Client Certificate to be Assigned by a 3rd Party Authority

Forums › IT Pro and developers › Client Certificate to be Assigned by a 3rd Party Authority

jimbob79

673 posts

Ultimate Geek
+1 received by user: 165

#228875 26-Jan-2018 20:19

So I'm working an on a new project that consuming Web Services (WSDL) through a Gateways Service. I need to provide username & password PLUS a Client Certificate X.509 as they are enforcing Mutual TLS connection.

However, I have found plenty of examples in creating a self-assigned certificate but the Gateway Service provider requires that the Client Certificate need to be issued via a 3rd Party Trusted Certificate Authority. Which CA providers will issue an x.509 Client Certificate?

Historically I've used LetsEncrypt, but they don't offer this kind of service.

What do I need to google for?

jimbob79

673 posts

Ultimate Geek
+1 received by user: 165

#1947326 26-Jan-2018 20:33

Xero has an example of creating the necessary cert for their application

openssl genrsa -out privatekey.pem 1024

openssl req -new -x509 -key privatekey.pem -out publickey.cer -days 1825

openssl pkcs12 -export -out public_privatekey.pfx -inkey privatekey.pem -in publickey.cer

But their example publickey.cer file says it's not trusted.

marpada

487 posts

Ultimate Geek
+1 received by user: 182

#1947337 26-Jan-2018 21:09

Google 'managed PKI'. Probably outrageously expensive though.

ANglEAUT

altered-ego
2436 posts

Uber Geek
+1 received by user: 842

Trusted

Lifetime subscriber

#1947398 27-Jan-2018 06:31

Or, if you have your own server, create your own CA, get it signed by the many CA's out there and then create any type of certificate you want?

Please keep this GZ community vibrant by contributing in a constructive & respectful manner.

itxtme

2102 posts

Uber Geek
+1 received by user: 557

#1947404 27-Jan-2018 07:48

IcI:

Or, if you have your own server, create your own CA, get it signed by the many CA's out there and then create any type of certificate you want?

lcl is correct, you will need to do it based on the IP/Domain that is consuming the resource otherwise it will fail as in be untrusted. x.509 Client Certificate is just a PEM format is it not? If so namecheaps commodo can provide those.

jimbob79

673 posts

Ultimate Geek
+1 received by user: 165

#1947424 27-Jan-2018 09:45

itxtme:

IcI:

Or, if you have your own server, create your own CA, get it signed by the many CA's out there and then create any type of certificate you want?

lcl is correct, you will need to do it based on the IP/Domain that is consuming the resource otherwise it will fail as in be untrusted. x.509 Client Certificate is just a PEM format is it not? If so namecheaps commodo can provide those.

I guess this where I'm getting confused. I have not found one CA that will Issues Client Certificates/Mutal Certificates/M2M/X.509. Have found lots of instructions about creating the Self-assign certs but they just say "Get this assigned by a trusted CA", but how?

Lias

5655 posts

Uber Geek
+1 received by user: 3978

ID Verified

Trusted

Lifetime subscriber

#1947828 28-Jan-2018 12:34

marpada:

Google 'managed PKI'. Probably outrageously expensive though.

We looked at that at my last job, got two quotes, both were well into 6 figures.. strangely enough that went nowhere lol.

I'm a geek, a gamer, a dad, a Quic user, and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it. If you use my Quic signup you can also use the code R570394EKGIZ8 for free setup. Opinions are my own and not the views of my employer.

Samsung

Shop now on Samsung phones, tablets, TVs and more (affiliate link).

jimbob79

673 posts

Ultimate Geek
+1 received by user: 165

#1947848 28-Jan-2018 14:46

Lias:

marpada:

Google 'managed PKI'. Probably outrageously expensive though.

We looked at that at my last job, got two quotes, both were well into 6 figures.. strangely enough that went nowhere lol.

Eek!

ANglEAUT

altered-ego
2436 posts

Uber Geek
+1 received by user: 842

Trusted

Lifetime subscriber

#1947945 28-Jan-2018 21:06

jimbob79: I guess this where I'm getting confused. I have not found one CA that will Issues Client Certificates/Mutal Certificates/M2M/X.509. Have found lots of instructions about creating the Self-assign certs but they just say "Get this assigned by a trusted CA", but how?

Install your own CA (certificate authority)
Create a CSR (certificate signing request) on your CA and submit to your favourite Third party CA. They will have instructions available for your platform.
Follow these instrcutions to create a code signing template: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-windows-defender-application-control.md
Issue code signing template and verify the previous step worked.
Modify / create new template matching your requirements.
Profit

Please keep this GZ community vibrant by contributing in a constructive & respectful manner.