Skip to main content

Certificates

Obtain digital certificates to establish secure communications over the Internet. Utilize one trusted Certificate Authority for all federation participants or enable organisations to bring their own certificates.

Raidiam Certificate Authority and Registration Authority, parts of the Public Key Infrastructure, enable organisations to obtain and utilize digital certificates ensuring the data transferred between parties remains confidential and tamper-proof.

A certificate is a digital document usually containing the following information:

  • Subject: The entity the certificate represents.
  • Issuer: The Certificate Authority that issued the certificate.
  • Validity Period: The timeframe during which the certificate is considered valid.
  • Public Key: The certificate holder's public key -- used for encryption or digital signatures.

Certificates obtained by Data Providers and Data Receivers can be used by their technical resources (applications, services, authorization servers, and more) in order to:

  • Verify Identity: Certificates confirm the identity of the entity presenting the certificate, whether it's a person, a server, or an application. This verification helps prevent impersonation and man-in-the-middle attacks.
  • Establish Trust: Since CAs are trusted entities, a certificate issued by a CA serves as a vouch for the certificate holder's authenticity and accreditation.

Using Certificates

In practical terms, certificates are used mostly for:

  • mTLS Handshake (RFC 5246): In mutual TLS (mTLS) authentication, both the client and the server authenticate each other using their respective certificates. During the handshake process, the server presents its certificate to the client, which verifies it against Raidiam's Certificate Validation Service. Similarly, the client presents its certificate to the server for verification. This mutual authentication ensures that both parties are trustworthy and authorized to communicate.

  • TLS-based OAuth Client Authentication (RFC 8705): In this scenario, a client application uses its certificate to authenticate itself to the OAuth authorization server. When the client presents its token request, it also presents its certificate. In addition to the Validations required to establish the mTLS handshake, the Server verifies if the certificate has the Values of the Certificate Distinguished Name against a reference value provided during the Client Registration. If the values on the subject match, the server can trust that the client is who it claims to be and proceed to grant an access token.

  • Certificate Bound Access Tokens (RFC 8705): During token request, the authorization server binds the certificate with the issued token, such as embedding on the token the certificate hash. When accessing resources, the token's ownership is ensured by matching it with the expected certificate. Certificate Bound Access Tokens enhance security by providing strong authentication and mitigating token theft.

Certificate Levels

In Raidiam Connect, certificates are issued at two levels: Organisations and Applications (Software Statement).

Organisation-Level Certificates: These certificates can be used by any application or server within the organisation. For instance, multiple applications or servers can share the same organisation-level certificate. This can be beneficial for reducing costs when an organisation is charged for using externally-issued certificates.

Application-Level Certificates: Also known as Software Statement certificates, these are specific to the application for which they are issued. Each application-level certificate is unique to a single application and cannot be shared with others.

How Certificates Are Issued

In Raidiam Connect, certificates are issued to Data Providers and Data Receivers technical resources after an organization submits a Certificate Signing Request (CSR) to the federation's Registration Authority. The registration authority is responsible for validating whether an organization fulfils all the requirements for the certificate to be issued before passing the request to the Certificate Authority.

  1. An organization creates a CSR including the organization's Public Key and the organization's identifying information within the subject field

    For example, the information may include the organization's name, domain, country, and more.

  2. The CSR is signed using the organization's Private Key.

  3. The organization sends the CSR to the Raidiam's RA which validates the request and passes it to CA if validation is successful.

    The organization can provide Raidiam's RA with the CSR using APIs or manually using the UI.

  4. The CA creates the certificate including the organization's public key, subject information, issuer information, validity period, and more.

  5. The CA signs the certificate using its private key.

  6. The certificate is encoded in the DER (binary) format and stored by the CA.

  7. The DER-encoded certificate is converted to the PEM format.

    This involves base64Url encoding the binary data which converts it into an ASCII text and adding the delimiters.

  8. The certificate in the PEM format is returned to the RA and the RA passes it to the requesting organization.

Certificate Signing Requests

A Certificate Signing Request (CSR) is a block of encoded text that a Trust Framework Participant sends to Registration Authority (RA) to apply for a digital certificate. It contains the information the RA and Certificate Authority (CA) need to create and sign a certificate:

  • Identity: CSR includes information that helps the CA verify the identity of the entity requesting the certificate.

