0

We have developed a web application that generates an xml file. To deploy the application to production, we have purchased an SSL certificate through DigiCert, so that it runs under HTTPS protocol, however, one of the requirements are to send the xml file with a signature to be verified by the receiver (client), that it is in fact a genuine xml document sent from our service.

Do we need to get a document/code signing certificate too to achieve this, or is the SSL certificate we have purchased sufficient and to just follow this Microsoft tutorial:

https://learn.microsoft.com/en-us/dotnet/standard/security/how-to-encrypt-xml-elements-with-x-509-certificates

Donald N. Mafa
  • 5,131
  • 10
  • 39
  • 56
  • Is this a technical or a legal question? It depends on what your client wants or needs. Technically your SSL cert is fine. – bommelding Dec 07 '18 at 09:49
  • @bommelding The cert is ok, but the code he linked does not sign, but encrypt. https://stackoverflow.com/questions/32619852/code-signing-vs-encryption – Cleptus Dec 07 '18 at 09:50
  • See my solution : https://stackoverflow.com/questions/46722997/saml-assertion-in-a-xml-using-c-sharp/46724392 – jdweng Dec 07 '18 at 09:56

1 Answers1

1

The X509 XML signing code can work with any X509 certificate. From the coding perspective you can use the one you already have unless your client demands you to use a cert generated from a specific CA.

The code you linked does encrypt an XML, but you stated you did need to sign it. They are different things.

Encrypting does make it unreadable to anyone that does not have the private key.

Signing does a signature of the content and adds it at the end of it, so anyone can check the content was not altered.

Cleptus
  • 3,446
  • 4
  • 28
  • 34