Creating Client certificate for mutual TLS authentication
inna last edited by
I have an application that is installed at customer premises. This sometimes has to communicate with their server (PACS server), and the details are configured in our application. I have to enable TLS for secure communication between these two entities.
Our application can be configured to communicate with multiple servers in customer premises. We ship our application to multiple customers.
The question I have is: Who will issue the client certificate?
Should I ask the customer to generate a client certificate so that this can be presented to their server for authentication? This means if I have multiple servers configured, I'll have multiple client certificates.
Should I generate a self-signed certificate and provide them the root certificate so that they can install it in their trusted root certificate store? This way I will have only one certificate to deal with which will be shipped to all customers. The same certificate will be presented to different servers in each customer premise.
Should I generate a client certificate and get it signed by 3rd party CA?
If I go for the last 2 options, I feel that I may run into a problem with the domain name configured in the client certificate. We ship an industrial PC (Windows 10 and our application burned into a CD).
Can we create a single certificate and ship it to multiple customers, and use it to communicate with different servers? AFAIK, if the root certificate/CA certificate that is used to sign the client certificate is in the server's trusted root certificate store, the client should be validated.
What would be the best approach I can take?
As a standard process, you should tell the customer to generate client keys on the individual systems themselves. Give them the process to generate keys and a CSR (certificate signing request). You can (or provide the customer a process to) sign the CSR with a root/sub-CA (third party or your own CA) and install the signed certificate on the machines.
The point is that the private keys should not travel outside the system if possible. Although there are ways to securely transfer the keys, I personally do not recommend it.
It is recommended to use a third-party CA so that you do not have to go through all the procedure to protect the CA keys.
You can use a single certificate for all the machines, but in this case if one machine is compromised it will have an effect on all the machines.
If the system has some built-in mechanism like a TPM, you can generate keys via the TPM and store the keys in it.
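The per-machine flow described in the answer above, sketched with the OpenSSL CLI as an added example (not part of the original post): each machine generates its own key and CSR, the CA signs a client-auth-only certificate, and a server that trusts only the CA certificate accepts every machine. The CA here is a throwaway stand-in, the names Demo Client CA, ipc-0001 and ipc-0002 are constructed, and the keys are software keys rather than TPM-backed.

```shell
#!/bin/sh
# Added example. Names such as "Demo Client CA" and ipc-0001 are constructed.
set -eu

write_conf() {  # $1 = working dir; minimal OpenSSL config with both profiles
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
}

make_ca() {  # stand-in for your own or a third-party CA; its key stays with the CA
  openssl req -x509 -config "$1/pki.cnf" -extensions ca_ext -newkey rsa:2048 \
    -nodes -days 3650 -subj "/CN=Demo Client CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

new_client_csr() {  # run ON the machine: $2.key never leaves it, only $2.csr does
  openssl req -new -config "$1/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

sign_csr() {  # run at the CA: issues a client-auth-only certificate for $2
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$1/pki.cnf" \
    -extensions client_ext -out "$1/$2.crt" 2>/dev/null
}

verify_client() {  # what the server's trust check amounts to: chain + clientAuth
  openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$1/$2.crt" >/dev/null 2>&1
}

# Demo: one directory plays both roles (machine and CA) for illustration only.
demo=$(mktemp -d)
write_conf "$demo"; make_ca "$demo"
for m in ipc-0001 ipc-0002; do
  new_client_csr "$demo" "$m"; sign_csr "$demo" "$m"
  verify_client "$demo" "$m" && echo "$m: accepted by a server trusting ca.crt"
done
```

Because every machine holds a distinct key, a compromised machine is handled by revoking or ceasing to trust that one certificate, while the customer's server only ever needs `ca.crt` in its trust store.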