🎄 Happy Holidays! 🥳
Most of Solace is closed December 24–January 1 so our employees can spend time with their families. We will re-open Thursday, January 2, 2024. Please expect slower response times during this period and open a support ticket for anything needing immediate assistance.
Happy Holidays!
Please note: most of Solace is closed December 25–January 2, and will re-open Tuesday, January 3, 2023.
Why should the private key be used in solace client authentication?
I see that we provide a path to a .key file which is the private key for client authentication using client certificates . I really want to understand why this is done?
a) where is the private key being used?
b) is it a secure practice to pass private keys? especially if the server is sitting in a vendor infrastructure which is vendor owned?
c) If the vendor get hold of the private key , can this key be used as a signing key for any certificates the vendor wants to spin up?
d) How is this superior to basic auth?
Answers
-
Hi @v1n48
Could you show us where you're reading about this? Maybe it needs a better/clearer explanation on this topic.
To my knowledge, private keys are just used for the client to sign something, and not actually passed to the broker. On the broker side we then just need the CA cert so the broker trusts/able to authenticate your client certs.
1 -
Here is the documentation on using client cert for authentication
Here is a sample implementation:
event.container.ssl.client.set_trusted_ca_db(path to CA public key)
event.container.ssl.client.set_peer_authentication(SSLdomain.Verify_peer)
event.container.ssl.client.set_credentials(certpath,keypath)here i understand that path to CA public key is the public key of the CA which is signing the cert on the broker. which is verified by the client for encryption using SSLdomain.verify_peer
the set_credential(certpath) is the path to the client CA signed cert
is the keypath the private key corresponding to the public key used in the CSR for the client certificate? if so is this just used in the verifycertificate call during the client authentication?
0