Keys, Certificates & CSRs

1. Transport Certificates

| Cert Name | Description | Issuer | Private Key held by | CSR generated by | Certificate Generated by | Actions required by LFI |
|---|---|---|---|---|---|---|
| C1 | Identifies the TPP to OFP | OFTF | TPP | TPP | TPP | None |
| S2 | Identifies non-mTLS OFP endpoints to TPP | Let's Encrypt | Ozone | NA (uses ACME protocol) | Ozone | None |
| S1 | Identifies mTLS OFP endpoints to TPP | OFTF | Ozone | Ozone | LFI | Yes. Ozone will provide a CSR and the LFI should use the OFTF to produce the certificate |
| C4 | Identifies OFP to LFI's Ozone Connect endpoint | OFTF | Ozone | Ozone | Ozone | None |
| S3 | Identifies CM and HH endpoints to LFI | OFTF | Ozone | Ozone | LFI | Yes. Ozone will provide a CSR and the LFI should use the OFTF to produce the certificate |
| S4 | Identifies LFI's Ozone Connect endpoint to Ozone | OFTF | LFI | LFI | LFI | Yes. Scripts are available in the OFTF to assist with CSR generation if requested |
| C3 | Identifies LFI to the CM and HH endpoints | OFTF | LFI | LFI | LFI | Yes. The subject of the C3 certificate should be provided to Ozone; Ozone will limit access to certificates issued by OFTF AND having that specific subject |

| Item | Description | Issuer | Private Key Held By | CSR Generated by | Certificate Generated by | Action required by LFI | JWKS |
|---|---|---|---|---|---|---|---|
| Sig1 | Used by the TPP to sign requests sent to the OFP (e.g. for signing the private-key-jwt, PAR request object etc.). OFP will use the public key in the OFTF JWKS to verify the signature | OFTF | TPP | TPP | TPP | None | TPP's JWKS identified by the jwks_url for the client. Hosted in OFTF |
| Sig2 | Used by the OFP to sign responses sent to the TPP. This includes signed messages from the resource server and the signature on the id_token. The TPP will use the public key in the JWKS to verify the signature | OFTF | Ozone | Ozone | LFI | Yes | LFI's JWKS identified by the jwks_url in the OFP's well-known endpoint. Hosted in OFTF |
| Sig3 | Used by the OFP to sign requests sent to the LFI. OFP will use the public key in the JWKS to verify the signature | OFTF | Ozone | Ozone | Ozone | None | API Hub's JWKS hosted in OFTF. Only required if one of these conditions is true: (a) the LFI requires JWT Auth for Application Layer Authentication to Ozone Connect; (b) the LFI uses Client Credentials Grant for Application Layer Authentication to Ozone Connect and client authentication is set to private_key_jwt |
| Sig4 | Used by the LFI to sign requests sent to OFP. LFI will use the public key in the JWKS to verify the signature | OFTF | LFI | Ozone (to assist LFI) | LFI | Yes | LFI's JWKS hosted in OFTF. Only required if the LFI requires JWT Auth for Application Layer Authentication to CM and HH |

2. Encryption Keys & Certs

| Item | Description | Issuer | Private Key Held By | CSR Generated by | Certificate Generated by | Action required by LFI | JWKS |
|---|---|---|---|---|---|---|---|
| Enc1 | Used by the TPP to encrypt PII sent to the OFP that can only be read by the LFI. The PII payloads are encrypted using the LFI's public key in the JWKS. The LFI decrypts them using their private key | OFTF | LFI | LFI | LFI | Yes | LFI's JWKS identified by the jwks_url in the OFP's well-known endpoint. Hosted in LFI's JWKS on OFTF |

Ozone can provide scripts to generate the CSR if requested by the LFI.

3. Creating certificates

Further information will be shared via the API Hub service desk, including CSRs. For more detailed information please see the example form "Pre-Production Environment Specific Configuration".

These steps are repeated for S1, S3 and Sig2, where the private keys are held by the API Hub:

  1. Ozone to generate private keys for the certificates

  2. Ozone to generate CSRs and hand over to LFI

  3. LFI to generate certificates on the OFTF directory*

  4. LFI to provide JWKS URL and KID

 

These steps are repeated for C3 and S4, where the private key is held by the LFI:

  1. LFI to generate private key for the certificate

  2. LFI to generate CSR

  3. LFI to generate the certificate from the OFTF directory*

  4. LFI to provide JWKS URL and KID

 

These steps are repeated for Sig3 and C4, where the private keys are held by the API Hub:

  1. Ozone to generate private keys for the certificates

  2. Ozone to generate CSRs

  3. Ozone to generate certificates on OFTF directory*

  4. Ozone to provide JWKS URL and KID to the LFI

 

*The OFTF Sandbox is used for signing certificates for the pre-production environment and the OFTF Production is used for signing certificates for the Production environment.
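The following is an added illustration, not Ozone's or OFTF's own scripts: it walks the key, CSR and certificate sequence from the steps above with `openssl`, then applies the C3 admission rule from the transport table (accept only certificates issued by OFTF AND carrying the registered subject). A throw-away CA generated in a temp directory stands in for OFTF, and every subject value is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not Ozone/OFTF code). A throw-away CA stands in for OFTF;
# all subject values below are constructed placeholders.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Subject the LFI registered with Ozone for its C3 certificate (placeholder),
# written in RFC 2253 form, which lists the RDNs in reverse order.
EXPECTED_SUBJECT="O=ExampleLFI,CN=lfi-c3-client"

# make_ca <name> <subject>: self-signed issuer (OFTF stand-in, or a rogue CA)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert <ca> <name> <subject>: the holder generates the private key and
# CSR, the CA turns the CSR into a certificate (key -> CSR -> cert sequence)
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" 2>/dev/null
}

# check_c3 <cert.pem>: returns 0 only if the chain verifies against the OFTF
# stand-in AND the subject matches exactly; either failure alone rejects.
check_c3() {
  openssl verify -CAfile "$WORK/oftf.pem" "$1" >/dev/null 2>&1 || return 1
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
         | sed 's/^subject=[[:space:]]*//')
  [ "$subj" = "$EXPECTED_SUBJECT" ]
}

make_ca oftf "/CN=stand-in OFTF CA"
make_ca rogue "/CN=some other CA"
issue_cert oftf good  "/CN=lfi-c3-client/O=ExampleLFI"  # right issuer, right subject
issue_cert oftf other "/CN=another-client/O=ExampleLFI" # right issuer, wrong subject
issue_cert rogue spoof "/CN=lfi-c3-client/O=ExampleLFI" # right subject, wrong issuer

for c in good other spoof; do
  if check_c3 "$WORK/$c.pem"; then echo "$c: accepted"; else echo "$c: rejected"; fi
done
```

Only `good` is accepted; a matching subject from another issuer and a different subject from the OFTF stand-in are both rejected.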

© Ozone Financial Technology Limited 2024-2025
Ozone Non Commercial Software EULA