Distributing client certificates

MitM Member Posts: 622
Need some advice from the TE Family :)

Our developers are working on a solution to allow outside business partners to make api calls into our ERP system.  They plan to use mutual authentication using certificates. I have an internal PKI system (ADCS), so my thought is issue certificates from our internal PKI, as opposed to using a 3rd party CA.

The developers seem to think the best solution is to use 1 client certificate for ALL of the business partners. This does not make sense to me, at all. I'm suggesting each business partner would get their own certificate. 

Also, they seem to think we will distribute this certificate to the business partner.  I don't like this either. Why would you distribute a certificate with the private key?  I would think, have the business partner generate the CSR, I'll supply that to our internal PKI and issue them the certificate. 

Am I way off? Am I being paranoid? I'm not a developer, this is outside my comfort zone.

Comments

  • SteveLavoie Member Posts: 1,133
    1 certificate does not make sense at all.
    1 certificate per business partner is the way to go. If you can distribute your certificate safely (encrypted USB key or encrypted archive, for example), it would help you deal with fewer support calls. However, if you let people generate CSRs etc., expect to have a lot of support calls, as not every IT guy is familiar with certificate management.
  • MitM Member Posts: 622
    1 certificate does not make sense at all.
    1 certificate per business partner is the way to go. If you can distribute your certificate safely (encrypted USB key or encrypted archive, for example), it would help you deal with fewer support calls. However, if you let people generate CSRs etc., expect to have a lot of support calls, as not every IT guy is familiar with certificate management.
    Good call on the encrypted archive. Thanks!
  • SteveLavoie Member Posts: 1,133
    edited January 2019
    @MitM and send the password with an out-of-band technique: either SMS, a phone call, or even a plain old fax.
  • MitM Member Posts: 622
    Thanks @SteveLavoie, will do.

    Right now, trying to determine if the mutual auth is really necessary. We're using secret keys, similar to how Amazon does it.
  • SteveLavoie Member Posts: 1,133
    Sorry, I can't tell you. I prefer to say that rather than say BS.
  • MitM Member Posts: 622
    you and me both lol
  • paul78 Member Posts: 3,016
    My suggestion is that you shouldn't distribute an actual keypair. The way that I've normally implemented TLS mutual auth is to require that the customer or vendor provide a CSR, and then we sign it with our private CA and return the certificate. That way, the private key is never exchanged and each party retains control of their private keys, which significantly reduces the risk for both parties.

    If you are passing private keys around, it kinda defeats the benefit of using public-key cryptography.

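The CSR flow paul78 describes, as an added example that is not from this thread: the partner generates its own key and CSR, we sign the CSR and return only the certificate, and the API checks that a presented certificate chains to our CA. The openssl stand-in CA, the partner names (acme, globex) and file names are constructed for the example; in practice the internal ADCS CA would do the signing step.

```shell
#!/bin/sh
# Added example, not from this thread. The partner keeps its private key;
# only the CSR and the issued certificate cross the boundary. The openssl CA
# below stands in for the internal ADCS CA that would really sign the CSR.
set -eu

# Partner side: key pair plus CSR. "$name.key" never leaves the partner's host.
partner_make_csr() {
  name=$1                                        # e.g. acme (constructed name)
  openssl ecparam -name prime256v1 -genkey -noout -out "$name.key"
  openssl req -new -key "$name.key" -subj "/O=$name/CN=$name-api-client" -out "$name.csr"
}

# Our side: one-off stand-in CA and the extension profile for client certs.
ca_init() {
  openssl ecparam -name prime256v1 -genkey -noout -out ca.key
  openssl req -x509 -new -key ca.key -days 3650 \
    -subj "/O=Example ERP/CN=Partner API CA" -out ca.crt
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext
}

# Our side: check the CSR's self-signature (proof the partner holds the key),
# then issue a client-auth-only certificate with its own serial per partner.
ca_sign_csr() {
  name=$1
  openssl req -in "$name.csr" -verify -noout
  openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile client.ext -out "$name.crt"
}

# API side: what the TLS listener checks: chains to our CA, usable as a client cert.
verify_client_cert() {
  openssl verify -CAfile ca.crt -purpose sslclient "$1.crt" >/dev/null
}

# API side: the CN the ERP can map to one partner's permissions.
client_identity() {
  openssl x509 -in "$1.crt" -noout -subject -nameopt RFC2253 |
    sed 's/.*CN=\([^,]*\).*/\1/'
}

# Does certificate $1 carry the public half of key $2? True only for the
# partner that generated the CSR, since no private key was ever copied.
keys_match() {
  [ "$(openssl x509 -in "$1.crt" -pubkey -noout)" = "$(openssl pkey -in "$2.key" -pubout)" ]
}
```

Because every partner has its own certificate, revoking one partner means revoking one serial, without touching anyone else.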
  • MitM Member Posts: 622
    exactly my thoughts, Paul