
I am in a situation where my software is calling a third party web service (SOAP) and using WS-Security for client authentication using a client certificate and digital signing of the message contents. The vendor requires that the certificate I send them has a trust chain that originates from a trusted authority (Verisign, Thawte, etc.); they will not allow me to self-sign.

When you go to sites that sell certificates, most only have 3 options:

  • SSL Certificates
  • "Code Signing" Certificates
  • "Document Signing" Certificates

"Document signing" seems like the closest to what I need, but much of the literature on the sites talks about how they can be used to sign Word and PDF documents for an extra layer of security for actually having a human "sign" for a document.

Is there any way to buy a certificate specifically for automated binary payload/message signing that will work with WS-Security and is not rate-limited? (e.g. some sites require timestamping and 'phoning home' to be able to track how many documents you have signed)

This seems like it would be a common request for B2B scenarios, but there is very little out there in terms of documentation.

Mike Marshall

1 Answer


Start with a client authentication certificate, which probably is good enough. You have two options:

1) Buy an email certificate. These are also client certificates and allow signing and are cheap.

2) Get a free server certificate from Letsencrypt. These come with the extensions below that might be good enough for your use case:

    X509v3 extensions:
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        X509v3 Extended Key Usage: 
            TLS Web Server Authentication, TLS Web Client Authentication
        X509v3 Basic Constraints: critical

The only challenge for these is that you need to own a valid domain to request them. The good news is that the certificate is free.

Jofre
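As an added example that is not part of the question or the answer above: whichever certificate you end up buying, the thing to verify before you deploy it is the same pair of extensions the answer quotes from the Let's Encrypt dump, the Key Usage bits and the Extended Key Usage list. The script below generates the CSR you would send to a public CA with a request for digitalSignature plus the clientAuth and emailProtection purposes, and provides a check you can run on the certificate the CA returns (a CA's issuance profile may not honour the requested extensions, so check the issued certificate, not only the request). It assumes an OpenSSL 1.1.1 or later command line (for `-addext` and `-ext`); the subject name `ws-client.example` and the file names are placeholders, and the self-signed test certificates exist only so the check can be exercised offline.

```sh
#!/bin/sh
# Added example, not code from the question or the answer above.
# Assumes OpenSSL >= 1.1.1 (for "req -addext" and "x509 -ext"). The subject
# "ws-client.example" and all file names are placeholders.
set -eu

# Print the Key Usage and Extended Key Usage of a PEM certificate, the same
# two extensions shown in the answer's certificate dump.
cert_usage() {
    openssl x509 -in "$1" -noout -ext keyUsage,extendedKeyUsage
}

# Return 0 if the certificate is usable for automated message signing:
#   - keyUsage must include digitalSignature (an XML-DSig/WS-Security stack
#     cannot sign with a key whose certificate only allows encipherment), and
#   - if an extendedKeyUsage is present, it must allow a client role
#     (clientAuth or emailProtection); a certificate with no EKU at all is
#     unrestricted under RFC 5280 and is accepted too.
# A server-only certificate (EKU serverAuth alone) is rejected.
check_signing_cert() {
    usage=$(cert_usage "$1") || return 1
    case "$usage" in
        *"Digital Signature"*) ;;
        *) echo "$1: keyUsage lacks digitalSignature" >&2; return 1 ;;
    esac
    case "$usage" in
        *"Extended Key Usage"*) ;;
        *) return 0 ;;   # no EKU: any purpose is allowed
    esac
    case "$usage" in
        *"TLS Web Client Authentication"*|*"E-mail Protection"*) return 0 ;;
        *) echo "$1: EKU allows neither clientAuth nor emailProtection" >&2; return 1 ;;
    esac
}

# Build the CSR you would actually send to a public CA: a fresh RSA key plus a
# request for exactly the extensions checked above. The CA's profile decides
# what ends up in the issued certificate, so run check_signing_cert on the
# certificate you get back, not just on this request.
make_csr() {
    key=$1; csr=$2
    openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
        -subj "/CN=ws-client.example" \
        -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
        -addext "extendedKeyUsage=clientAuth,emailProtection" 2>/dev/null
}

# Throwaway self-signed certificate with chosen extensions, only so the check
# can be exercised offline (the vendor in the question rejects self-signed
# certificates, so this is never what you would send them).
# $1 = output PEM, $2 = keyUsage list, $3 = extendedKeyUsage list ("" for none)
make_test_cert() {
    out=$1; ku=$2; eku=$3
    set -- -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ws-client.example" \
           -keyout "${out%.pem}.key" -out "$out" -addext "keyUsage=critical,$ku"
    if [ -n "$eku" ]; then
        set -- "$@" -addext "extendedKeyUsage=$eku"
    fi
    openssl req "$@" 2>/dev/null
}
```

The strings matched in `check_signing_cert` are the names OpenSSL prints for the extension values, so the check works on any certificate you can read with `openssl x509`, including the one the vendor will eventually see. Which EKU values the vendor's WS-Security stack accepts is the one thing this script cannot tell you; confirm that with them before buying, and treat a certificate that fails the digitalSignature test as unusable regardless of what the sales page calls it.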