Client Certificate signed by CA

Hi All,

I'm interfacing with a bank API that requires a client certificate (signed by a third-party CA) to be attached for certain requests (e.g. initiating an ACH transaction). My code will be deployed in the form of a DLL to multiple desktops within our office, which can then be used by another Windows application.

So a few questions based around this:

Is it possible to configure all the clients to use the same hostname, or does that present issues? (We're NATed, but we also have redundant internet connections, so I'm worried about the source IP.)

If it's just an X509 certificate, is that the same thing as the coding certificate, or is there some other kind of cert used for clients?

Best vendor for the kind of certificate needed?

Thanks in advance.
Kyle Abrahams, Senior .Net Developer, asked:
David Johnson, CD, MVP, Owner, commented:
Problem unclear

When they say they require a client certificate they should be explicit on what type of certificate they require.
David Johnson, CD, MVP, Owner, commented:
I am guessing that it is some sort of client authentication certificate
https://www.digicert.com/client-certificates/ which identifies the user, so each user that requires access must have their own certificate
Kyle Abrahams, Senior .Net Developer, Author, commented:
Hi David,

I'm going to take a look into that. Thinking we might be able to get away with one for the company... just use the same certificate per person, and have the application control who has access.

Still very early in the research phase, will let you know what I find but thanks for the lead.

-Kyle
David Johnson, CD, MVP, Owner, commented:
I rather doubt that only 1 certificate for the company will be acceptable. You will need 1 certificate for each user that accesses their system.
ambience commented:
Your company's cert will probably not have the OID (purpose identifier) of a client certificate. Client certificates are bound to users, not IP addresses, therefore you should be able to use the same certificate across different IPs. However, it is common for banks and similar sensitive backends to limit the acceptable IP pool of the client -- an additional security measure outside the realm of certificates -- which BTW wouldn't affect your code, as that's something to be handled by the network config.

Check out http://www.cacert.org/, which provides free certification services.

Here's an idea (use certs stored in the LDAP server).

        using System;
        using System.DirectoryServices;
        using System.Security.Cryptography.X509Certificates;

        // Fetch the certificate(s) published in a user's directory object (userCertificate attribute).
        using (DirectoryEntry de = new DirectoryEntry("LDAP://#####"))  // Where ##### is the name of your AD server
        using (DirectorySearcher dsearch = new DirectorySearcher(de))
        {
            dsearch.Filter = "(cn=#####)"; // Search how you want. Google "LDAP Filter" for more.
            dsearch.PropertiesToLoad.Add("userCertificate");

            using (SearchResultCollection rc = dsearch.FindAll())
            {
                foreach (SearchResult r in rc)
                {
                    if (r.Properties.Contains("userCertificate"))
                    {
                        // This is hard coded to the first element. Some users may have multiples. Use ADSI Edit to find out more.
                        Byte[] b = (Byte[])r.Properties["userCertificate"][0];
                        X509Certificate cert1 = new X509Certificate(b);
                    }
                }
            }
        }

Ideally, you'd have code that uses the config files to adjust how it fetches client certificates. I can think of an ICertificateProvider:

interface ICertificateProvider {
    X509Certificate2 LocateClientCertificate();
}

class LocalStoreCertificateProvider : ICertificateProvider {
    // Open local cert store and fetch cert (controlled using config)
    public X509Certificate2 LocateClientCertificate() { throw new NotImplementedException(); }
}

class LDAPCertificateProvider : ICertificateProvider {
    // Fetch from LDAP (controlled using config)
    public X509Certificate2 LocateClientCertificate() { throw new NotImplementedException(); }
}

// .... Other possibilities

As for your question regarding types of certs: X509 is both a format for certificate storage and a standard. Alternatives like PGP and OpenPGP exist, but considering the server belongs to a bank, they'd more than likely rely on the centralized certification authorities of X509 rather than the decentralized "web of trust" nature of PGP. Also, SSL/TLS works with X509, so using SSL almost always means X509 certificates. Support for using PGP keys (certificates) with TLS is theoretically possible (https://tools.ietf.org/html/rfc5081) but very rare, and it is unlikely that a bank would accept it.
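Filling in the provider sketch above with working code, as an added example that is not part of the original thread or of any bank SDK: a LocalStoreCertificateProvider that pulls the certificate from the Windows certificate store by thumbprint (assumed to come from application config), rejects certificates that lack a private key or the Client Authentication purpose OID mentioned above, and attaches the result to an HttpClient. The thumbprint parameter, the EKU check and BankApiClientFactory are assumptions, not something the bank or the original poster specified.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;

// Provider contract from the post; the store lookup and its config value are assumptions.
public interface ICertificateProvider { X509Certificate2 LocateClientCertificate(); }

// Reads the client certificate from CurrentUser\My, selected by a thumbprint taken from app config.
public sealed class LocalStoreCertificateProvider : ICertificateProvider
{
    // id-kp-clientAuth: the extended key usage a TLS client certificate must carry (if any EKU is present).
    private const string ClientAuthOid = "1.3.6.1.5.5.7.3.2";
    private readonly string _thumbprint;
    public LocalStoreCertificateProvider(string thumbprint) { _thumbprint = thumbprint; }

    public X509Certificate2 LocateClientCertificate()
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly: true drops certificates that are expired, revoked or chain to an untrusted root.
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, _thumbprint, validOnly: true);
            var cert = matches.Cast<X509Certificate2>().FirstOrDefault();
            if (cert == null) throw new InvalidOperationException("Client certificate not found or not currently valid.");
            if (!cert.HasPrivateKey) throw new InvalidOperationException("Certificate has no private key; TLS client auth needs one.");
            if (!HasClientAuthEku(cert)) throw new InvalidOperationException("Certificate is not marked for Client Authentication.");
            return cert;
        }
    }

    // No EKU extension means "any purpose"; otherwise clientAuth must be listed (a code-signing-only cert fails here).
    private static bool HasClientAuthEku(X509Certificate2 cert)
    {
        var eku = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>().FirstOrDefault();
        return eku == null || eku.EnhancedKeyUsages.Cast<Oid>().Any(o => o.Value == ClientAuthOid);
    }
}

// Every request sent through this HttpClient presents the certificate during the TLS handshake.
public static class BankApiClientFactory
{
    public static HttpClient Create(ICertificateProvider provider)
    {
        var handler = new HttpClientHandler { ClientCertificateOptions = ClientCertificateOption.Manual };
        handler.ClientCertificates.Add(provider.LocateClientCertificate());
        return new HttpClient(handler);
    }
}
```

Because the certificate comes from the per-user store, deploying one company certificate to many desktops means importing it (with its private key) into each user's store; swapping in the LDAP-backed provider above only changes where LocateClientCertificate looks.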

Kyle Abrahams, Senior .Net Developer, Author, commented:
Thanks very much for the information. I have a call today at 2:00 PM with DigiCert to get more information from them. I'm thinking we can literally use the same cert and just keep the (virtual) user the same.

Unfortunately no AD here as of yet - one of the many to-dos on my list.

Will post back with the info that I find - but really appreciate the clarifications.
Kyle Abrahams, Senior .Net Developer, Author, commented:
After talking with support, it was confirmed that all we need is a client certificate, and if we don't care about who is invoking the API we can get away with one client cert. Thanks very much for the information.