SeaCat Certificate Authority is an identity management component in which identities are created for particular Application installations (Clients). During a new Application installation, a new Client ID is created (the Client identifies the Application installation). SeaCat Certificate Authority also serves as the data store for Client Certificates. Technically, it is a whitelist of authorized Client Certificates granting access to SeaCat Gateway. Every Client that wants to communicate with SeaCat Gateway has to have a valid and authorized Client Certificate. If the Client Certificate is not listed in the whitelist, access to SeaCat Gateway is refused, and the Client has no authorization to communicate with the Application Backend. There is no need for commercial certificates.
The Certificate Authority is managed via SeaCat CA Tool and is used to sign Client Certificate Signing Requests, which grants Clients access to the Application Backend via a Client Connection. The SeaCat Certificate Authority certificate is signed by the TeskaLabs root Certificate Authority (ca.seacat.mobi; PEM format).
SeaCat Certificate Authority manages Client Certificates and automates all procedures related to Client Certificate management. It covers the following processes:
- First Client request for a Client Certificate (onboarding process)
- Renewal of a valid Client Certificate
- Renewal of an invalid Client Certificate with an identical RSA private key
Each of these processes can be configured for automatic or manual operation, and all combinations are allowed. The purpose of the Application determines the level of automation: a fully automatic setup is best suited for B2C Applications, while manual or semi-automatic operation suits B2B or B2E Applications.
SeaCat supports two SeaCat Certificate Authority scenarios:
- Standard SeaCat Certificate Authority scenario
- Simplified SeaCat Certificate Authority scenario
Standard SeaCat Certificate Authority scenario
In the standard Certificate Authority scenario, the Certificate Authority is deployed on a dedicated appliance. Every SeaCat Gateway uses this Certificate Authority, and the Certificate Authority is responsible for signing Client Certificate Signing Requests. The Certificate Authority has a different certificate than the SeaCat Gateways. This scenario is optimal for large-scale deployments.
Pros for a standard SeaCat Certificate Authority scenario:
- Single point of SeaCat Certificate Authority installation with only one Client Signing Request signing point.
Cons for a standard SeaCat Certificate Authority scenario:
- For a small Application with only a few Clients, the Standard SeaCat Certificate Authority scenario is oversized.
Simplified SeaCat Certificate Authority scenario
In the simplified SeaCat Certificate Authority scenario, SeaCat Certificate Authority is deployed on the same appliance as SeaCat Gateway. Because SeaCat Gateway shares the SeaCat Gateway Certificate with SeaCat Certificate Authority, every SeaCat Gateway has its own SeaCat Certificate Authority.
Pros for a simplified SeaCat Certificate Authority scenario:
- Simplified installation.
Cons for a simplified SeaCat Certificate Authority scenario:
- Advanced configuration is required in case multiple SeaCat Gateways are used.
Certificate Authority Chain validation role
The Certificate Authority chain is a set of trusted Certification Authority certificates. It is used by SeaCat CA Tool to validate Client Certificates. To integrate a subsidiary Certificate Authority, extend the standard Certificate Authority chain by appending the subsidiary Certificate Authority's public certificate to the end of the file specified by the ca_chain variable inside seacat.conf.
More information about SeaCat configuration is located in the SeaCat Configuration Reference chapter under [gateway] section.
An example of copied text:
-----BEGIN CERTIFICATE-----
MIIGBzCCA++gAwIBAgIEAuQ0BDANBgkqhkiG9w0BAQwFADCBnjELMAkGA1UEBhMC
Q1oxFzAVBgNVBAgMDkN6ZWNoIFJlcHVibGljMQ8wDQYDVQQHDAZQcmFndWUxFDAS
IB7UbxOMrCG/fAedZZ93ImwxCenjDM+EMdXT8Atu+rwhdW4RdLG1b66kAqwVmnAs
... ... ...
HUI8Eps13fpbl/ehac32PlJ+LLXwbk/R3E35H19lVVetWvE/0FxI325Vab5HwJmr
To+c/nv6jKXzy6rYWvjAvx1AeepBie56TQSOHwTHbTykDDKSB7fbfJGpYBjBisYV
sO8a5EyYbTKQlMbfNcJHltJukKpMcLwolV4rbpyP7bVNsMnKDALw3P1YDkIMSNhA
dY8RsP6GWCAEGa8=
-----END CERTIFICATE-----
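The chain-extension step above, as an added example that is not part of SeaCat or SeaCat CA Tool: it reads the ca_chain path from the [gateway] section of seacat.conf, checks that the blob to append is a well-formed PEM certificate, and appends it only if the same certificate is not already in the chain file. It assumes seacat.conf is INI-style, and the PEM blobs it uses are constructed stand-ins rather than real certificates.

```python
# Added example (not SeaCat's own tooling): idempotently append a subsidiary CA
# certificate to the file named by ca_chain in [gateway] of seacat.conf (INI assumed).
import base64, binascii, configparser, hashlib, re, tempfile
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def chain_path_from_conf(conf_text: str) -> str:
    """Return the ca_chain path from the [gateway] section of seacat.conf."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    return cfg["gateway"]["ca_chain"]

def pem_fingerprints(bundle: str) -> list[str]:
    """SHA-256 of the DER bytes of each CERTIFICATE block; rejects malformed bodies."""
    fps = []
    for body in PEM_RE.findall(bundle):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError("certificate body is not valid base64") from exc
        if not der or der[0] != 0x30:  # an X.509 certificate is a DER SEQUENCE
            raise ValueError("certificate body is not a DER SEQUENCE")
        fps.append(hashlib.sha256(der).hexdigest())
    return fps

def append_subsidiary_ca(chain_file: Path, cert_pem: str) -> bool:
    """Append cert_pem to chain_file unless already present; True if the file changed."""
    (new_fp,) = pem_fingerprints(cert_pem)  # exactly one CERTIFICATE block expected
    existing = chain_file.read_text().rstrip("\n") + "\n" if chain_file.exists() else ""
    if new_fp in pem_fingerprints(existing):
        return False  # already trusted, leave the chain file untouched
    chain_file.write_text(existing + cert_pem.strip() + "\n")
    return True

def constructed_pem(der: bytes) -> str:
    """Wrap bytes in PEM framing with 64-column base64 lines (constructed test data)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def demo() -> tuple[bool, bool, int]:
    """First append changes the file, the repeat is a no-op, and the chain holds 2 certs."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = f"[gateway]\nca_chain={tmp}/ca_chain.pem\n"  # constructed seacat.conf
        chain = Path(chain_path_from_conf(conf))
        chain.write_text(constructed_pem(b"\x30\x03\x02\x01\x01"))  # existing chain entry
        sub = constructed_pem(b"\x30\x03\x02\x01\x02")  # subsidiary CA stand-in
        first, second = append_subsidiary_ca(chain, sub), append_subsidiary_ca(chain, sub)
        return first, second, len(pem_fingerprints(chain.read_text()))
```

Running demo() returns (True, False, 2); a body that is not base64 or not a DER SEQUENCE is rejected before anything is written.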