Transport Certificates

Cert Name	Description	Issuer	Private Key held by	CSR generated by	Certificate Generated by	Actions required by LFI

Cert Name	Description	Issuer	Private Key held by	CSR generated by	Certificate Generated by	Actions required by LFI
C1	Identifies the TPP to OFP	OFTF	TPP	TPP	TPP	None
S2	Identifies non mtls OFP endpoints to TPP	Lets Encrypt	Ozone	NA (uses ACME protocol)	Ozone	None
S1	Identifies mtls OFP endpoints to TPP	OFTF	Ozone	Ozone	LFI	Yes	Ozone will provide a CSR and the LFI should use the OFTF to produce the certificate
C4	Identifies OFP to LFI’s Ozone Connect endpoint	OFTF	Ozone	Ozone	LFI	Yes
S3	Identifies `cm-pub` and `hh-pub` endpoints to LFI	OFTF	Ozone	Ozone	LFI	Yes
S4	Identifies LFI’s Ozone Connect endpoint to Ozone	OFTF	LFI	LFI	LFI	Yes	Ozone will provide scripts to the LFI to assist with CSR generation if requested The subject of the C3 certificate should be provided to Ozone. Ozone will limit access to certificates issued by OFTF AND having that specific subject
C3	Identifies LFI to the `cm-pub` and `hh-pub` endpoints	OFTF	LFI	LFI	LFI	Yes

Item	Description	Issuer	Private Key Held By	CSR Generated by	Certificate Generated by	Action required by LFI	JWKS

Item	Description	Issuer	Private Key Held By	CSR Generated by	Certificate Generated by	Action required by LFI	JWKS
Sig1	Used by the TPP to sign requests sent to the OFP (e.g. for signing the private-key-jwt, par request object etc) OFP will use the public key in the OFTF JWKS to verify the signature	OFTF	TPP	TPP	TPP	None	TPP’s JWKS identified by the `jwks_url` for the client. Hosted in OFTF
Sig2	Used by the OFP to sign responses sent to the TPP. This includes signed messages from the resource server and the signature on the id_token. The TPP will use the public key in the JWKS to verify the signature	OFTF	Ozone	Ozone	LFI	Yes	LFI’s JWKS identified by the `jwks_url` in the OFP’s well-known endpoint. Hosted in OFTF
Sig3	Used by the OFP to sign requests sent to the the LFI. OFP will use the public key in the JWKS to verify the signature.	OFTF	Ozone	Ozone	LFI	Yes	LFI’s JWKS hosted in OFTF Only required if one of these conditions is true: the LFI requires Jwt Auth for Application Layer Authentication to Ozone Connect the LFI uses Client Credentials Grant for Application Layer Authentication to Ozone Connect and client authentication is set to `private_key_jwt`
Sig4	Used by the LFI to sign requests sent to OFP. LFI will use the public key in the JWKS to verify the signature	OFTF	LFI	Ozone (to assist LFI)	LFI	Yes	LFI’s JWKS hosted in OFTF Only required if the LFI requires Jwt Auth for Application Layer Authentication to CM and HH

Encryption Keys & Certs

Item	Description	Issuer	Private Key Held By	CSR Generated by	Certificate Generated by	Action required by LFI	JWKS

Item

Description

Issuer

Private Key Held By

CSR Generated by

Certificate Generated by

Action required by LFI

JWKS

Enc1

Used by the TPP to encrypt PII sent to the OFP that can only be read by the LFI

The PII payloads are signed using the LFI’s public key in the JWKS

The LFI decrypts them using their private key

OFTF

LFI

Yes

LFI’s JWKS identified by the jwks_url in the OFP’s well-known endpoint.

Hosted in LFI’s JWKS on OFTF

Ozone can provide scripts to generate the CSR if requested by the LFI.