To access an API developed by a co-worker, he needed to whitelist my IP address and give me a certificate, which came in with the .pfx extension. I can access the API front-end just fine, but I cannot make it work for another co-worker using the same certificate.

My understanding of all this is very limited; I hope I have made myself clear.

Lucas Farias
  • If the client certificate just contains a private key and certificate signed by a corporate CA, anyone who has the file can use it. If you have a file with a signed certificate but without the matching private key, you can't use it to authenticate as the user. It is possible to create a client certificate that uses a private key that is bound to some hardware, a smartcard, U2F token or TPM or whatever, possibly embedded in the laptop and possibly removable. Then the certificate file requires the hardware and some software to use the hardware to perform the signature at the time of authentication. – Z.T. May 25 '20 at 16:21
  • Given that co-worker A told you they needed to whitelist your IP *in addition* to giving you the key, shouldn't it reasonably be assumed that the whitelist is failing for co-worker B even though they have the keys? What's the question here? – Allison May 25 '20 at 18:48
  • @Sirens thing is co-worker B is already whitelisted. Still getting the 400 error tho. – Lucas Farias May 28 '20 at 11:10

0 Answers
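
The distinction drawn in Z.T.'s comment, a .pfx that carries the private key plus certificate versus one that carries the certificate alone, can be checked on a given file. The script below is an added example, not part of the original thread: it assumes the third-party Python `cryptography` package, and the helper names (`build_samples`, `inspect_pfx`), the subject name, the password and both sample files are constructed here for illustration.

```python
import datetime
from typing import Optional

from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import (
    BestAvailableEncryption, Encoding, PublicFormat, pkcs12)

PASSWORD = b"constructed-password"  # constructed sample value

def build_samples():
    """Constructed inputs: one .pfx with key + cert, one with the cert only."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed-client")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)  # self-signed stand-in for a CA-issued cert
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=1))
            .sign(key, hashes.SHA256()))
    enc = BestAvailableEncryption(PASSWORD)
    full = pkcs12.serialize_key_and_certificates(b"client", key, cert, None, enc)
    cert_only = pkcs12.serialize_key_and_certificates(b"client", None, cert, None, enc)
    return full, cert_only

def _spki(public_key) -> bytes:
    return public_key.public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)

def inspect_pfx(data: bytes, password: Optional[bytes]) -> dict:
    """Report whether a PKCS#12 blob can authenticate a client on its own."""
    key, cert, extra = pkcs12.load_key_and_certificates(data, password)
    # Without a key, parsers may return the certificate under "additional" certs.
    certs = ([cert] if cert is not None else []) + list(extra)
    key_spki = _spki(key.public_key()) if key is not None else None
    return {
        "has_private_key": key is not None,
        "subjects": [c.subject.rfc4514_string() for c in certs],
        "key_matches_certificate": any(_spki(c.public_key()) == key_spki for c in certs),
    }

if __name__ == "__main__":
    for label, blob in zip(("key+cert", "cert only"), build_samples()):
        print(label, inspect_pfx(blob, PASSWORD))
```

A file that reports `has_private_key: True` is a bearer credential: it should be issued per user and revoked individually rather than copied between co-workers.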