Public Key Cryptography is based on a key pair, where one party has a private key and a corresponding public key. Because of the asymmetry, where one party has a private and the others a public key, public key algorithms are also classified as asymmetric algorithms (compared to symmetric algorithms, where all parties share the same secret key). The key pair looks different depending on the algorithm used, i.e., RSA public keys are not the same as ECDSA keys and are not compatible in any way either. There are various formats to represent and store keys, such as PEM- or DER-encoded formats, PKCS#12, Java KeyStore or JSON Web Key. Some of these formats store both the private and the public key and are password protected; others only contain the public key.

Often, the public key is assigned some details, such as a name and owner, the corresponding algorithm and intended key usage, or a lifetime. One method to bind the public key to this metadata is the certificate, where a third party assures that the metadata belongs to the key and is correct. It does so by putting its signature underneath (metaphorically speaking). This party is the issuer of the certificate, or the Certificate Authority (CA). To trust the metadata bound to a public key, one needs to trust the issuer of the certificate.

Certificates in the Curity Identity Server

Certificates are used for signing and encrypting, authentication, and establishing trust. In general, there are two types of certificates: those where the server only knows the public key, stored in a truststore, and those where the server also possesses the private key, stored in a keystore. Certificates are also grouped by their function, i.e., whether they are used to secure the transport layer via SSL/TLS or to sign and encrypt messages and tokens. Furthermore, the configuration categorizes certificates based on the role of the Curity Identity Server, i.e., whether it receives or sends a protected message. Consequently, the Curity Identity Server handles the following list of certificates (and keys):

Descriptive Name
- Certificates and keys used to protect endpoints with HTTPS
- Certificates and public keys used to verify signatures of tokens issued by other systems
- Certificates and private keys used for signing
- Certificates presented by clients in Mutual TLS sessions that the Curity Identity Server trusts
- Certificates and private keys used for mutual TLS where the Curity Identity Server acts as the client
- Server certificates of (external) HTTPS endpoints that the Curity Identity Server trusts
- Certificates and private keys used for decrypting
- Certificates and public keys that the Curity Identity Server uses for creating encrypted messages addressed to certain Relying Parties
- Trusted root certificates used for signature verification for a specific purpose (for example, a signed software statement)

Certificates and keys have their own place in the configuration and are found under facilities/crypto. Each entry of a key, certificate, or store of trusted certificates is referenced by an ID. In this way, certificates and trust stores can easily be reused across the system.

Trusted certificates are normally root CA certificates that have a long expiration time. Changes to a CA infrastructure are, in general, announced in advance and performed carefully, so there should be enough time to act and update the trust stores. The lifetime of individual certificates is much shorter. Using a short expiration time for certificates is like using a short lifetime for Access Tokens: if anything goes wrong, there is only a limited time frame for attacks. To prevent the user from logging in constantly when Access Tokens expire, Refresh Tokens are used to renew Access Tokens seamlessly. Likewise, when a certificate is close to expiring, request a new one and configure it in an automated fashion, preferably without interruptions.

The Curity Identity Server automatically publishes its public keys, such as the token verification key, in JWK format in a JSON Web Key Set (JWKS). The link to the JWKS, the jwks_uri, can be found in the OpenID metadata (if published) and is part of the anonymous endpoint, e.g.
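The consumer side of the JWKS publication described above, as an added example that is not part of the original page and not Curity's own code: it reads the jwks_uri from an OpenID Provider metadata document, selects the verification key a token header points at by kid, refuses to use a key whose type does not match the algorithm (an RSA key cannot verify an ES256 signature, and an encryption key must not be used for signature verification), and refreshes a cached key set when an unknown kid shows up, so a key rollover needs no restart. The JWKS contents, the issuer URL and the key IDs are constructed sample values; the refresh cooldown is an assumption of this example, added so that unknown kids sent by an unauthenticated caller cannot trigger a fetch per request.

```python
"""JWKS consumer: discover jwks_uri, select a verification key by kid,
check key-type/algorithm compatibility and refresh on key rollover."""
import base64
import json
import time

# JOSE signing algorithms mapped to the JWK key type (kty) they require.
ALG_TO_KTY = {
    "RS256": "RSA", "RS384": "RSA", "RS512": "RSA",
    "PS256": "RSA", "PS384": "RSA", "PS512": "RSA",
    "ES256": "EC", "ES384": "EC", "ES512": "EC",
    "EdDSA": "OKP",
}


def b64url_decode(value: str) -> bytes:
    """Decode unpadded base64url, the encoding used for JWK parameters."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwks_uri_from_metadata(metadata_json: str) -> str:
    """Read jwks_uri from OpenID Provider metadata; require https so the key
    set cannot be swapped on the way to the consumer."""
    uri = json.loads(metadata_json).get("jwks_uri")
    if not uri or not uri.startswith("https://"):
        raise ValueError("metadata has no https jwks_uri")
    return uri


def rsa_public_numbers(jwk: dict) -> tuple:
    """Turn the JWK 'n' and 'e' parameters into the RSA modulus and exponent."""
    if jwk.get("kty") != "RSA":
        raise ValueError("not an RSA key")
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    return n, e


def select_verification_key(jwks: dict, kid: str, alg: str) -> dict:
    """Pick the key a token header (kid, alg) refers to and check it is usable."""
    expected_kty = ALG_TO_KTY.get(alg)
    if expected_kty is None:
        raise ValueError(f"unsupported signing alg {alg!r}")
    candidates = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if not candidates:
        raise KeyError(kid)
    if len(candidates) > 1:
        raise ValueError(f"ambiguous kid {kid!r}")  # kid must be unique in a set
    key = candidates[0]
    if key.get("kty") != expected_kty:
        raise ValueError(f"{alg} needs a {expected_kty} key, got {key.get('kty')}")
    if key.get("use", "sig") != "sig":
        raise ValueError("key is not a signature verification key")
    if "alg" in key and key["alg"] != alg:
        raise ValueError("key is restricted to a different algorithm")
    return key


class JwksCache:
    """Caches a fetched JWKS; refetches when an unknown kid appears, but at
    most once per min_refresh_s (assumed policy) to avoid fetch storms."""

    def __init__(self, fetch, min_refresh_s=60, clock=time.monotonic):
        self._fetch = fetch              # callable returning the JWKS JSON text
        self._min_refresh_s = min_refresh_s
        self._clock = clock
        self._jwks = {"keys": []}
        self._last_fetch = None
        self.fetch_count = 0

    def _refresh(self) -> None:
        self._jwks = json.loads(self._fetch())
        self._last_fetch = self._clock()
        self.fetch_count += 1

    def get_key(self, kid: str, alg: str) -> dict:
        if self._last_fetch is None:
            self._refresh()
        try:
            return select_verification_key(self._jwks, kid, alg)
        except KeyError:
            if self._clock() - self._last_fetch < self._min_refresh_s:
                raise                    # still in cooldown: treat as unknown key
            self._refresh()              # possible rollover: fetch once more
            return select_verification_key(self._jwks, kid, alg)


# Constructed sample data (toy-sized RSA modulus, placeholder EC coordinates).
RSA_KEY_V1 = {"kty": "RSA", "kid": "rsa-2024-01", "use": "sig", "alg": "RS256",
              "n": b64url_encode((3233).to_bytes(2, "big")), "e": "AQAB"}
RSA_KEY_V2 = dict(RSA_KEY_V1, kid="rsa-2024-07")
EC_KEY = {"kty": "EC", "kid": "ec-2024-01", "use": "sig", "alg": "ES256", "crv": "P-256",
          "x": b64url_encode(b"\x01" * 32), "y": b64url_encode(b"\x02" * 32)}
ENC_KEY = dict(RSA_KEY_V1, kid="rsa-enc-01", use="enc", alg="RSA-OAEP")
SAMPLE_METADATA = json.dumps({"issuer": "https://idsvr.example.com",
                              "jwks_uri": "https://idsvr.example.com/jwks"})


def publish(keys: list) -> str:
    """Serialize a key list the way a jwks_uri endpoint would return it."""
    return json.dumps({"keys": keys})


class FakeClock:
    """Deterministic clock so the cooldown logic can be exercised offline."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def raises(fn, exc) -> bool:
    try:
        fn()
    except exc:
        return True
    return False
```

A verifier should always bind the kid lookup to the algorithm it is about to use, as `select_verification_key` does; looking up by kid alone and trusting the key's own `alg` field lets a mislabelled or mismatched key slip into signature verification.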