrate with the following APIs for Client Certificate Management: