I see that we provide a path to a .key file, which is the private key for client authentication using client certificates. I really want to understand why this is done.
a) Where is the private key being used?
b) Is it a secure practice to pass private keys, especially if the server is sitting in vendor infrastructure that is vendor-owned?
c) If the vendor gets hold of the private key, can this key be used as a signing key for any certificates the vendor wants to spin up?
d) How is this superior to basic auth?
I think this may be used to sign some verification messages that show that the client cert is owned by the right person. I think this may be the use case, but I just want to clarify whether the private key is actually passed to the broker or not.
Hi @v1n48
Could you show us where you’re reading about this? Maybe it needs a better/clearer explanation on this topic.
To my knowledge, private keys are just used for the client to sign something, and are not actually passed to the broker. On the broker side we then just need the CA cert so the broker trusts / is able to authenticate your client certs.
Here is the documentation on using client cert for authentication
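To make the reply above concrete, here is an added example (not from this thread, and not Proton or broker code) written against Go's standard library instead of a real TLS handshake: the client's private key only signs a challenge, the broker holds nothing but the CA cert and checks chain plus signature, and a certificate minted with the client's own key is rejected because a CA-issued leaf is not a CA, which also answers question c. The challenge is a constructed stand-in for the TLS handshake transcript, and all function and subject names are assumptions.

```go
package main

import ("crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/sha256"; "crypto/x509"; "crypto/x509/pkix"; "math/big"; "time")

func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
func digest(b []byte) []byte   { d := sha256.Sum256(b); return d[:] }

// mint issues a cert for pub under parent: a CA is self-signed with keyCertSign, a client leaf is never a CA.
func mint(cn string, serial int64, ca bool, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
		parent = t
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, signerKey)
	return x509.ParseCertificate(der) // yields an error if CreateCertificate refused (empty der)
}

// clientProof is the .key file's whole job: sign the broker's challenge (in real TLS, the handshake transcript); the key never leaves the client.
func clientProof(key *ecdsa.PrivateKey, challenge []byte) []byte {
	sig, _ := ecdsa.SignASN1(rand.Reader, key, digest(challenge))
	return sig
}

// brokerAccepts holds only the CA cert: it chains the presented certs (leaf first) to it and checks the proof with the leaf's public key, needing no private key.
func brokerAccepts(ca *x509.Certificate, chain []*x509.Certificate, challenge, proof []byte) bool {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	opts.Roots.AddCert(ca)
	for _, c := range chain[1:] {
		opts.Intermediates.AddCert(c)
	}
	_, err := chain[0].Verify(opts)
	return err == nil && ecdsa.VerifyASN1(chain[0].PublicKey.(*ecdsa.PublicKey), digest(challenge), proof)
}

// Scenario: the genuine client is accepted; a cert minted with the client's own key (question c) is
// rejected because the CA-issued leaf is not a CA, so the broker never builds a chain to its CA.
func Scenario() (genuine, minted bool) {
	caKey, clientKey, rogueKey := newKey(), newKey(), newKey()
	ca, _ := mint("Vendor CA", 1, true, nil, &caKey.PublicKey, caKey)
	client, _ := mint("alice", 2, false, ca, &clientKey.PublicKey, caKey)
	challenge := []byte("constructed-broker-nonce") // constructed stand-in for the TLS transcript
	if rogue, err := mint("mallory", 3, false, client, &rogueKey.PublicKey, clientKey); err == nil { // Go may refuse outright
		minted = brokerAccepts(ca, []*x509.Certificate{rogue, client}, challenge, clientProof(rogueKey, challenge))
	}
	return brokerAccepts(ca, []*x509.Certificate{client}, challenge, clientProof(clientKey, challenge)), minted
}
```

Scenario() returns (true, false): the CA-issued client passes, the certificate minted with the client's key does not.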
Here is a sample implementation:
```python
from proton import SSLDomain

# Called from a Proton handler (e.g. on_start(self, event)); the three paths are placeholders.
event.container.ssl.client.set_trusted_ca_db(ca_db_path)  # path to CA public key (cert) used to verify the broker
event.container.ssl.client.set_peer_authentication(SSLDomain.VERIFY_PEER)
event.container.ssl.client.set_credentials(certpath, keypath, None)  # client cert, its private key, key password (None if unencrypted)
```
Here I understand that "path to CA public key" is the public key of the CA which is signing the cert on the broker, which is verified by the client for encryption using SSLDomain.VERIFY_PEER.
The set_credentials(certpath) is the path to the client's CA-signed cert.
Is the keypath the private key corresponding to the public key used in the CSR for the client certificate? If so, is this just used in the verify-certificate call during client authentication?
Yep, this is for 'using the JMS API' to connect your JMS client to the broker. It's just on the API level; in other words, it's just the application program that needs to know where/how to use the keystore.