  • Public Key Submission: It contains the organisation's Public Key that will be included in the certificate. The corresponding Private Key is kept secret by the requester.

  • Data for Certificate: The CSR includes other information that will be used in the certificate, such as the common name (e.g., domain name), organization, locality, and country.

Raidiam Connect accepts CSRs in the .csr or .pem format.

-----BEGIN CERTIFICATE REQUEST-----
MIICwjCCAaoCAQAwfTELMAkGA1UEBhMCVUsxEDAOBgNVBAoMB1JhaWRpYW0xLTAr
BgNVBAsMJDc5YjM0ZDUyLTEyNWItNGU1YS04YjY5LWRiOTNlNzM3YWE3ODEtMCsG
A1UEAwwkY2ZiMmY0YzMtMTMwZS00YzNlLWI4ZjQtYjU1OWEzM2Y5YTkzMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6O+nF5INIfM6XNvTCENdM3Al/oo4
B0VzerUKE5Nb/w/Yl8/2zaYiIp2a4Jg5evkUF9shMPejqFwwkLdBvyPU07TNklRt
Ju3U8EnMYS6Nt+i2YxYLgW5peaaXRGaL0FsDkpyMxNM5lvqz65p2KP8/QK0gn/l1
5aNHuGF6QoE8IXMhgJnRw2SWLicJaxXF9CthQmU54kk3KjMVDncsu1sIs6oGr1sT
97OcoU9azipo7v43t1s6f2X0FGn9EEt7qRXvo2f0+d88VefYLIR8Xubpfsj5guvD
H2TOGbIth0xXCOdXILtycEwi/tXn0whxk7STcebZ9MRdJjUYw9f3JSpaHwIDAQAB
oAAwDQYJKoZIhvcNAQELBQADggEBAIkfZI9P15eOZ9wkBEpfJXzHvu8BIBzABo8m
OiBb0mKkl2Ui+IrFCdLUX1ZPpDy18WCO3Y9v4vWQeuJwSzGToj3OobswboamXWum
d3czERt3Liv1S5ymMGRLqtzESbDcRrVqj5wJcW+BDHdh0OMP8gAvm/0bhd8arib6
t+T9s5e7MVHNQEHEnEZYlgjaBUX6D/WvB8D0FDCvwJhDrB0cvqfzHY4gDVv+1fG2
/5zRqVK9JrLqwxzys9uqP2ayrzGolf3y8Vmrm4Sqzo9F62rgLbNnGP6I38YzlKXk
K/LTTgBSyp0Oyg8zhDLHkKl7xx/lQfvbZRu1KPbX96gk7yghNmQ=
-----END CERTIFICATE REQUEST-----

Once the CSR is provided to Raidiam's RA, it validates its contents. If validation is successfull, the RA passes the request to the CA which signs the certificate with its private key, creating a digital certificate that links the organisation's identity with its public key.

The signed certificate is sent back to the requester. This certificate can now be installed on servers or used in applications to enable secure communication.

Certificate Formats

Raidiam Connect uses the two following formats for certificates:

