1. Transport Certificates
Cert Name | Description | Issuer | Private Key held by | CSR generated by | Certificate Generated by | Actions required by LFI | |
|---|---|---|---|---|---|---|---|
C1 | Identifies the TPP to API Hub | OFTF | TPP | TPP | TPP | None | |
S2 | Identifies non mtls API Hub endpoints to TPP | Lets Encrypt | API Hub | NA | API Hub | None | |
S1 | Identifies mtls API Hub endpoints to TPP | OFTF | API Hub | API Hub | LFI | Yes | API Hub will provide a CSR and the LFI should use the OFTF to produce the certificate |
C4 | Identifies API Hub to LFI’s API Hub Connect endpoint | OFTF | API Hub | API Hub | API Hub | None | |
S3 | Identifies | OFTF | API Hub | API Hub | LFI | Yes | API Hub will provide a CSR and the LFI should use the OFTF to produce the certificate |
S4 | Identifies LFI’s API Hub Connect endpoint to API Hub | OFTF | LFI | LFI | LFI | Yes | Scripts are available in the OFTF to assist with CSR generation if requested The subject of the C3 certificate should be provided to API Hub. API Hub will limit access to certificates issued by OFTF AND having that specific subject |
C3 | Identifies LFI to the | OFTF | LFI | LFI | LFI | Yes |
Item | Description | Issuer | Private Key Held By | CSR Generated by | Certificate Generated by | Action required by LFI | JWKS |
|---|---|---|---|---|---|---|---|
Sig1 | Used by the TPP to sign requests sent to the API Hub (e.g. for signing the private-key-jwt, par request object etc) API Hub will use the public key in the OFTF JWKS to verify the signature | OFTF | TPP | TPP | TPP | None | TPP’s JWKS identified by the Hosted in OFTF |
Sig2 | Used by the API Hub to sign responses sent to the TPP This includes signed messages from the resource server and the signature on the id_token. The TPP will use the public key in the JWKS to verify the signature | OFTF | API Hub | API Hub | LFI | Yes | LFI’s JWKS identified by the Hosted in OFTF |
Sig3 | Used by the API Hub to sign requests sent to the the LFI API Hub will use the public key in the JWKS to verify the signature | OFTF | API Hub | API Hub | API Hub | None | API Hub’s JWKS hosted in OFTF Only required if one of these conditions is true:
|
Sig4 | Used by the LFI to sign requests sent to API Hub LFI will use the public key in the JWKS to verify the signature | OFTF | LFI | API Hub (to assist LFI) | LFI | Yes | LFI’s JWKS hosted in OFTF Only required if the LFI requires JWT Auth for Application Layer Authentication to CM and HH |
2. Encryption Keys & Certs
Item | Description | Issuer | Private Key Held By | CSR Generated by | Certificate Generated by | Action required by LFI | JWKS |
|---|---|---|---|---|---|---|---|
Enc1 | Used by the TPP to encrypt PII sent to the API Hub that can only be read by the LFI The PII payloads are encrypted using the LFI’s public key in the JWKS The LFI decrypts them using their private key | OFTF | LFI | LFI | LFI | Yes | LFI’s JWKS identified by the Hosted in LFI’s JWKS on OFTF API Hub can provide scripts to generate the CSR if requested by the LFI |
3. Creating certificates
Further information will be shared via the API Hub service desk, including CSRs. For more detailed information please see the example form Pre-Production Environment Specific Configuration
These steps are repeated for S1 S3 Sig2 - where the private keys is held by the API Hub
API Hubto generate private keys for the certificatesAPI Hubto generate CSRs and hand over toLFILFIto generate certificates on the OFTF directory*LFIto provide JWKS URL and KID
These steps are repeated for C3 S4 - where the private key is held by the LFI
LFIto generate private key for the certificateLFIto generate CSRLFIto generate the certificate from the OFTF directory*LFIto provide JWKS URL and KID
These steps are repeated for Sig3 and C4-where the private keys is held by the API Hub
API Hubto generate private keys for the certificatesAPI Hubto generate CSRsAPI Hubto generate certificates on OFTF directory*API Hubto provide JWKS URL and KID to the LFI
Environment Considerations
OFTF Sandbox is used to issue certificates in the pre-production environment.
OFTF Production is used to issue certificates in the production environment.
Certificate Generation for S1 & Sig2 (Private Key Held by API Hub)
These certificates are used for communications between TPPs and the API Hub and should be created at the Organisation level.
API Hub generates private keys for the certificates.
API Hub generates Certificate Signing Requests (CSRs) and provides them to the LFI.
S1 will contain the appropriate Subject Alternative Names (SANs) used for domain validation.
LFI uses the appropriate OFTF directory (Sandbox or Prod) to generate the certificates under the Organisation Certificates section.
LFI provides the JWKS URL and KID. The JWKS and KID is managed by the OFTF and will be automatically created when the certificates are signed.
Certificate Generation for C3, S4 & Sig4 (Private Key Held by LFI)
These certificates are used by the LFI for communication to the API Hub
LFI generates the private key for the certificate.
LFI generates the CSR.
LFI generates the certificate using the OFTF directory.
LFI provides the JWKS URL and KID.
*The OFTF Sandbox is used for signing certificates for the pre-production environment and the OFTF Production is used for signing certificates for the Production environment.