Overview


To access Freja eID services you need a client SSL/TLS certificate. The client certificate authenticates your application when it communicates with Freja eID services, and Freja eID also uses it to identify you in its system when you send an authentication or signing request. Separate certificates are needed for the Testing Environment and the Production Environment.


The following section provides instructions on how to generate an SSL/TLS key and a certificate signing request (CSR), which you then send to Freja eID partner support, who will issue your client certificate. It also documents how to create a PKCS#12 file.


Note: In the examples below we used OpenSSL, an open-source cryptography and SSL/TLS toolkit. For more information about OpenSSL, please refer to their official website. You are, of course, free to use any other key management and CSR generator of your choice.


What is an SSL/TLS key and what is it used for?


The SSL/TLS key is part of the Public Key Infrastructure (PKI) used with SSL/TLS certificates. PKI relies on asymmetric cryptography, where two keys are used: a private key and a public key (the public key is included in the SSL/TLS certificate). In this guide the key pair is RSA; the private key is used to authenticate your application and to establish the SSL/TLS session. Because asymmetric operations are slow, they are only used during the handshake, to authenticate the parties and agree on a symmetric session key; the data actually transmitted is encrypted and decrypted with that symmetric key.


What is a certificate signing request (CSR)? 


A certificate signing request (also CSR or certification request) is a block of encoded text that is given to a certificate authority (CA) when applying for an SSL/TLS certificate. It is usually generated on the server where the certificate will be installed and contains information that will be included in the certificate, such as the organisation name, common name (domain name), locality and country. It also contains the public key that will be included in the certificate. The private key is usually created at the same time as the CSR, thus making a key pair.


A CSR is generally encoded using ASN.1, according to the PKCS #10 specification.


Distinguished names


SSL/TLS certificates contain identifying information, such as the fully qualified domain name used for DNS lookups of your server (also called the Common Name), your organisation or company name and location information. This information is packaged in an information structure called a Distinguished Name (DN) and is known as the Subject DN. A similar structure represents information about the issuer, in that case known as the Issuer DN.


When generating a CSR on your server for the purposes of connecting to Freja eID, you are asked to enter the Subject DN, which uniquely identifies your application and/or organisation.


Note: Any strings in the Subject DN of the CSR must be encoded as ASN.1 UTF8String in order to be correctly processed by the Freja eID CA. With OpenSSL this is controlled by the string_mask setting in the [ req ] section of the configuration file (string_mask = utf8only); the C attribute is always encoded as PrintableString, as X.520 requires.


Below is an example list of the required fields and their respective values for the Subject DN used when generating a CSR for a Freja eID Relying Party named "ACME AB".

 

Subject DN field | Name | Explanation | Example
CN | Common Name | (Optional) Function qualifier, if required. | Document signing service
OU | Organisational Unit | (Optional) Internal organisational qualifier, if required. | Production
O | Organisation Name | Legal name of the organisation, as registered with the company register of the country it operates in. | ACME AB
organizationIdentifier (OID 2.5.4.97) | Organisation identifier | Organisational number, as registered with the company register of the country it operates in. | 556677-8888
C | Country | The two-letter ISO 3166-1 country code of the country the company operates in. | SE


Generating a CSR - step by step guide


1. Launch OpenSSL (preferably on the production server) and generate your private key with the genrsa command (see below). The arguments are the location and file name where you wish to store your key and the key size (minimum 2048 bits). You will also be prompted to choose a secure passphrase for the key: -aes256 encrypts the key file with that passphrase, and -F4 selects the public exponent 65537 (which is also the default).


openssl genrsa -F4 -aes256 -out <PATH_TO_YOUR_PRIVATE_KEY>.key 2048


Security recommendation: As the security of your integration relies on the integrity and secrecy of this private key, it is best practice to generate the key on the production system itself and to protect it against unauthorised access by restricting the permissions on the key file (for example, readable only by the account that runs your application). Once the PKCS#12 file has been generated, the key file can be removed or stored securely offline for backup purposes.


2. You need to create an OpenSSL configuration file named freja_openssl.conf. Depending on the version of OpenSSL that you are using, create the file with the following content (make sure that the CN, OU, O, organizationIdentifier and C values reflect your organisation):


    2.1 Version of openssl 1.1.1f and later:


[ req ]

default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
# Encode every Subject DN string as UTF8String, as the Freja eID CA requires
string_mask = utf8only
distinguished_name = dn

[ dn ]
CN = Document signing service
OU = Production
O = ACME AB
C = SE
organizationIdentifier = XXYYZZ-AABB

    

    2.2 Version of openssl earlier than 1.1.1f


oid_section = OIDs

[ req ]

default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
# Encode every Subject DN string as UTF8String, as the Freja eID CA requires
string_mask = utf8only
distinguished_name = dn

[ OIDs ]

organizationIdentifier = 2.5.4.97

[ dn ]
CN = Document signing service
OU = Production
O = ACME AB
C = SE
organizationIdentifier = XXYYZZ-AABB


Important note! Make sure you use the configuration that matches your OpenSSL version, as using the wrong one results in an error: newer versions already know the organizationIdentifier name, so redefining it in an oid_section fails, while older versions do not recognise the name at all unless it is defined there.

3. Next, generate the CSR from the key created in step 1 with the following command; the request is written to the file given by -out. You will be prompted for the key passphrase.


openssl req -new -key <PATH_TO_YOUR_PRIVATE_KEY>.key -out <PATH_TO_CSR>.csr -config freja_openssl.conf


4. Compress the CSR file with ZIP/gzip and email it to [email protected]. After the certificate has been issued by Freja eID Support, you will receive a ZIP file with your new certificate, along with the required Freja eID CA certificates. The content of the ZIP file is the following:


Filename | Description | Subject DN | Issuer DN
Freja eID Production Root.cer | Freja eID's offline root certificate | CN = Freja eID Root CA v1, OU = Production, O = Verisec Freja eID AB, 2.5.4.97 = 559110-4806, C = SE | Same as Subject DN
Freja eID Production Issuing CA.cer | Freja eID's Issuing Certificate Authority | CN = Freja eID Issuing CA v1, OU = Production, O = Verisec Freja eID AB, 2.5.4.97 = 559110-4806, C = SE | CN = Freja eID Root CA v1, OU = Production, O = Verisec Freja eID AB, 2.5.4.97 = 559110-4806, C = SE
Freja eID Production Certificates.pem | Freja eID certificate chain; contains both the root and the issuing CA certificates | | 
<YOUR CERTIFICATE>.cer | Your issued relying party certificate | CN = Document signing service, OU = Production, O = ACME AB, 2.5.4.97 = 556677-8888, C = SE | CN = Freja eID Issuing CA v1, OU = Production, O = Verisec Freja eID AB, 2.5.4.97 = 559110-4806, C = SE

5. Generate the PKCS#12 keystore file with the following command. You will be asked for the passphrase of your private key and then for a new, secure passphrase for the keystore:


openssl pkcs12 -aes256 -chain -CAfile "Freja eID Production Certificates.pem" -export -in <YOUR CERTIFICATE>.cer -inkey <YOUR_PRIVATE_KEY>.key -out <YOUR_KEYSTORE>.pfx


The -chain option makes OpenSSL build your certificate's chain from the file given with -CAfile and store the Freja eID CA certificates in the keystore next to your own certificate; without -chain, -CAfile has no effect and the keystore contains only your certificate. -aes256 encrypts the private key inside the keystore. On OpenSSL 1.1.x the certificate bag is still encrypted with the legacy RC2-40 algorithm unless you also pass -certpbe AES-256-CBC; OpenSSL 3 uses AES-256-CBC with PBKDF2 for both by default.


Security recommendation: As the security of your integration relies on the integrity and secrecy of this keystore, create it on the production system itself and protect it against unauthorised access by restricting the permissions on the keystore file, just as for the private key above.


6. Finally, verify connectivity against the production Freja eID services with the following command. You will be prompted for the private key passphrase. A successful handshake prints the server's certificate chain and ends with "Verify return code: 0 (ok)"; the -verify_return_error option makes s_client abort the handshake, instead of only printing a warning, if the server certificate does not validate against the Freja eID chain given with -CAfile.


openssl s_client -verify_return_error -CAfile "Freja eID Production Certificates.pem" -cert <YOUR CERTIFICATE>.cer -key <YOUR_PRIVATE_KEY>.key -connect services.prod.frejaeid.com:443
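The whole path from key to keystore, as an added example (this script is not part of the Freja eID guide and the function names are my own). It follows steps 1, 2, 3 and 5 above, adds the pre-flight checks you would want to run on the CSR before mailing it (self-signature, Subject DN content, key size, and the UTF8String encoding the CA requires), and then inspects the finished keystore. It assumes OpenSSL 1.1.1f or later, as the first configuration variant does. Step 4 cannot run offline, so a throw-away local CA created inside the script stands in for the Freja eID issuing CA; step 6 is not reproduced. The passphrases, paths and the ACME AB example values are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the Freja eID guide: key -> CSR -> checks -> PKCS#12,
# run end to end. Assumes OpenSSL 1.1.1f or later (organizationIdentifier is a
# known name, -addext exists). The "test CA" below is constructed here as a
# stand-in for the Freja eID issuing CA; passphrases and paths are demo values.
set -eu

WORK=${WORK:-$(mktemp -d)}
KEY_PASS=${KEY_PASS:-demo-key-passphrase}; export KEY_PASS        # constructed
P12_PASS=${P12_PASS:-demo-keystore-passphrase}; export P12_PASS   # constructed

# Step 2: freja_openssl.conf (1.1.1f+ form) with string_mask so every Subject DN
# string is encoded as UTF8String (C stays PrintableString by the X.520 rule).
write_config() {
  cat > "$1" <<'EOF'
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
string_mask = utf8only
distinguished_name = dn

[ dn ]
CN = Document signing service
OU = Production
O = ACME AB
C = SE
organizationIdentifier = 556677-8888
EOF
}

# Step 1: passphrase-protected 2048-bit RSA key. The passphrase is read from the
# environment rather than argv so it does not show up in the process list.
generate_key() {
  openssl genrsa -F4 -aes256 -passout env:KEY_PASS -out "$1" 2048 2>/dev/null
}

# Step 3: CSR signed with that key. $1 key, $2 config, $3 output CSR.
generate_csr() {
  openssl req -new -key "$1" -passin env:KEY_PASS -config "$2" -out "$3"
}

# Pre-flight checks before mailing the CSR. Returns 0 if everything is in order.
verify_csr() {
  csr=$1
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' \
    || { echo "CSR self-signature does not verify"; return 1; }
  subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253)
  for want in 'CN=Document signing service' 'OU=Production' 'O=ACME AB' \
              'C=SE' 'organizationIdentifier=556677-8888'; do
    case "$subj" in *"$want"*) ;; *) echo "Subject DN lacks $want: $subj"; return 1 ;; esac
  done
  openssl req -in "$csr" -noout -text | grep -q 'Public-Key: (2048 bit)' \
    || { echo "public key is not 2048 bit"; return 1; }
  # CN, OU, O and organizationIdentifier must be UTF8String; no legacy string types.
  asn1=$(openssl asn1parse -in "$csr")
  utf8=$(printf '%s\n' "$asn1" | grep -c 'UTF8STRING' || true)
  [ "$utf8" -eq 4 ] || { echo "expected 4 UTF8String attributes, found $utf8"; return 1; }
  if printf '%s\n' "$asn1" | grep -Eq 'T61STRING|BMPSTRING|IA5STRING'; then
    echo "legacy string type in Subject DN"; return 1
  fi
  return 0
}

# Stand-in for step 4: a throw-away local CA (NOT the Freja eID CA) issues the
# certificate so the rest of the flow can be exercised offline.
issue_with_test_ca() {   # $1 csr, $2 config, $3 out cert, $4 out CA cert
  cakey=$WORK/testca.key
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$cakey" -out "$4" -days 1 \
    -config "$2" -subj '/CN=Example Test Issuing CA/O=Example/C=SE' \
    -addext 'basicConstraints=critical,CA:TRUE' \
    -addext 'keyUsage=critical,keyCertSign,cRLSign' 2>/dev/null
  openssl x509 -req -in "$1" -CA "$4" -CAkey "$cakey" -CAcreateserial -days 1 \
    -out "$3" 2>/dev/null
}

# Step 5: the keystore. -chain makes OpenSSL actually use -CAfile and embed the
# issuer chain next to your certificate; -certpbe avoids the legacy RC2-40
# certificate-bag encryption that OpenSSL 1.1.x would otherwise use.
build_keystore() {   # $1 cert, $2 key, $3 CA chain file, $4 out .pfx
  openssl pkcs12 -export -chain -CAfile "$3" -in "$1" -inkey "$2" -passin env:KEY_PASS \
    -aes256 -certpbe AES-256-CBC -passout env:P12_PASS -out "$4"
}

# Number of certificates in the keystore: your certificate plus its chain.
keystore_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

CONF=$WORK/freja_openssl.conf
write_config "$CONF"
generate_key "$WORK/rp.key"
generate_csr "$WORK/rp.key" "$CONF" "$WORK/rp.csr"
verify_csr "$WORK/rp.csr"
issue_with_test_ca "$WORK/rp.csr" "$CONF" "$WORK/rp.cer" "$WORK/testca.crt"
build_keystore "$WORK/rp.cer" "$WORK/rp.key" "$WORK/testca.crt" "$WORK/rp.pfx"
echo "CSR checks passed; $WORK/rp.pfx holds $(keystore_cert_count "$WORK/rp.pfx") certificates"
```

With the real Freja eID chain you would pass "Freja eID Production Certificates.pem" to build_keystore instead of the test CA certificate, and the keystore would then hold your certificate plus the root and issuing CA certificates; the CSR checks are exactly the ones worth running before sending the request to partner support.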