1. Transport Certificates
Cert Name | Description | Issuer | Private Key held by | CSR generated by | Certificate generated by | Action required by LFI | Notes |
---|---|---|---|---|---|---|---|
C1 | Identifies the TPP to the API Hub | OFTF | TPP | TPP | TPP | None | |
S2 | Identifies non-mTLS API Hub endpoints to the TPP | Let's Encrypt | API Hub | NA | API Hub | None | |
S1 | Identifies mTLS API Hub endpoints to the TPP | OFTF | API Hub | API Hub | LFI | Yes | API Hub will provide a CSR with the SAN defined. |
C4 | Identifies the API Hub to the LFI's API Hub Connect endpoint | OFTF | API Hub | API Hub | API Hub | None | |
S3 | Identifies | OFTF | API Hub | API Hub | LFI | Yes | API Hub will provide a CSR; the LFI must sign the CSR on the OFTF under the Organisation Certificates section. |
S4 | Identifies the LFI's API Hub Connect endpoint to the API Hub | OFTF | LFI | LFI | LFI | Yes | Scripts are available in the OFTF to assist with CSR generation. This certificate must include a SAN that matches the hostname of your Ozone Connect server. |
C3 | Identifies the LFI to the API Hub | OFTF | LFI | LFI | LFI | Yes | Scripts are available in the OFTF to assist with CSR generation. The LFI must create an application called C3-hh-cm-client. |
Item | Description | Issuer | Private Key held by | CSR generated by | Certificate generated by | Action required by LFI | JWKS |
---|---|---|---|---|---|---|---|
Sig1 | Used by the TPP to sign requests sent to the API Hub (e.g. the private_key_jwt client assertion, the PAR request object). The API Hub uses the public key in the TPP's JWKS on the OFTF to verify the signature. | OFTF | TPP | TPP | TPP | None | TPP's JWKS (identified by its JWKS URL and KID), hosted in the OFTF |
Sig2 | Used by the API Hub to sign responses sent to the TPP, including signed messages from the resource server and the signature on the id_token. The TPP uses the public key in the JWKS to verify the signature. | OFTF | API Hub | API Hub | LFI | Yes | LFI's JWKS (identified by its JWKS URL and KID), hosted in the OFTF |
Sig3 | Used by the API Hub to sign requests sent to the LFI. The LFI uses the public key in the JWKS to verify the signature. | OFTF | API Hub | API Hub | API Hub | None | API Hub's JWKS, hosted in the OFTF. Only required if one of these conditions is true: |
Sig4 | Used by the LFI to sign requests sent to the API Hub. The API Hub uses the public key in the JWKS to verify the signature. | OFTF | LFI | API Hub (to assist LFI) | LFI | Yes | LFI's JWKS, hosted in the OFTF. Only required if the LFI requires JWT auth for application-layer authentication to CM and HH. The LFI must create an application called C3-hh-cm-client. |
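The Sig1 to Sig4 rows all come down to the same mechanism: the holder of the private key signs a compact JWS whose header names the kid, and the other side looks that kid up in the JWKS on the OFTF and verifies with the public key. The script below is an added illustration of that exchange and is not Ozone or OFTF code. It assumes PS256, an illustrative kid, a throwaway RSA key generated locally rather than one certified through the OFTF, constructed private_key_jwt-style claims, and OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not Ozone or OFTF code: produce and check a compact JWS with an
# asymmetric signing key, as a TPP does for Sig1 (private_key_jwt, PAR request
# object) and the API Hub or LFI do for Sig2 to Sig4. Assumptions, since the page
# does not state them: algorithm PS256, an illustrative kid, and a key generated
# here rather than one certified through the OFTF.
set -eu

b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

b64url_dec() {
  s=$(tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | openssl base64 -d -A
}

# jws_sign KEY.pem KID PAYLOAD_JSON -> compact JWS on stdout
jws_sign() {
  header=$(printf '{"alg":"PS256","typ":"JWT","kid":"%s"}' "$2" | b64url)
  body=$(printf '%s' "$3" | b64url)
  # RSASSA-PSS with SHA-256 and a salt the length of the digest (= PS256)
  sig=$(printf '%s.%s' "$header" "$body" \
        | openssl dgst -sha256 -sign "$1" \
            -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:digest \
        | b64url)
  printf '%s.%s.%s\n' "$header" "$body" "$sig"
}

# jws_kid JWS -> the kid named in the header (what the verifier looks up in the JWKS)
jws_kid() {
  printf '%s' "${1%%.*}" | b64url_dec | sed 's/.*"kid":"\([^"]*\)".*/\1/'
}

# jws_payload JWS -> decoded payload
jws_payload() { rest=${1#*.}; printf '%s' "${rest%%.*}" | b64url_dec; }

# jws_verify PUB.pem JWS -> exit status 0 only if the signature verifies
jws_verify() {
  pub=$1; jws=$2
  header=${jws%%.*}; rest=${jws#*.}; body=${rest%%.*}; sig=${rest#*.}
  sigfile=$(mktemp)
  printf '%s' "$sig" | b64url_dec > "$sigfile"
  if printf '%s.%s' "$header" "$body" \
       | openssl dgst -sha256 -verify "$pub" -signature "$sigfile" \
           -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:digest \
           >/dev/null 2>&1; then ok=0; else ok=1; fi
  rm -f "$sigfile"
  return $ok
}

# Demo: a constructed private_key_jwt-style assertion signed by a throwaway key.
work=$(mktemp -d)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/sig.key" 2>/dev/null
openssl pkey -in "$work/sig.key" -pubout -out "$work/sig.pub"   # what the JWKS entry publishes
claims='{"iss":"tpp-client-id","sub":"tpp-client-id","aud":"https://api-hub.example/token","jti":"c0ffee"}'
token=$(jws_sign "$work/sig.key" "example-kid-1" "$claims")
echo "kid to look up in the JWKS: $(jws_kid "$token")"
jws_verify "$work/sig.pub" "$token" && echo "signature valid"
# Same header and signature over a changed payload must fail verification.
forged="${token%%.*}.$(printf '%s' '{"iss":"attacker","aud":"https://api-hub.example/token"}' | b64url).${token##*.}"
jws_verify "$work/sig.pub" "$forged" || echo "forged payload rejected"
```

The verifying side never trusts the alg or key material carried in the token itself: it takes the kid from the header, fetches the matching public key from the JWKS hosted in the OFTF, and rejects anything that does not verify under that key, which is why a key signed with a different private key, or a payload altered after signing, fails the check above.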
2. Encryption Keys & Certs
Item | Description | Issuer | Private Key held by | CSR generated by | Certificate generated by | Action required by LFI | JWKS |
---|---|---|---|---|---|---|---|
Enc1 | Used by the TPP to encrypt PII sent to the API Hub so that only the LFI can read it. The PII payloads are encrypted with the LFI's public key from the JWKS and decrypted by the LFI with its private key. | OFTF | LFI | LFI | LFI | Yes | LFI's JWKS (identified by its JWKS URL and KID), hosted in the OFTF; the JWKS entry is created automatically when the certificate is signed. The LFI must sign the CSR on the OFTF under the Organisation Certificates section. |
3. Creating certificates
Further information, including CSRs, will be shared via the API Hub service desk. For more detailed information please see the example form, Pre-Production Environment Specific Configuration.
Environment Considerations
OFTF Sandbox is used to issue certificates in the pre-production environment.
OFTF Production is used to issue certificates in the production environment.
Certificate Generation for S1, S3 & Sig2 (Private Key Held by API Hub)
These certificates should be created under Organisation Certificates
API Hub generates private keys for the certificates.
API Hub generates Certificate Signing Requests (CSRs) and provides them to the LFI.
S1 & S3 must contain the appropriate Subject Alternative Names (SANs) used for domain validation.
LFI uses the appropriate OFTF directory (Sandbox or Prod) to generate the certificates under the Organisation Certificates section.
LFI provides the JWKS URL and KID. The JWKS and KID are managed by the OFTF and are created automatically when the certificates are signed.
Certificate Generation for C3 & Sig4 (Private Key Held by LFI)
These certificates are used by the LFI for communication to the API Hub.
LFI uses the appropriate OFTF directory (Sandbox or Prod) and creates an Application called C3-hh-cm-client.
LFI generates the private key & CSR in the C3-hh-cm-client application under App Certificates using the script provided on the OFTF.
LFI signs the CSRs in the C3-hh-cm-client application under App Certificates.
LFI provides the JWKS URL and KID on the Confluence form.
Certificate Generation for S4 & Enc1 (Private Key Held by LFI)
These certificates should be created under Organisation Certificates
LFI uses the appropriate OFTF directory (Sandbox or Prod) and generates the private key & CSR using the script provided on the OFTF.
S4 must contain the appropriate Subject Alternative Names (SANs) used for domain validation.
LFI uses the appropriate OFTF directory (Sandbox or Prod) to generate the certificates under the Organisation Certificates section.
LFI provides the JWKS URL and KID. The JWKS and KID are managed by the OFTF and are created automatically when the certificates are signed.
*The OFTF Sandbox is used for signing certificates for the pre-production environment and the OFTF Production is used for signing certificates for the Production environment.
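The LFI-held transport certificates (S4 and C3) share one requirement that is easy to get wrong: the private key must be generated and kept by the LFI, and the CSR must carry a SAN matching the hostname the certificate will serve. The script below is an added illustration of what the CSR-generation step has to produce, written for this page; it is not the script provided on the OFTF. It assumes OpenSSL 1.1.1 or later (for `-addext`), RSA 2048, and placeholder values for the organisation name and the Ozone Connect hostname.

```shell
#!/bin/sh
# Added example, not the OFTF script: generate a private key and CSR for the
# S4 transport certificate, with a SAN matching the Ozone Connect hostname, and
# check the result before uploading the CSR to the OFTF.
# Assumptions: OpenSSL >= 1.1.1 (-addext); the hostname and O= are placeholders.
set -eu

# make_csr HOSTNAME OUTDIR
# Writes OUTDIR/s4.key (private key, which stays with the LFI) and OUTDIR/s4.csr.
make_csr() {
  host=$1; out=$2
  mkdir -p "$out"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$out/s4.key" 2>/dev/null
  chmod 600 "$out/s4.key"
  # The CN alone is not enough: hostname validation uses the SAN, so the
  # hostname must appear there as well.
  openssl req -new -key "$out/s4.key" -out "$out/s4.csr" \
    -subj "/O=Example LFI/CN=$host" \
    -addext "subjectAltName=DNS:$host"
}

# csr_has_san CSR HOSTNAME -> exit 0 if the CSR requests DNS:HOSTNAME in its SAN extension
csr_has_san() {
  openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# csr_matches_key CSR KEY -> exit 0 if the CSR's public key belongs to KEY
# (guards against uploading a CSR for a key other than the one the server will use)
csr_matches_key() {
  a=$(openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  b=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$a" = "$b" ]
}

# Demo with a placeholder hostname.
dir=$(mktemp -d)
host="ozone-connect.example-lfi.com"
make_csr "$host" "$dir"
csr_has_san "$dir/s4.csr" "$host" && echo "SAN present: DNS:$host"
csr_matches_key "$dir/s4.csr" "$dir/s4.key" && echo "CSR public key matches $dir/s4.key"
echo "Upload $dir/s4.csr to the OFTF (Organisation Certificates); keep $dir/s4.key private."
```

The same two checks apply to the certificate the OFTF returns: read it with `openssl x509 -in cert.pem -noout -text` and confirm the SAN still names the Ozone Connect hostname, and compare its public key (`openssl x509 -in cert.pem -noout -pubkey`) against the private key exactly as `csr_matches_key` does for the CSR.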