Certificate Management Service

1. Introduction

Certificate Management Service is an API-based as well as CLI-based application service that helps in generating self-signed certificates. A certificate is essential for securing a server or application from malicious attack. A malicious attack can be defined as gaining access to the information that is sent between server and client. This is known as a man-in-the-middle attack.

In order to secure the application, the server needs to trust the client and the client needs to trust the server before establishing any communication. This is done with the help of certificates and the process is known as mutual authentication.

Certificate Management Service helps in generating the root certificate and intermediate certificates. The intermediate certificates sign the client certificates, which can be distributed to the clients for mutual authentication.

Certificate revocation is also supported in Certificate Management Service. Once a certificate is revoked, it cannot be used for authentication.

1.1 Intended Audience

The intended audience of this document is anyone who wants an overview of TCUP Certificate Management Service. After reading this document, the user will understand the capability of TCUP Certificate Management Service.

2. Key Concepts

In order to use Certificate Management Service, a user needs to understand some of the basic concepts of the service. Please refer to the following section:

2.1 CA / Root Certificate

A root certificate is a self-signed public key certificate that identifies a certificate authority. It forms the basis of an X.509-based public key infrastructure (PKI). The root certificate forms the root of the chain of trust. The chain of trust consists of the intermediate certificate and the server and client certificates. CMS helps in generating the root certificate.

2.2 Intermediate Certificate

An intermediate certificate stands between the root certificate and the server and client certificates. It forms the second layer in the chain of trust. The root certificate signs the intermediate certificate, and the intermediate certificate signs all the server and client certificates. The intermediate certificate acts as a proxy for signing client and server certificates, which helps in securing the root certificate.

2.3 Certificate Revocation

Certificate revocation is the act of invalidating a certificate before its scheduled expiration date. A certificate should be revoked immediately if its private key is compromised. A certificate must also be revoked when the domain for which it was issued is no longer operational.

CMS provides a certificate revocation feature.

2.4 CRL (Certificate Revocation List)

Certificates that are revoked are stored in the CRL. The CRL contains each revoked certificate's serial number and the revocation time.

When a client tries to initiate a connection with a server, the server checks for the serial number of the client certificate in the CRL. If the serial number is present in the CRL, the server considers the certificate invalid and does not establish further communication.

3. Functional Capabilities

The Certificate Management Service provides the following functional capabilities:

  • Generate Root Certificate – Allows the user to generate a root certificate. Only one root certificate can be created at a time. If the root certificate is corrupted, it should be deleted in order to create a new root certificate. The root certificate is used to generate the intermediate certificate and self-signed certificate, which create a chain of trust.

  • Get Root Certificate – Allows the user to get details of the public key of the generated root certificate.

  • Delete Root Certificate – Allows the user to delete the root certificate if it gets corrupted or compromised. Once the root certificate is deleted, the entire chain of trust, that is, the intermediate certificate and the server and client certificates, is deleted along with it. A new root certificate must be generated in order to generate a new chain of trust.

  • Create Intermediate Certificate – CMS helps in generating multiple intermediate certificates for different domain names, and a set of server certificates and multiple client certificates associated with each intermediate certificate. The client is verified by the server with the help of the trust chain.

  • Create Role Based Certificate – Allows the user to generate server and client certificates associated with one intermediate certificate. Each certificate is identified by a role and associated with an expiry time. Server certificates encrypt data in transit. Client certificates are used to authenticate the client (user) identity to the server.

  • Get Certificate Details – Allows the user to get the details of a server or client certificate.

  • Download certificates – Allows the user to download the server certificate and server key, the client certificate and client key, and the intermediate certificate chain. The client certificates are distributed to the clients. The server side holds the server certificate and the intermediate certificate chain. The intermediate certificate chain contains the intermediate certificate and the root certificate. Server certificates and the intermediate certificate chain are used to authenticate server identity to the client(s).

  • Certificate Revocation – Allows the user to revoke a certificate before its expiry date if the certificate is compromised. A revoked certificate can no longer be used for authentication. The server will not trust a client with a revoked certificate.

  • Bulk Certificate Revocation – Allows the user to revoke certificates in bulk for multiple clients.

  • Certificate Validation Check – Allows the user to check whether a certificate is valid or revoked.

  • Download CRL – Allows the user to download the certificate revocation list. This list must be configured on the server side for checking the validity of the client certificate.

4. Purpose/Usage

Certificate Management Service, acting as a certificate authority, allows the user to generate client and server certificates signed against a root of trust. These certificates can be used by internal and external users.

The generated certificates provide:

  • Mutual authentication, that is, they help in validating the identity of server and client.

  • Encryption, that is, they help in encrypting the data that is transferred.

5. Examples

Consider the example of a sports vehicle manufacturer. A TCUP edge gateway device is required to be mounted on the vehicle for monitoring different parameters. The edge gateway device will connect via the internet and post the necessary data to TCUP. In order to establish a secured connection between the edge gateway device and TCUP, both parties need to trust each other with the help of mutual authentication.

Certificate Management Service will help in generating the Root Certificate and chain of trust, thus helping in mutual authentication. The following are the steps for generating certificates and mutual authentication using CMS:

  1. Generate Root Certificate

  2. Generate Intermediate Certificate with a domain name

  3. Generate server certificate and key

  4. Generate client certificate and key

  5. Download the server certificate, server key and intermediate certificate chain of trust and store them on the server side

  6. Download the client certificate and key and store them on the client side

In a mutual authentication process, a secured connection can be established if the client (here the edge gateway device) and the server (here TCUP) exchange, verify, and trust each other's certificates. The certificate exchange occurs by means of the Transport Layer Security (TLS) protocol. The client presents its certificate to the server, which the server trusts, and vice versa.

If the certificate is compromised, it can be revoked; the chain of trust is then broken and the connection will not be established.
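
The following is an added example, not CMS code and not part of the original document, of how the files from steps 5 and 6 and the CRL described in section 2.4 could be consumed with Python's standard ssl module. All file paths are assumed names, and the CRL is assumed to be in PEM format and issued by the CA that signed the client certificate.

```python
import ssl


def new_server_context() -> ssl.SSLContext:
    """Server policy: demand a client certificate and check it against the CRL."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # On a server context, CERT_REQUIRED makes the handshake fail unless the
    # client presents a certificate that chains to a loaded trust anchor.
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Check the client (leaf) certificate against the CRL of its issuer.
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def load_server_material(ctx, cert_file, key_file, chain_file, crl_file):
    """Load the files downloaded in step 5 plus the CRL (paths are assumptions)."""
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    ctx.load_verify_locations(cafile=chain_file)  # intermediate + root certificates
    ctx.load_verify_locations(cafile=crl_file)    # CRLs are loaded through the same call
    return ctx


def new_client_context() -> ssl.SSLContext:
    """Client policy: PROTOCOL_TLS_CLIENT verifies the server chain and host name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def load_client_material(ctx, cert_file, key_file, chain_file):
    """Load the files downloaded in step 6 (paths are assumptions)."""
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)  # identity sent to the server
    ctx.load_verify_locations(cafile=chain_file)               # trust anchors for the server
    return ctx


if __name__ == "__main__":
    server = new_server_context()
    client = new_client_context()
    print("server requires client cert:", server.verify_mode == ssl.CERT_REQUIRED)
    print("server checks leaf CRL:", bool(server.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF))
    print("client checks host name:", client.check_hostname)
    # With the downloaded files in place (assumed names):
    # load_server_material(server, "server.crt", "server.key", "chain.pem", "crl.pem")
    # load_client_material(client, "client.crt", "client.key", "chain.pem")
```

With `VERIFY_CRL_CHECK_LEAF` set, the handshake fails if no CRL from the client certificate's issuer has been loaded. A CRL loaded into a context is not refreshed automatically, so the server context has to be rebuilt after a newer CRL is downloaded for a revocation to take effect.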

6. Reference Document

For more details about this service, please refer to the following documents:

  1. User guide

  2. API Guide