Certificate Conditions
A certificate for the OAuth 2.0 client credentials flow must contain two parts:.
-
Public key (as a part of the certificate) – an Administrator or a user with the OAuth 2.0 Authorized Applications Management permission uploads the public part of the certificate as part of the client credentials flow mapping process.
-
Private key – The private key provides the signature of the JWT token in the POST request to the token endpoint. For more information, see POST Request to the Token Endpoint and the Access Token Response
The certificate must meet the following requirements:
-
The public key must be in x.509 format with a file extension of .cer, .pem, or .crt.
-
The length of the RSA key must be 3072 bits, or 4096 bits. The length of EC key must 256 bits, 384 bits, or 521 bits.
-
The maximum certificate validity is two years. If the certificate is valid for a longer time period, the system automatically shortens the validity to two years.
Note:The system sends an email notification about expiring certificates to Administrators. The first notification is sent two months before expiration, then one month, and 14 days. If more certificates expire in one day, the system sends only one notification for all of the certificates.
-
One certificate can only be used for one combination of integration record, role, and entity. If you want to use the same integration record for multiple entities or roles, you must use a different certificate for each unique combination.
The following examples show how to create a valid certificate using OpenSSL:
ES256
openssl req -new -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -pkeyopt ec_param_enc:named_curve -nodes -days 365 -out public.pem -keyout private.pem
ES512
openssl req -new -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp521r1 -pkeyopt ec_param_enc:named_curve -nodes -days 365 -out public.pem -keyout private.pem
RSA – PSS
When you change the scheme to RSA – PSS, you must also change the algorithm used for singing to PS256.
The -days parameter is optional.
openssl req -new -x509 -newkey rsa:4096 -keyout private.pem -sigopt rsa_padding_mode:pss -sha256 -sigopt rsa_pss_saltlen:64 -out public.pem -nodes -days 365
Treat the certificate as you would any other credentials. Never share the certificate with unauthorized individuals, or outside your company.