Server/client mutual authentication
Overview
The nShield Web Services Key Storage Provider can only communicate securely with a Web Services server if the following certificates are installed:
- The Web Services server's CA certificate.
- An appropriate client certificate (with each client using its own client certificate).
- Any intermediate CA certificates that are to be used to form a complete chain to verify the client certificate on the Web Services server.
See the nShield Web Services Option Pack User Guide for further information concerning server/client authentication, as well as for important security guidance.
Installing certificates
The following guidance should be followed when installing certificates:
- Install the Web Services server's CA certificate into the Root store. Below is an example of how you can do this using certutil.exe.
  - Add a CA certificate to the Root store:
    certutil.exe -addstore Root <ca_certificate.pem>
  - Check that the certificate has been installed:
    certutil.exe -store Root
- Install any intermediate CA certificates for the client certificate. Below is an example of how you can do this by using certutil.exe to load the client certificate's intermediate certificates into the CA certificate store:
  certutil.exe -addstore CA <intermediate_ca_certificate.pem>
- Install the client certificate and its private key. This should be a PFX file that contains a single certificate and the associated private key. The PFX must not contain the full certificate chain. For example, to install the PFX file in the Local Machine's certificate store:
  certutil.exe -p <password> -importPFX [certificatestorename] <client-cert.pfx>
  or to install the PFX file into the Current User's certificate store:
  certutil.exe -p <password> -importPFX -user [certificatestorename] <client-cert.pfx>
To find the thumbprint of a certificate, use certutil.exe to view the certificate's properties, then select the Details tab and scroll down to the Thumbprint field. For example, to view thumbprints in the My store:
certutil.exe -viewstore My
PowerShell can also be used to list certificates together with their thumbprints. In this example the store is My and the store type is LocalMachine:
Get-ChildItem -Path Cert:\LocalMachine\My
If necessary, update client_cert_thumbprint within cngwebservices.cfg with the changed thumbprint (see Configuring the provider for further information).
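The three installation steps and the checks that follow them, as an added PowerShell example that is not part of the nShield documentation. It assumes the Local Machine stores, the standard PKI module cmdlets (Get-PfxData, Import-Certificate, Import-PfxCertificate, Test-Certificate), base64 PEM CA files, and placeholder file paths.

```powershell
# Added example, not nShield's own code. Installs the server CA, the client
# certificate's intermediate CA and the client PFX into the Local Machine
# stores, then checks the client certificate before its thumbprint is copied
# into client_cert_thumbprint in cngwebservices.cfg. Paths are placeholders.
$ErrorActionPreference = 'Stop'
$caCert      = 'C:\certs\ws-server-ca.pem'            # placeholder: Web Services server CA
$interCert   = 'C:\certs\client-intermediate-ca.pem'  # placeholder: intermediate for client cert
$clientPfx   = 'C:\certs\client-cert.pfx'             # placeholder: client cert + private key
$pfxPassword = Read-Host -AsSecureString 'PFX password'

# The provider expects a PFX holding exactly one certificate and its key.
# A PFX that also carries the chain shows up in OtherCertificates; reject it
# before anything is written to a store.
$pfx = Get-PfxData -FilePath $clientPfx -Password $pfxPassword
if ($pfx.EndEntityCertificates.Count -ne 1 -or $pfx.OtherCertificates.Count -gt 0) {
    throw 'PFX must contain a single end-entity certificate and no chain certificates'
}

# Server CA -> Root, intermediate CA(s) for the client cert -> CA, client cert + key -> My.
# Import-Certificate accepts DER or base64 PEM files (assumption: the CA files are PEM).
$root   = Import-Certificate -FilePath $caCert    -CertStoreLocation Cert:\LocalMachine\Root
$inter  = Import-Certificate -FilePath $interCert -CertStoreLocation Cert:\LocalMachine\CA
$client = Import-PfxCertificate -FilePath $clientPfx -Password $pfxPassword `
              -CertStoreLocation Cert:\LocalMachine\My

# The KSP can only authenticate if the private key is present and the
# certificate chains to an installed CA. Test-Certificate builds the chain and
# also requires the Client Authentication EKU (1.3.6.1.5.5.7.3.2).
if (-not $client.HasPrivateKey) {
    throw 'Client certificate was imported without its private key'
}
if (-not (Test-Certificate -Cert $client -EKU '1.3.6.1.5.5.7.3.2' -ErrorAction SilentlyContinue)) {
    throw 'Client certificate does not chain to an installed CA or lacks the client-auth EKU'
}

# Confirm the certificate now in Root is the server CA that was intended, then
# print the thumbprint that client_cert_thumbprint must match.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object Thumbprint -eq $root.Thumbprint |
    Format-Table Subject, NotAfter, Thumbprint -AutoSize

"Intermediate CA installed: $($inter.Subject)"
"client_cert_thumbprint for cngwebservices.cfg: $($client.Thumbprint)"
```

Run from an elevated PowerShell session, since writes to the LocalMachine stores require administrator rights; for the Current User stores replace LocalMachine with CurrentUser throughout.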