Cert Name | Description | Issuer | Private Key held by | CSR generated by | Certificate generated by | Action required by LFI | Notes
---|---|---|---|---|---|---|---
C1 | Identifies the TPP to the API Hub | OFTF | TPP | TPP | TPP | None | 
S2 | Identifies non-mTLS API Hub endpoints to the TPP | Let's Encrypt | API Hub | NA | API Hub | None | 
S1 | Identifies mTLS API Hub endpoints to the TPP | OFTF | API Hub | API Hub | LFI | Yes | API Hub will provide a CSR with the SAN defined.
C4 | Identifies the API Hub to the LFI’s API Hub Connect endpoint | OFTF | API Hub | API Hub | API Hub | None | 
S3 | Identifies | OFTF | API Hub | API Hub | LFI | Yes | API Hub will provide a CSR. LFI must sign the CSR on the OFTF under the Organisation Certificates section.
S4 | Identifies the LFI’s API Hub Connect endpoint to the API Hub | OFTF | LFI | LFI | LFI | Yes | Scripts are available in the OFTF to assist with CSR generation. Note that a SAN must be included in this certificate to match the hostname of your Ozone Connect server.
C3 | Identifies LFI to the | OFTF | LFI | LFI | LFI | Yes | Scripts are available in the OFTF to assist with CSR generation. LFI must create an application called
Item | Description | Issuer | Private Key held by | CSR generated by | Certificate generated by | Action required by LFI | JWKS
---|---|---|---|---|---|---|---
Sig1 | Used by the TPP to sign requests sent to the API Hub (e.g. the private-key-jwt, the PAR request object, etc.). The API Hub will use the public key in the OFTF JWKS to verify the signature. | OFTF | TPP | TPP | TPP | None | TPP’s JWKS identified by the Hosted in OFTF
Sig2 | Used by the API Hub to sign responses sent to the TPP. This includes signed messages from the resource server and the signature on the id_token. The TPP will use the public key in the JWKS to verify the signature. | OFTF | API Hub | API Hub | LFI | Yes | LFI’s JWKS identified by the Hosted in OFTF
Sig3 | Used by the API Hub to sign requests sent to the LFI. API Hub will use the public key in the JWKS to verify the signature. | OFTF | API Hub | API Hub | API Hub | None | API Hub’s JWKS hosted in OFTF. Only required if one of these conditions is true:
Sig4 | Used by the LFI to sign requests sent to the API Hub. LFI will use the public key in the JWKS to verify the signature. | OFTF | LFI | API Hub (to assist LFI) | LFI | Yes | LFI’s JWKS hosted in OFTF. Only required if the LFI requires JWT Auth for Application Layer Authentication to CM and HH. LFI must create an application called
Item | Description | Issuer | Private Key held by | CSR generated by | Certificate generated by | Action required by LFI | JWKS
---|---|---|---|---|---|---|---
Enc1 | Used by the TPP to encrypt PII sent to the API Hub that can only be read by the LFI. The PII payloads are encrypted using the LFI’s public key in the JWKS; the LFI decrypts them using its private key. | OFTF | LFI | LFI | LFI | Yes | LFI’s JWKS identified by the Hosted in LFI’s JWKS on OFTF, which is created automatically when certificates are signed. LFI must sign the CSR on the OFTF under the Organisation Certificates section.
Further information will be shared via the API Hub service desk, including CSRs. For more detailed information please see the example form Pre-Production Environment Specific Configuration.
OFTF Sandbox is used to issue certificates in the pre-production environment.
OFTF Production is used to issue certificates in the production environment.
S1 and S3 (Organisation Certificates):

- These certificates should be created under Organisation Certificates.
- API Hub generates the private keys for the certificates.
- API Hub generates the Certificate Signing Requests (CSRs) and provides them to the LFI.
- S1 and S3 must contain the appropriate Subject Alternative Names (SANs) used for domain validation.
- LFI uses the appropriate OFTF directory (Sandbox or Prod) to generate the certificates under the Organisation Certificates section.
- LFI provides the JWKS URL and KID. The JWKS and KID are managed by the OFTF and are created automatically when the certificates are signed.
C3 (App Certificates):

- These certificates are used by the LFI for communication to the API Hub.
- LFI uses the appropriate OFTF directory (Sandbox or Prod) and creates an Application called C3-hh-cm-client.
- LFI generates the private key and CSR in the C3-hh-cm-client application under App Certificates, using the script provided on the OFTF.
- LFI signs the CSRs in the C3-hh-cm-client application under App Certificates.
- LFI provides the JWKS URL and KID on the Confluence form.
S4 (Organisation Certificates):

- These certificates should be created under Organisation Certificates.
- LFI uses the appropriate OFTF directory (Sandbox or Prod) and generates the private key and CSR using the script provided on the OFTF.
- S4 must contain the appropriate Subject Alternative Names (SANs) used for domain validation.
- LFI uses the appropriate OFTF directory (Sandbox or Prod) to generate the certificates under the Organisation Certificates section.
- LFI provides the JWKS URL and KID. The JWKS and KID are managed by the OFTF and are created automatically when the certificates are signed.
*The OFTF Sandbox is used for signing certificates for the pre-production environment and the OFTF Production is used for signing certificates for the Production environment.
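The LFI-generated certificates (S4 and C3) both follow the same pattern: the LFI keeps the private key, produces a CSR, and for S4 the CSR must carry a SAN that matches the hostname of the Ozone Connect server. The POSIX shell functions below are an added example and are not the CSR script provided on the OFTF; they generate the key and CSR with `openssl`, and then check the CSR locally before it is uploaded for signing so that a missing or wrong SAN is caught before the certificate is issued. The hostname `connect.example-lfi.test`, the organisation name and the file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not the CSR script provided on the OFTF.
# Generates a private key that stays with the LFI and a CSR whose SAN
# carries the hostname of the Ozone Connect server, then checks the CSR
# before it is submitted for signing. Hostname and subject are constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# gen_csr NAME HOSTNAME [ORG]
# Writes $WORKDIR/NAME.key (private key, never leaves the LFI) and
# $WORKDIR/NAME.csr with CN and subjectAltName both set to HOSTNAME.
gen_csr() {
  name="$1"; host="$2"; org="${3:-Example LFI}"
  cat > "$WORKDIR/$name.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $host
O = $org
[ext]
subjectAltName = DNS:$host
EOF
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORKDIR/$name.key" 2>/dev/null
  chmod 600 "$WORKDIR/$name.key"
  openssl req -new -key "$WORKDIR/$name.key" -config "$WORKDIR/$name.cnf" \
    -out "$WORKDIR/$name.csr"
}

# csr_san_list CSR: prints one SAN entry per line (e.g. "DNS:host").
csr_san_list() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'X509v3 Subject Alternative Name' \
    | tail -n 1 | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# csr_has_san CSR HOSTNAME: succeeds only if the SAN lists exactly HOSTNAME,
# which is what the S4 certificate must match for the Ozone Connect server.
csr_has_san() {
  csr_san_list "$1" | grep -qxF "DNS:$2"
}

# csr_valid CSR: the CSR's self-signature verifies, i.e. it was produced
# with the private key kept alongside it and has not been altered in transit.
csr_valid() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Usage with the constructed hostname:
gen_csr s4 connect.example-lfi.test
csr_valid "$WORKDIR/s4.csr" && csr_has_san "$WORKDIR/s4.csr" connect.example-lfi.test \
  && echo "CSR $WORKDIR/s4.csr ready for signing under Organisation Certificates"
```

Only the `.csr` file is uploaded to the OFTF; the `.key` file is what the table lists as the private key held by the LFI, so it is created with owner-only permissions and is never sent. Running `csr_has_san` against the hostname the API Hub will actually connect to is the cheap check that avoids a re-issue when the SAN does not match.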