Distributing client certificates

Need some advice from the TE Family

Our developers are working on a solution to allow outside business partners to make api calls into our ERP system. They plan to use mutual authentication using certificates. I have an internal PKI system (ADCS), so my thought is issue certificates from our internal PKI, as opposed to using a 3rd party CA.

The developers seem to think the best solution is to use 1 client certificate for ALL of the business partners. This does not make sense to me, at all. I'm suggesting each business partner would get their own certificate.

Also, they seem to think we will distribute this certificate to the business partner. I don't like this either. Why would you distribute a certificate with the private key? I would think, have the business partner generate the CSR, I'll supply that to our internal PKI and issue them the certificate.

Am I way off? Am I being paranoid? I'm not a developer, this is outside my comfort zone.

Find more posts tagged with

Comments

SteveLavoie

1 certificate does not make sense at all.
1 certificate per business partner is the way to go. If you can distribute your certificate safely(encrypted USB key or encrypted archive by example), this way it would help you manage less support call. However, if you let people generate CSR etc.. expect to have a lot of support call as not every IT guy are familiar with certificate management.

MitM

SteveLavoie said:

1 certificate does not make sense at all.
1 certificate per business partner is the way to go. If you can distribute your certificate safely(encrypted USB key or encrypted archive by example), this way it would help you manage less support call. However, if you let people generate CSR etc.. expect to have a lot of support call as not every IT guy are familiar with certificate management.

Good call on the encrypted archive. Thanks!

SteveLavoie

@MitM and send the password with an out-of-band technique either SMS, phone call, or even a plain old fax

MitM

Thanks @SteveLavoie, will do.

Right now, trying to determine if the mutual auth is really necessary. We're using secret keys, similar to how Amazon does it

SteveLavoie

Sorry, I can't tell you. Prefer to say that than to say BS..

MitM

you and me both lol

paul78

My suggestion is that you shouldn't distribute an actually keypair. The way that I've normally implemented TLS mutual auth is to require that the customer or vendor provide a CSR and then we sign it with our private CA and return the certificate. That way - the private key is never exchanged and each party retains control of their private keys which significantly reduces the risk for both parties.

If you are passing private keys around - it kinda defeats the benefit of using public-key cryptography.

MitM

exactly my thoughts, Paul