
We need to communicate between our EC2 server and our customer's server via mutual TLS. The requests are sent from our server to our customer's server, so we are the client here.

I read this post, talking about how to generate the files.

The first step is to create a certificate authority (CA) that both the client and server trust. The CA is just a public and private key with the public key wrapped up in a self-signed X.509 certificate.

Our cert and their cert: should they be signed by the same root CA? Who should provide it?

The code on my side should look like:

```javascript
const https = require('https');
const fs = require('fs');

const req = https.request(
  {
    hostname: 'myserver.internal.net',
    port: 443,
    path: '/',
    method: 'GET',
    cert: fs.readFileSync('client.crt'), // our client certificate, presented to the server
    key: fs.readFileSync('client.key'),  // our private key, never shared with anyone
    ca: fs.readFileSync('ca.crt')        // CA we trust when verifying the server's certificate
  },
  res => {
    res.on('data', function(data) {
      // do something with response
    });
  }
);
req.on('error', err => console.error(err));
req.end();
```

So what should we provide each other? We don't exactly understand, and they are not providing more details; they just asked us to give them a certificate...

user2503775

1 Answer


Our cert and their cert: should they be signed by the same root CA? Who should provide it?

Since the control of the client certificate is done at the TLS server side (i.e. at the customer) it depends fully on what they expect. They might require a publicly signed certificate, they might require a certificate signed by their own CA. Or they might simply check that a specific certificate gets used and will also accept self-signed certificates for this.

Steffen Ullrich
  • and what they should provide us? the ca.crt from the example code above? – user2503775 Jan 27 '21 at 19:24
  • Again - this __fully__ depends on what they expect. It might be that they expect a certificate request from you which they sign by their own CA and give you back as a certificate. It might be that they simply expect a self-signed certificate from you. Or whatever - ask them or look at any documentation they might have provided. If they just ask for a certificate, [create a self-signed certificate](https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl) and give them the certificate but not the key. If they want something different they will likely tell you. – Steffen Ullrich Jan 27 '21 at 19:31
  • Thank you! Our cloud is AWS and they have a certificate manager, but they do not allow exporting it. – user2503775 Jan 27 '21 at 19:43
  • They asked us to buy a new cert and give them the key. Not self-signed. We buy a client certificate and not a server certificate, right? Which CA do you recommend? – user2503775 Feb 01 '21 at 19:46
  • @user2503775: I don't recommend any CA. Again, it is fully up to them which CA they even accept. It might also be that they have specific requirements on the subject. – Steffen Ullrich Feb 01 '21 at 20:31
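The two arrangements the answer describes, worked through with the openssl CLI as an added example (not from the question or the answer; it assumes openssl is installed, and every subject name and file name is made up): the customer runs a CA and signs our CSR, or the customer accepts a self-signed certificate. In both arrangements what changes hands is a CSR or a certificate, never the private key.

```shell
# Added example, not part of the original question or answer. Assumes the
# openssl CLI; subject names and the work directory are made-up values.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# Minimal req config so this runs without relying on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\n[dn]\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/req.cnf"

# Case 1: the customer runs a CA. This is their step; we never see ca.key.
make_customer_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=Customer mTLS CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Our step: client.key stays on our server; only client.csr goes to the customer.
make_client_csr() {
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=our-ec2-client" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
}

# Their step: sign the CSR with their CA and hand client.crt back to us.
sign_client_csr() {
  openssl x509 -req -sha256 -days 365 -in "$WORK/client.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/client.crt" 2>/dev/null
}

# Case 2: the customer just wants "a certificate" to pin. We self-sign and
# hand over selfsigned.crt only; selfsigned.key is never shared.
make_self_signed_client() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 365 -subj "/CN=our-ec2-client" \
    -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.crt" 2>/dev/null
}

# Case 1 check, as the customer's TLS server does it: chain to their CA.
# A self-signed cert fails this; case 2 instead pins the exact certificate.
verify_cert_against_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

cert_has_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | grep -q "CN=$2"
}

cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
```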