TLS Server Certificate Support

This configuration has two options:
  • No Certificate: In this use case, the PSP wishes to use TLS, but does not provide a certificate (.cer file) to the client. The connection is encrypted, but the client cannot verify that the public key the server presents actually belongs to the PSP, so it cannot detect a man-in-the-middle that substitutes its own key. Note that a client never validates the server's private key; the private key stays on the server, and what the client checks is the certificate that binds the server's public key to its identity.

  • Certificates: A certificate is used to validate that the Server Public Key presented to the client belongs to the server the client intends to talk to.

    • PSPs can use a certificate issued by a known Certificate Authority, in which case the client validates the Server Certificate against the CA certificates pre-installed in its local trust store.

    • PSPs can also use a self-signed certificate. Such a certificate chains to no CA the client already trusts, so the client must obtain it out of band.

    • In that case the PSP provides a .cer file, which the client adds to its trust store so that it can validate the X.509 certificate presented by the server.

TLS Client Certificate Support

Client Certificates work in the same way in the other direction: the server validates the certificate presented by the client to confirm that the client is one it trusts.

Certificate Handling by PSPs is outside the scope of our configuration and code.

Client Certificate Files are typically .pfx (PKCS#12) files and contain both the client's certificate (public key) and its private key; the file is protected by a password that must be supplied to open it. Because the .pfx file holds the private key, it is sensitive and should be handled carefully: keep it out of source control, restrict file permissions to the account that runs the client, and store the password separately from the file.
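The following Go program is an added example, not code from the original page or from the PSP integration it describes. It stands up a loopback TLS server whose self-signed certificate plays the role of the PSP's .cer and which also requires a client certificate, then exercises each configuration discussed in the two sections above: no validation (the "No Certificate" option), validation against the pinned .cer, validation against a trust store that lacks the PSP's certificate, and a client that omits its client certificate. The hostnames ("psp.example", "merchant-client"), the in-memory certificates and the one-message echo are assumptions made for the demo; in production the client certificate and key would be loaded from the .pfx file rather than minted in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net"
	"time"
)

// check panics on setup errors; the errors the demo is about are returned, not panicked.
func check(err error) { if err != nil { panic(err) } }

// mustSelfSigned mints a self-signed cert and key (stand-in for the PSP's .cer or the client's .pfx; names assumed).
func mustSelfSigned(cn string, serial int64) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf
}

// startEchoServer listens on loopback with cfg and echoes each connection; a client the server rejects gets a TLS alert instead of its echo.
func startEchoServer(cfg *tls.Config) net.Listener {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	check(err)
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) { defer c.Close(); io.Copy(c, c) }(conn)
		}
	}()
	return ln
}

// tryConnect dials with the client config and round-trips one message, so a rejection the server sends after the client-side handshake is reported too.
func tryConnect(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	if _, err := conn.Write([]byte("ping")); err != nil {
		return err
	}
	_, err = io.ReadFull(conn, make([]byte, 4))
	return err
}

type Results struct{ NoValidation, PinnedCert, UnknownCA, NoClientCert error } // nil means that configuration connected

// RunScenarios runs a PSP-like server (self-signed certificate, client certificate required) and tries each client configuration.
func RunScenarios() Results {
	serverCert, serverLeaf := mustSelfSigned("psp.example", 1)
	clientCert, clientLeaf := mustSelfSigned("merchant-client", 2)
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(clientLeaf)
	ln := startEchoServer(&tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    clientCAs,
	})
	defer ln.Close()
	addr := ln.Addr().String()
	pinned := x509.NewCertPool() // the PSP's .cer, installed as the client's only trust anchor
	pinned.AddCert(serverLeaf)
	withClient := []tls.Certificate{clientCert}
	var r Results
	// "No Certificate" option: encrypted, but any server key is accepted.
	r.NoValidation = tryConnect(addr, &tls.Config{InsecureSkipVerify: true, Certificates: withClient})
	// Self-signed server certificate checked against the pinned .cer: connects.
	r.PinnedCert = tryConnect(addr, &tls.Config{ServerName: "psp.example", RootCAs: pinned, Certificates: withClient})
	// Trust store without the PSP's certificate (an empty pool here): the client refuses.
	r.UnknownCA = tryConnect(addr, &tls.Config{ServerName: "psp.example", RootCAs: x509.NewCertPool(), Certificates: withClient})
	// Server validated, but no client certificate offered: the server refuses.
	r.NoClientCert = tryConnect(addr, &tls.Config{ServerName: "psp.example", RootCAs: pinned})
	return r
}
```

The first two configurations return nil (they connect); the other two return errors. The "no validation" case connecting is the point: the handshake succeeds against any server key, which is why the "No Certificate" option gives encryption without authentication. The InsecureSkipVerify setting shown there is the weak configuration to avoid in a real client; the pinned RootCAs configuration is the corrected one for a self-signed PSP certificate.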