Client Certificate Key Exchange
For 3rd party contributors, there are two environments of the Open Innovation (OI) Data Provider available for consumption:
https://oi-dataprovider-uat.edge.central1.cc
https://oi-dataprovider-production.edge.central1.cc
These HTTPS endpoints are protected with mutual Transport Layer Security (mTLS) and thus you need a combination of a private key and a public certificate to access the service. The private key file is a secret, and should never leave your organization. The private key will be generated by you, and the certificate will be issued by Central 1 Credit Union.
For macOS/Linux users:
- Generate an RSA private key with a key size of at least 4096 bits:
openssl genrsa -out sample.key 4096
- Generate a Certificate Signing Request, including your company name, your name and the requested environment (UAT or Production) in the subject:
openssl req -subj '/O=Company Name Goes Here/CN=Company Name Goes Here - UAT' -new -key sample.key -out sample.csr
- Securely transmit the Certificate Signing Request (.csr) file to Central 1 for signing. Include your requesting IP Address(es) that will be accessing the service.
DO NOT transmit the key file outside your organization, and be diligent concerning what/who can access this key.
- Upon approval, Central 1 will issue you a signed certificate (.crt) file and an API Key valid for 1 year. You can inspect the Issuer to confirm:
openssl x509 -text -in sample.crt | grep Issuer
# the output will be:
Issuer: C = CA, O = Central 1, CN = Central 1 Extranet Enterprise CA
- Test the certificate together with your private key to confirm that you can access the OI Data Provider for the requested environment:
curl 'https://oi-dataprovider-uat.edge.central1.cc/status' --cert sample.crt --key sample.key
curl -H 'X-API-Key: YourApiKeyGoesHere' 'https://oi-dataprovider-uat.edge.central1.cc/status/api-key' --cert sample.crt --key sample.key
# should you ever need to combine the certificate and private key into a p12 keystore file, you can use the following:
# openssl pkcs12 -export -in sample.crt -inkey sample.key -out sample.p12
- Remember the certificate will expire. Take note of the Not After validity date and ensure you repeat the Client Certificate Key Exchange process at least 30 days before this date:
openssl x509 -text -in sample.crt | grep 'Not After :'
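As an added example (not part of the original page or Central 1's tooling), the following POSIX shell script bundles the checks the steps above ask for into functions you can run against sample.crt and sample.key before using or renewing them: that the private key really belongs to the certificate, that the issuer is the expected CA (passed in as a parameter), and that at least 30 days of validity remain. It assumes PEM-encoded files and openssl on PATH; all file names and the expected issuer string are parameters, not values from the page.

```shell
#!/bin/sh
# Added pre-flight checks for an mTLS client certificate before it is used or renewed.
# Assumptions (not from the original page): PEM files, openssl on PATH, POSIX sh.

# Succeed only if the private key really belongs to the certificate.
# Compares SHA-256 digests of the DER-encoded public keys taken from each file.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Print seconds until Not After (prints 0 and fails if already expired).
# Binary search over 'openssl x509 -checkend N', which exits 0 while the
# certificate is still valid N seconds from now, so no date(1) parsing is needed.
# Certificates valid for more than 10 years are reported as 10 years.
seconds_until_expiry() {
  lo=0; hi=$((3650 * 86400))
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || { echo 0; return 1; }
  while [ $((hi - lo)) -gt 1 ]; do
    mid=$(((lo + hi) / 2))
    if openssl x509 -in "$1" -noout -checkend "$mid" >/dev/null 2>&1; then lo=$mid; else hi=$mid; fi
  done
  echo "$lo"
}

# Succeed if at least $2 days (default 30, the lead time the procedure asks for) remain.
renewal_not_yet_due() {
  secs=$(seconds_until_expiry "$1") || return 1
  [ "$secs" -ge $(( ${2:-30} * 86400 )) ]
}

# Succeed if the issuer DN contains the expected CA name.
issuer_is() {
  openssl x509 -in "$1" -noout -issuer | grep -q -- "$2"
}

# Run all checks: prints one line per finding and returns non-zero on any failure.
preflight() {
  rc=0
  key_matches_cert "$1" "$2"  || { echo "FAIL: $2 does not match $1"; rc=1; }
  issuer_is "$1" "$3"         || { echo "FAIL: unexpected issuer: $(openssl x509 -in "$1" -noout -issuer)"; rc=1; }
  renewal_not_yet_due "$1" 30 || { echo "FAIL: fewer than 30 days left; start the key exchange now"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $1 is valid for $(( $(seconds_until_expiry "$1") / 86400 )) more days"
  return "$rc"
}

# Usage: preflight sample.crt sample.key "Central 1 Extranet Enterprise CA"
```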
For Windows users:
- Generate an RSA private key with a key size of at least 4096 bits and a Certificate Signing Request. Include your company name, your name and the requested environment (UAT or Production) in the subject:
# Generate a CSR
New-Item .\request.inf -ItemType File -Value @'
[newrequest]
Subject = "CN=Your Name Goes Here - UAT, O=Company Name Goes Here"
Exportable = true
HashAlgorithm = Sha256
KeyAlgorithm = RSA
KeyLength = 4096
'@
certreq.exe -New .\request.inf .\sample.csr
- Securely transmit the Certificate Signing Request (.csr) file to Central 1 for signing. Include your requesting IP Address(es) that will be accessing the service.
- Upon approval, Central 1 will issue you a signed certificate (.crt) file and API Key valid for 1 year. You can inspect the Issuer to confirm:
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import("$((Get-Location).Path)\sample.crt")
$cert.Issuer
# for uat, the output will be:
# CN=Central 1 Extranet Enterprise CA, O=Central 1, C=CA
- Import the Certificate into your Certificate Store:
Import-Certificate -FilePath .\sample.crt -CertStoreLocation Cert:\CurrentUser\My
- Test the certificate together with your private key to confirm that you can access the OI Data Provider for the requested environment:
Invoke-RestMethod -Uri 'https://oi-dataprovider-uat.edge.central1.cc/status' -CertificateThumbprint (Get-ChildItem Cert:\CurrentUser\My | Where-Object -Property Subject -Eq -Value "CN=Your Name Goes Here - UAT, O=Company Name Goes Here").Thumbprint
Invoke-RestMethod -Headers @{'X-API-Key'='YourApiKeyGoesHere'} -Uri 'https://oi-dataprovider-uat.edge.central1.cc/status/api-key' -CertificateThumbprint (Get-ChildItem Cert:\CurrentUser\My | Where-Object -Property Subject -Eq -Value "CN=Your Name Goes Here - UAT, O=Company Name Goes Here").Thumbprint
# should you ever need to export the certificate and private key into a p12 keystore file, you can use the following:
# Get-ChildItem Cert:\CurrentUser\My | Where-Object -Property Subject -Eq -Value "CN=Your Name Goes Here - UAT, O=Company Name Goes Here" | Export-PfxCertificate -FilePath sample.pfx -Password (Read-Host -Prompt "Enter new password" -AsSecureString)
- Remember the certificate will expire. Take note of the NotAfter date and ensure you repeat the Client Certificate Key Exchange process at least 30 days before this date:
$cert.NotAfter