Why should the private key be used in solace client authentication?

v1n48 Member Posts: 3

I see that we provide a path to a .key file, which is the private key for client authentication using client certificates. I really want to understand why this is done.
a) Where is the private key being used?
b) Is it a secure practice to pass private keys, especially if the server is sitting in vendor infrastructure which is vendor owned?
c) If the vendor gets hold of the private key, can this key be used as a signing key for any certificates the vendor wants to spin up?
d) How is this superior to basic auth?

Answers

  • v1n48
    v1n48 Member Posts: 3

    I think this may be used to sign some verification messages that show that the client cert is owned by the right person. I think this may be the use case, but I just want to clarify whether the private key is actually passed to the broker or not.

  • arih
    arih Member, Employee Posts: 125 Solace Employee

    Hi @v1n48

    Could you show us where you're reading about this? Maybe it needs a better/clearer explanation on this topic.

    To my knowledge, private keys are just used for the client to sign something, and are not actually passed to the broker. On the broker side we then just need the CA cert so the broker trusts / is able to authenticate your client certs.

  • v1n48
    v1n48 Member Posts: 3
    edited December 2021 #4

    @arih :smile:

    Here is the documentation on using client cert for authentication

    https://docs.solace.com/Solace-JMS-API/Connection-Factories.htm#establishing_connections_577400906_338010

    Here is a sample implementation:

    from proton import SSLDomain  # python-qpid-proton

    event.container.ssl.client.set_trusted_ca_db(ca_cert_path)  # placeholder: path to the CA certificate (CA public key)
    event.container.ssl.client.set_peer_authentication(SSLDomain.VERIFY_PEER)
    event.container.ssl.client.set_credentials(certpath, keypath, None)  # client cert, client private key, key passphrase (None = unencrypted key)

    Here I understand that the path to the CA public key is the public key of the CA which is signing the cert on the broker, which is verified by the client for encryption using SSLDomain.VERIFY_PEER.

    The set_credentials(certpath) argument is the path to the client's CA-signed cert.

    Is the keypath the private key corresponding to the public key used in the CSR for the client certificate? If so, is this just used in the verify-certificate call during client authentication?

  • arih
    arih Member, Employee Posts: 125 Solace Employee

    Yep, this is for 'using the JMS API' to connect your JMS client to the broker. It's just at the API level; in other words, it's just the application program that needs to know where/how to use the keystore.
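arih's point above, that the private key only ever signs something on the client side while the broker needs nothing but the CA certificate, can be checked in a small model. The following is an added illustration, not Solace or Qpid Proton code: a textbook RSA built from constructed small primes stands in for the real keys, the "certificate" is a plain dict, and the handshake transcript is a constructed byte string. It models the client's CertificateVerify step and the two checks a broker performs, and it also answers question (c) from the original post by showing that a certificate signed with the client key is rejected, and that a captured signature does not carry over to a fresh handshake.

```python
"""Toy model of TLS client-certificate authentication (added example).

Not production crypto: textbook RSA with small constructed primes, no padding.
It shows where the private key is used (client side only), what the broker
needs (the CA public key), and why the client key cannot issue certificates.
"""
import hashlib
from math import gcd

E = 65537  # public exponent commonly used in real RSA deployments


def _is_prime(n: int) -> bool:
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True


def _next_prime(n: int) -> int:
    while not _is_prime(n):
        n += 1
    return n


def gen_keypair(start: int):
    """Deterministic toy RSA key pair from constructed primes near `start`."""
    p = _next_prime(start)
    q = _next_prime(p + 1)
    while gcd(E, (p - 1) * (q - 1)) != 1:  # keep E invertible mod phi
        q = _next_prime(q + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)
    return (n, E), (n, d)  # (public key, private key)


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


def _tbs(subject: str, issuer: str, pub) -> bytes:
    """The 'to be signed' part of a toy certificate."""
    return f"{subject}|{issuer}|{pub[0]}|{pub[1]}".encode()


def issue_cert(issuer: str, issuer_priv, subject: str, subject_pub) -> dict:
    cert = {"subject": subject, "issuer": issuer, "pub": subject_pub}
    cert["sig"] = sign(issuer_priv, _tbs(subject, issuer, subject_pub))
    return cert


def cert_is_valid(cert: dict, ca_name: str, ca_pub) -> bool:
    """Broker-side chain check: what set_trusted_ca_db() makes possible."""
    tbs = _tbs(cert["subject"], cert["issuer"], cert["pub"])
    return cert["issuer"] == ca_name and verify(ca_pub, tbs, cert["sig"])


def client_certificate_verify(client_priv, transcript: bytes) -> int:
    """Client side: the only place the private key is used (CertificateVerify)."""
    return sign(client_priv, transcript)


def broker_authenticate(ca_name, ca_pub, cert, transcript, proof) -> bool:
    """Broker side: needs only the CA public key plus what the client sent."""
    if not cert_is_valid(cert, ca_name, ca_pub):
        return False
    return verify(cert["pub"], transcript, proof)


def demo() -> dict:
    ca_pub, ca_priv = gen_keypair(10**6)
    client_pub, client_priv = gen_keypair(10**6 + 500)
    client_cert = issue_cert("TrustedCA", ca_priv, "client-app", client_pub)
    transcript = b"constructed handshake transcript: ClientHello|ServerHello|Certificate"

    proof = client_certificate_verify(client_priv, transcript)
    honest = broker_authenticate("TrustedCA", ca_pub, client_cert, transcript, proof)

    # Question (c): a certificate minted with the *client* key, claiming the CA
    # as issuer, fails the chain check because the broker verifies with ca_pub.
    other_pub, other_priv = gen_keypair(10**6 + 2000)
    minted = issue_cert("TrustedCA", client_priv, "other-app", other_pub)
    minted_ok = broker_authenticate("TrustedCA", ca_pub, minted, transcript,
                                    sign(other_priv, transcript))

    # A signature over one handshake is useless for a fresh one (new transcript).
    replayed_ok = broker_authenticate("TrustedCA", ca_pub, client_cert,
                                      transcript + b"|session-2", proof)
    return {"honest_client_accepted": honest,
            "cert_minted_with_client_key_accepted": minted_ok,
            "replayed_proof_accepted": replayed_ok}


if __name__ == "__main__":
    print(demo())
```

The broker function's inputs are the CA public key, the certificate, the transcript and the signature; the client private key never appears on that side, which is the answer to (a) and (b). The chain check uses the CA's key, so a private key issued to a client cannot sign anything the broker would accept as a certificate, which is the answer to (c).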