Keys, Certificates & CSRs
1. Transport Certificates
Cert Name | Description | Issuer | Private Key held by | CSR generated by | Certificate generated by | Action required by LFI | Notes
---|---|---|---|---|---|---|---
C1 | Identifies the TPP to OFP | OFTF | TPP | TPP | TPP | None | 
S2 | Identifies non-mTLS OFP endpoints to TPP | Let's Encrypt | Ozone | NA | Ozone | None | 
S1 | Identifies mTLS OFP endpoints to TPP | OFTF | Ozone | Ozone | LFI | Yes | Ozone will provide a CSR and the LFI should use the OFTF to produce the certificate
C4 | Identifies OFP to LFI’s Ozone Connect endpoint | OFTF | Ozone | Ozone | LFI | Yes | 
S3 | Identifies | OFTF | Ozone | Ozone | LFI | Yes | 
S4 | Identifies LFI’s Ozone Connect endpoint to Ozone | OFTF | LFI | LFI | LFI | Yes | Scripts are available in the OFTF to assist with CSR generation if requested
C3 | Identifies LFI to the | OFTF | LFI | LFI | LFI | Yes | The subject of the C3 certificate should be provided to Ozone. Ozone will limit access to certificates issued by OFTF AND having that specific subject

Item | Description | Issuer | Private Key held by | CSR generated by | Certificate generated by | Action required by LFI | JWKS
---|---|---|---|---|---|---|---
Sig1 | Used by the TPP to sign requests sent to the OFP (e.g. the private-key-jwt, the PAR request object, etc.). OFP will use the public key in the OFTF JWKS to verify the signature | OFTF | TPP | TPP | TPP | None | TPP’s JWKS identified by the Hosted in OFTF
Sig2 | Used by the OFP to sign responses sent to the TPP. This includes signed messages from the resource server and the signature on the id_token. The TPP will use the public key in the JWKS to verify the signature | OFTF | Ozone | Ozone | LFI | Yes | LFI’s JWKS identified by the Hosted in OFTF
Sig3 | Used by the OFP to sign requests sent to the LFI. OFP will use the public key in the JWKS to verify the signature | OFTF | Ozone | Ozone | LFI | Yes | LFI’s JWKS hosted in OFTF. Only required if one of these conditions is true:
Sig4 | Used by the LFI to sign requests sent to OFP. LFI will use the public key in the JWKS to verify the signature | OFTF | LFI | Ozone (to assist LFI) | LFI | Yes | LFI’s JWKS hosted in OFTF. Only required if the LFI requires JWT Auth for Application Layer Authentication to CM and HH
2. Encryption Keys & Certs
Item | Description | Issuer | Private Key held by | CSR generated by | Certificate generated by | Action required by LFI | JWKS
---|---|---|---|---|---|---|---
Enc1 | Used by the TPP to encrypt PII sent to the OFP that can only be read by the LFI. The PII payloads are encrypted using the LFI’s public key in the JWKS; the LFI decrypts them using their private key | OFTF | LFI | LFI | LFI | Yes | LFI’s JWKS identified by the Hosted in LFI’s JWKS on OFTF. Ozone can provide scripts to generate the CSR if requested by the LFI
3. Creating certificates
Further information, including CSRs, will be shared via the API Hub service desk. For more detail, see the example form: Pre-Production Environment Specific Configuration.
The following steps are repeated for S1, S3, C4, Sig2 and Sig3, where the private key is held by the API Hub:
- Ozone to generate private keys for the certificates
- Ozone to generate CSRs and hand them over to the LFI
- LFI to generate certificates on the OFTF Sandbox directory
- LFI to provide the JWKS URL and KID
The following steps are repeated for C3, S4 and Sig3, where the private key is held by the LFI:
- LFI to generate the private key for the certificate
- LFI to generate the CSR
- LFI to generate the certificate from the OFTF Sandbox directory
- LFI to provide the JWKS URL and KID
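As an added example (not the page's own text nor an Ozone or OFTF script), a POSIX shell script that carries out the LFI-held steps above for a C3-style certificate: generate the private key and CSR, check that the CSR really belongs to the key before handing it over, print the subject that Ozone will pin, and derive a KID for the JWKS entry. The subject values, file names, RSA-2048 and the KID convention (base64url of the SHA-256 of the DER public key) are assumptions, not OFTF requirements.

```shell
#!/usr/bin/env sh
# Added example, not part of the Ozone page or the OFTF tooling. It walks the
# LFI-held steps of section 3 (private key -> CSR -> subject/KID for Ozone) for a
# certificate such as C3 or S4. Subject values, file names, the key algorithm and
# the KID derivation are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Steps 1 and 2: the private key never leaves the LFI; only the CSR is uploaded
# to the OFTF Sandbox directory, which issues the certificate (step 3, not shown).
make_key_and_csr() {
  name="$1"      # logical certificate name from the tables, e.g. C3 or S4
  subject="$2"   # placeholder DN in openssl /C=../O=../CN=.. form
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORKDIR/$name.key" 2>/dev/null
  chmod 600 "$WORKDIR/$name.key"
  openssl req -new -key "$WORKDIR/$name.key" -subj "$subject" \
    -out "$WORKDIR/$name.csr"
}

# Returns 0 only if the CSR's self-signature verifies and its public key is the
# one in our private key file: worth checking before the CSR is handed over.
csr_matches_key() {
  openssl req -in "$WORKDIR/$1.csr" -noout -verify >/dev/null 2>&1 || return 1
  csr_pub=$(openssl req -in "$WORKDIR/$1.csr" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORKDIR/$1.key" -pubout)
  [ "$csr_pub" = "$key_pub" ]
}

# The subject Ozone pins for C3 (issued by OFTF AND this exact subject), printed
# in RFC 2253 form so it compares identically across OpenSSL versions.
csr_subject() {
  openssl req -in "$WORKDIR/$1.csr" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject=//'
}

# Step 4: a KID for the JWKS entry. Assumed convention: base64url(SHA-256(DER SPKI)).
kid_for() {
  openssl pkey -in "$WORKDIR/$1.key" -pubout -outform DER \
    | openssl dgst -sha256 -binary | base64 | tr -d '\n=' | tr '+/' '-_'
}

# Stand-alone run: create C3 material and show what goes to Ozone.
if [ "${1:-}" = "demo" ]; then
  make_key_and_csr C3 "/C=AE/O=PlaceholderBank/CN=placeholder-lfi"
  csr_matches_key C3 && echo "CSR ok: $(csr_subject C3) kid=$(kid_for C3)"
fi
```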
© Ozone Financial Technology Limited 2024-2025