Client Certificate Key Exchange

For third-party developers, there are two environments of the Open Innovation (OI) Data Provider available for consumption:

https://oi-dataprovider-uat.edge.central1.cc

https://oi-dataprovider-production.edge.central1.cc

These HTTPS endpoints are protected with mutual Transport Layer Security (mTLS) and thus you need a combination of a private key and a public certificate to access the service. The private key file is a secret, and should never leave your organization. The private key will be generated by you, and the certificate will be issued by Central 1 Credit Union.

For macOS/Linux users:

  1. Generate an RSA private key with a key size of at least 4096 bits:
    openssl genrsa -out sample.key 4096
  2. Generate a Certificate Signing Request, including your company name, your name and the requested environment (UAT or Production) in the subject:
    openssl req -subj '/O=Company Name Goes Here/CN=Company Name Goes Here - UAT' -new -key sample.key -out sample.csr
  3. Securely transmit the Certificate Signing Request (.csr) file to Central 1 for signing. Include the requesting IP address(es) that will be accessing the service.
    DO NOT transmit the key file outside your organization, and be diligent concerning what/who can access this key.
  4. Upon approval, Central 1 will issue you a signed certificate (.crt) file and an API Key, both valid for 1 year. You can inspect the Issuer to confirm:
    openssl x509 -text -in sample.crt | grep Issuer
    # the output will be:
    Issuer: C = CA, O = Central 1, CN = Central 1 Extranet Enterprise CA
  5. Test that the certificate together with your private key can access the OI Data Provider for the requested environment (the first request exercises mTLS only, the second adds the API Key header):
    curl 'https://oi-dataprovider-uat.edge.central1.cc/status' --cert sample.crt --key sample.key
    curl -H 'X-API-Key: YourApiKeyGoesHere' 'https://oi-dataprovider-uat.edge.central1.cc/status/api-key' --cert sample.crt --key sample.key
    # should you ever need to combine the certificate and private key into a p12 keystore file, you can use the following:
    # openssl pkcs12 -export -in sample.crt -inkey sample.key -out sample.p12
  6. Remember the certificate will expire. Take note of the Not After validity date and ensure you repeat the Client Certificate Key Exchange process at least 30 days before this date:
    openssl x509 -text -in sample.crt | grep 'Not After :'
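As an added example (not part of Central 1's instructions), the following POSIX shell script bundles the checks a practitioner wants to run before using or renewing the client certificate: that the issuer is the expected CA, that the private key on disk actually belongs to the signed certificate (a mismatch is the usual cause of a failed mTLS handshake after a renewal), and that more than 30 days remain before Not After. It assumes only the OpenSSL CLI and an unencrypted key as produced by genrsa above; the file names, the preflight function and the expected-CA argument are my own.

```shell
#!/bin/sh
# Pre-flight checks for an mTLS client certificate and its private key.
# Added example (not Central 1's own tooling); assumes the OpenSSL CLI is on PATH
# and that the key is unencrypted, as produced by "openssl genrsa" above.

# Renew at least this many days before "Not After", per the exchange process.
RENEW_BEFORE_DAYS=30

# Print the issuer DN of a PEM certificate.
cert_issuer() {
    openssl x509 -noout -issuer -in "$1"
}

# Exit 0 only if the issuer contains the expected CA name (fixed-string match,
# so it works with both "CN = ..." and "/CN=..." output styles).
cert_issuer_matches() {
    cert_issuer "$1" | grep -qF -- "$2"
}

# Print the "Not After" timestamp of a PEM certificate.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Exit 0 only if the certificate is still valid RENEW_BEFORE_DAYS days from now.
cert_not_due_for_renewal() {
    openssl x509 -noout -checkend $((RENEW_BEFORE_DAYS * 86400)) -in "$1" >/dev/null
}

# Exit 0 only if the private key belongs to the certificate. Both public keys are
# re-encoded as DER and hashed, so the comparison works for RSA and EC keys alike.
cert_key_match() {
    crt_fp=$(openssl x509 -noout -pubkey -in "$1" | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_fp=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$crt_fp" ] && [ "$crt_fp" = "$key_fp" ]
}

# Run every check against CERT KEY EXPECTED_CA; print a report, exit 0 only if all pass.
preflight() {
    crt=$1; key=$2; expected_ca=$3; rc=0
    if cert_issuer_matches "$crt" "$expected_ca"; then
        echo "issuer ok: $(cert_issuer "$crt")"
    else
        echo "issuer MISMATCH, expected '$expected_ca': $(cert_issuer "$crt")"; rc=1
    fi
    if cert_key_match "$crt" "$key"; then
        echo "key matches certificate"
    else
        echo "key DOES NOT match certificate"; rc=1
    fi
    if cert_not_due_for_renewal "$crt"; then
        echo "valid beyond the $RENEW_BEFORE_DAYS-day renewal window (Not After: $(cert_not_after "$crt"))"
    else
        echo "RENEW NOW: expires within $RENEW_BEFORE_DAYS days (Not After: $(cert_not_after "$crt"))"; rc=1
    fi
    return $rc
}

# Usage: sh preflight.sh sample.crt sample.key "Central 1 Extranet Enterprise CA"
if [ "$#" -eq 3 ]; then
    preflight "$1" "$2" "$3"
fi
```

Run it against the files from steps 1 and 4; a non-zero exit from preflight means the certificate should not be deployed (or the renewal should be started) rather than debugged at the curl stage.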

For Windows users:

  1. Generate an RSA private key with a key size of at least 4096 bits together with a Certificate Signing Request. Include your company name, your name and the requested environment (UAT or Production) in the subject:

    # Generate a CSR (certreq also creates the private key and stores it in the current user's key store)
    New-Item .\request.inf -ItemType File -Value @'
    [newrequest]
    Subject = "CN=Your Name Goes Here - UAT, O=Company Name Goes Here"
    Exportable = true
    HashAlgorithm = Sha256
    KeyAlgorithm = RSA
    KeyLength = 4096
    '@
    certreq.exe -New .\request.inf .\sample.csr
  2. Securely transmit the Certificate Signing Request (.csr) file to Central 1 for signing. Include your requesting IP Address(es) that will be accessing the service.
  3. Upon approval, Central 1 will issue you a signed certificate (.crt) file and an API Key, both valid for 1 year. You can inspect the Issuer to confirm:
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import("$((Get-Location).Path)\sample.crt")
    $cert.Issuer
    # for UAT, the output will be:
    # CN=Central 1 Extranet Enterprise CA, O=Central 1, C=CA
  4. Import the Certificate into your Certificate Store:
    Import-Certificate -FilePath .\sample.crt -CertStoreLocation Cert:\CurrentUser\My
  5. Test that the certificate together with your private key can access the OI Data Provider for the requested environment (the first request exercises mTLS only, the second adds the API Key header):

    $thumbprint = (Get-ChildItem Cert:\CurrentUser\My | Where-Object -Property Subject -Eq -Value "CN=Your Name Goes Here - UAT, O=Company Name Goes Here").Thumbprint
    Invoke-RestMethod -Uri 'https://oi-dataprovider-uat.edge.central1.cc/status' -CertificateThumbprint $thumbprint
    Invoke-RestMethod -Headers @{'X-API-Key'='YourApiKeyGoesHere'} -Uri 'https://oi-dataprovider-uat.edge.central1.cc/status/api-key' -CertificateThumbprint $thumbprint

    # should you ever need to export the certificate and private key into a p12 keystore file, you can use the following:
    # Get-ChildItem Cert:\CurrentUser\My | Where-Object -Property Subject -Eq -Value "CN=Your Name Goes Here - UAT, O=Company Name Goes Here" | Export-PfxCertificate -FilePath sample.pfx -Password (Read-Host -Prompt "Enter new password" -AsSecureString)

  6. Remember the certificate will expire. Take note of the NotAfter date and ensure you repeat the Client Certificate Key Exchange process at least 30 days before this date:
    $cert.NotAfter