FormatExtensionsDescription
Privacy Enhanced Mail (PEM).pem, .crt, .cer, .keyASCII (text) format, enclosed between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
DER (Distinguished Encoding Rules).der, .cerBinary format, not human-readable. Less susceptible to encoding errors. Used for storing the certificate.
-----BEGIN CERTIFICATE-----
MIIFxzCCBK+gAwIBAgIUXTXsHRbAAIM96SSlnAAKKoBb/1swDQYJKoZIhvcNAQEL
BQAwYDELMAkGA1UEBhMCR0IxHTAbBgNVBAoTFFJhaWRpYW0gc2VydmljZXMgbHRk
MRAwDgYDVQQLEwdyYWlkaWFtMSAwHgYDVQQDExdyYWlkaWFtIElzc3VpbmcgQ0Eg
LSBHMjAeFw0yNDA0MTEwNzU5MDBaFw0yNTA1MTEwNzU5MDBaME4xCzAJBgNVBAYT
AlVLMRAwDgYDVQQKEwdSYWlkaWFtMS0wKwYDVQQLEyQ3OWIzNGQ1Mi0xMjViLTRl
NWEtOGI2OS1kYjkzZTczN2FhNzgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQDIgbv+Wr0qZDouKE9j7raWGNni6+FeHJEeWCgbhz2y3zyNzK2KKsyElHIj
SRRpod66SIrvP7nyNJnG3+iTWPxugKbV3psgQlPa9MJuOTj5tOKpHwzzHk4AMjKA
8AhA1xNe0rR22BKGZp2H+O1oG6FfBG8G7Hsf6LdvQxRnQHGmKnM659gs4+EfeQyP
rQjKSs4XWj7dVt5IaJIIS8Cm3d89agCaeZTE9ffjPC0v8Zb9xJbyxyNHXnPyMyBq
Lue0t9txPEnbZdfL60h3smG5mQycvF8DASbkIHPkMkTF/vBlxP0uOOl6h45NqpXQ
7orvfSOZYwqG1mqfClrjpUnLl+T/AgMBAAGjggKJMIIChTAOBgNVHQ8BAf8EBAMC
A7gwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUrwiopzH5DkA3zYSTiyFF45Mkfegw
HwYDVR0jBBgwFoAUivWvC3L3QbSrnlF239IM22W7wQYwQQYIKwYBBQUHAQEENTAz
MDEGCCsGAQUFBzABhiVodHRwOi8vb2NzcC5wa2ktZzIuc2FuZGJveC5yYWlkaWFt
LmlvMEAGA1UdHwQ5MDcwNaAzoDGGL2h0dHA6Ly9jcmwucGtpLWcyLnNhbmRib3gu
cmFpZGlhbS5pby9pc3N1ZXIuY3JsMIIBngYDVR0gBIIBlTCCAZEwggGNBgsrBgEE
AYO6L24BAjCCAXwwggE2BggrBgEFBQcCAjCCASgMggEkVGhpcyBDZXJ0aWZpY2F0
ZSBpcyBzb2xlbHkgZm9yIHVzZSB3aXRoIFJhaWRpYW0gU2VydmljZXMgTGltaXRl
ZCBhbmQgb3RoZXIgcGFydGljaXBhdGluZyBvcmdhbmlzYXRpb25zIHVzaW5nIFJh
aWRpYW0gU2VydmljZXMgTGltaXRlZHMgVHJ1c3QgRnJhbWV3b3JrIFNlcnZpY2Vz
LiBJdHMgcmVjZWlwdCwgcG9zc2Vzc2lvbiBvciB1c2UgY29uc3RpdHV0ZXMgYWNj
ZXB0YW5jZSBvZiB0aGUgUmFpZGlhbSBTZXJ2aWNlcyBMdGQgQ2VydGljaWNhdGUg
UG9saWN5IGFuZCByZWxhdGVkIGRvY3VtZW50cyB0aGVyZWluLjBABggrBgEFBQcC
ARY0aHR0cDovL3JlcG9zaXRvcnkucGtpLWcyLnNhbmRib3gucmFpZGlhbS5pby9w
b2xpY2llczANBgkqhkiG9w0BAQsFAAOCAQEAjwdNXp4KUH9NYWW9BViaVwiKvGt2
fzhKrmZncmwS6Mlrbi35fc+7/hkGMGvN0JDB2hVHYRQBd6Occe/k0knFmGcXOjUY
nT7vaqn3wliahqdOShD8UZ2HvXV6sa4uX1DInzLaXmOFIfU71XqIzoQecE0Cf9Rc
NePC2/xyCKZmuAGGMArUu2UAQYb/QTsKX7KVbxtm4bF8Zb6p9QyrcI8BTa+9qPQm
Mws9OjPD3nJvXe0qzBFy54cY1hk7NVwphQhVwJ5ZO4X194X0Y/6w5GV87Y+iZqbk
Qu7GOAMF2rxNGkveI7cBjDfVOs5qd1EZ9wFB7u00px+GTeGyTeXdZT3nmA==
-----END CERTIFICATE-----
Open Book IconTABLE OF CONTENT