Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


651 posts

Ultimate Geek
+1 received by user: 163


Topic # 228875 26-Jan-2018 20:19
Send private message

So I'm working an on a new project that consuming Web Services (WSDL) through a Gateways Service. I need to provide username & password PLUS a Client Certificate X.509 as they are enforcing Mutual TLS connection. 


However, I have found plenty of examples in creating a self-assigned certificate but the Gateway Service provider requires that the Client Certificate need to be issued via a 3rd Party Trusted Certificate Authority. Which CA providers will issue an x.509 Client Certificate? 


Historically I've used LetsEncrypt, but they don't offer this kind of service.  


What do I need to google for?






Create new topic


651 posts

Ultimate Geek
+1 received by user: 163


  Reply # 1947326 26-Jan-2018 20:33
Send private message

Xero has an example of creating the necessary cert for their application 

 

 

 

openssl genrsa -out privatekey.pem 1024

 

openssl req -new -x509 -key privatekey.pem -out publickey.cer -days 1825

 

openssl pkcs12 -export -out public_privatekey.pfx -inkey privatekey.pem -in publickey.cer

 

But their example publickey.cer file says it's not trusted.

 

 

 






264 posts

Ultimate Geek
+1 received by user: 95


  Reply # 1947337 26-Jan-2018 21:09
Send private message

Google 'managed PKI'. Probably outrageously expensive though.


IcI

807 posts

Ultimate Geek
+1 received by user: 172

Trusted

  Reply # 1947398 27-Jan-2018 06:31
Send private message

Or, if you have your own server, create your own CA, get it signed by the many CA's out there and then create any type of certificate you want?


1626 posts

Uber Geek
+1 received by user: 275

Subscriber

  Reply # 1947404 27-Jan-2018 07:48
Send private message

IcI:

 

Or, if you have your own server, create your own CA, get it signed by the many CA's out there and then create any type of certificate you want?

 

 

 

 

lcl is correct, you will need to do it based on the IP/Domain that is consuming the resource otherwise it will fail as in be untrusted.   x.509 Client Certificate is just a PEM format is it not?  If so namecheaps commodo can provide those.




651 posts

Ultimate Geek
+1 received by user: 163


  Reply # 1947424 27-Jan-2018 09:45
Send private message

itxtme:

 

IcI:

 

Or, if you have your own server, create your own CA, get it signed by the many CA's out there and then create any type of certificate you want?

 

 

 

 

lcl is correct, you will need to do it based on the IP/Domain that is consuming the resource otherwise it will fail as in be untrusted.   x.509 Client Certificate is just a PEM format is it not?  If so namecheaps commodo can provide those.

 

 

 

 

I guess this where I'm getting confused. I have not found one CA that will Issues Client Certificates/Mutal Certificates/M2M/X.509.  Have found lots of instructions about creating the Self-assign certs but they just say "Get this assigned by a trusted CA", but how?






3455 posts

Uber Geek
+1 received by user: 1918

Trusted
Lifetime subscriber

  Reply # 1947828 28-Jan-2018 12:34
Send private message

marpada:

 

Google 'managed PKI'. Probably outrageously expensive though.

 

 

We looked at that at my last job, got two quotes, both were well into 6 figures.. strangely enough that went nowhere lol.

 

 

 

 





Information wants to be free. The Net interprets censorship as damage and routes around it.




651 posts

Ultimate Geek
+1 received by user: 163


  Reply # 1947848 28-Jan-2018 14:46
One person supports this post
Send private message

Lias:

 

marpada:

 

Google 'managed PKI'. Probably outrageously expensive though.

 

 

We looked at that at my last job, got two quotes, both were well into 6 figures.. strangely enough that went nowhere lol.

 

 

 

 

 

 

 

 

Eek! 






IcI

807 posts

Ultimate Geek
+1 received by user: 172

Trusted

  Reply # 1947945 28-Jan-2018 21:06
Send private message

jimbob79: I guess this where I'm getting confused. I have not found one CA that will Issues Client Certificates/Mutal Certificates/M2M/X.509.  Have found lots of instructions about creating the Self-assign certs but they just say "Get this assigned by a trusted CA", but how? 

 

     

  1. Install your own CA (certificate authority)
  2. Create a CSR (certificate signing request) on your CA and submit to your favourite Third party CA. They will have instructions available for your platform.
  3. Follow these instrcutions to create a code signing template: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-windows-defender-application-control.md
  4. Issue code signing template and verify the previous step worked.
  5. Modify / create new template matching your requirements.
  6. Profit

Create new topic

Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.