Server/client mutual authentication with the Web Services PKCS #11 library
Linux
For details on the TLS connection setup, see WSOP TLS setup in the Web Services Option Pack User Guide.
Windows
The Web Services PKCS #11 Library can only communicate securely with a WSOP Server if the following certificates are installed:
-
The WSOP Server’s CA certificate.
-
An appropriate client certificate (with each PKCS #11 client using its own client certificate).
-
Any intermediate CA certificates that are to be used to form a complete chain to verify the client certificate on the WSOP Server.
For information on these certificates, WSOP TLS setup in the Web Services Option Pack User Guide.
-
Install the WSOP Server’s CA certificate into the
Root
store.
Below is an example of how you can do this usingcertutil.exe
.-
Add a CA certificate to the Root store
certutil.exe -addstore Root <ca_certificate.pem>
-
Check that the certificate has been installed:
certutil.exe -store Root
-
-
Install any intermediate CA certificates for the client certificate.
Below is an example of how you can do this by usingcertutil.exe
to load the client certificate’s intermediate certificates into the 'CA' certificate store:certutil.exe -addstore CA <intermediate_ca_certificate.pem>
-
Install the client certificate and its private key. This should be a PFX file that contains a single certificate and the associated private key.
The PFX must not contain the full certificate chain. For example, to install the PFX file in the Local Machine’s certificate store
certutil.exe -p <password> -importPFX [certificatestorename] <client-cert.pfx>
or to install the PFX file into the Current User’s certificate store
certutil.exe -p <password> -importPFX -user [certificatestorename] <client-cert.pfx>
-
If necessary, update the
pkcs11webservices.cfg
file so that-
The common name of the client certificate contained within the PFX file matches the CERTNAME config file entry.
-
The
certificatestorename
used here matches the CERTSTORE config file entry. -
The store type,
LocalMachine
orCurrentUser
matches the STORETYPE config file entry.
-
For details on the Windows config file entries, see Configuration parameters for Windows only