Options
Distributing client certificates
MitM
Member Posts: 622 ■■■■□□□□□□
Need some advice from the TE Family 
Our developers are working on a solution to allow outside business partners to make api calls into our ERP system. They plan to use mutual authentication using certificates. I have an internal PKI system (ADCS), so my thought is issue certificates from our internal PKI, as opposed to using a 3rd party CA.
The developers seem to think the best solution is to use 1 client certificate for ALL of the business partners. This does not make sense to me, at all. I'm suggesting each business partner would get their own certificate.
Also, they seem to think we will distribute this certificate to the business partner. I don't like this either. Why would you distribute a certificate with the private key? I would think, have the business partner generate the CSR, I'll supply that to our internal PKI and issue them the certificate.
Am I way off? Am I being paranoid? I'm not a developer, this is outside my comfort zone.
Our developers are working on a solution to allow outside business partners to make api calls into our ERP system. They plan to use mutual authentication using certificates. I have an internal PKI system (ADCS), so my thought is issue certificates from our internal PKI, as opposed to using a 3rd party CA.
The developers seem to think the best solution is to use 1 client certificate for ALL of the business partners. This does not make sense to me, at all. I'm suggesting each business partner would get their own certificate.
Also, they seem to think we will distribute this certificate to the business partner. I don't like this either. Why would you distribute a certificate with the private key? I would think, have the business partner generate the CSR, I'll supply that to our internal PKI and issue them the certificate.
Am I way off? Am I being paranoid? I'm not a developer, this is outside my comfort zone.
Comments
-
Options
SteveLavoie
Member Posts: 1,133 ■■■■■■■■■□
1 certificate does not make sense at all.
1 certificate per business partner is the way to go. If you can distribute your certificate safely(encrypted USB key or encrypted archive by example), this way it would help you manage less support call. However, if you let people generate CSR etc.. expect to have a lot of support call as not every IT guy are familiar with certificate management. -
OptionsMitM
Member Posts: 622 ■■■■□□□□□□
Good call on the encrypted archive. Thanks!SteveLavoie said:1 certificate does not make sense at all.
1 certificate per business partner is the way to go. If you can distribute your certificate safely(encrypted USB key or encrypted archive by example), this way it would help you manage less support call. However, if you let people generate CSR etc.. expect to have a lot of support call as not every IT guy are familiar with certificate management. -
OptionsSteveLavoie
Member Posts: 1,133 ■■■■■■■■■□
@MitM and send the password with an out-of-band technique either SMS, phone call, or even a plain old fax
-
OptionsMitM
Member Posts: 622 ■■■■□□□□□□
Thanks @SteveLavoie, will do.
Right now, trying to determine if the mutual auth is really necessary. We're using secret keys, similar to how Amazon does it -
OptionsSteveLavoie
Member Posts: 1,133 ■■■■■■■■■□
Sorry, I can't tell you. Prefer to say that than to say BS..
-
Optionspaul78
Member Posts: 3,016 ■■■■■■■■■■
My suggestion is that you shouldn't distribute an actually keypair. The way that I've normally implemented TLS mutual auth is to require that the customer or vendor provide a CSR and then we sign it with our private CA and return the certificate. That way - the private key is never exchanged and each party retains control of their private keys which significantly reduces the risk for both parties.If you are passing private keys around - it kinda defeats the benefit of using public-key cryptography.
