Public and private certificates generation for later use in Connect Service Bus
To achieve secure communication between the source and destination MA, message content is encrypted using certificates. The source MA uses the public X.509 certificate of the destination MA to encrypt the entire data content. The destination MA, which holds the private key belonging to its own X.509 certificate, then decrypts the message with that private key.
The SDK package contains a batch file with the commands needed to generate a certificate pair. It is based on OpenSSL, the SSL/TLS toolkit embedded in the SDK package. Execute generate-certificates.bat to create the certificates.
You will be asked to enter information that will be incorporated into your certificate. There are a few fields, and some of them can be left blank. Please take a look at the following example:
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:Otto-Fleck-Schneise 6
Organisation Name (eg, company) [Internet Widgits Pty Ltd]:Deutscher Fussball-Bund
Organisational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:info@dfb.de
Moreover, you will be prompted to enter a secure password for the private key and an export password for the PKCS#12 file. PKCS#12 is an archive format commonly used to bundle a private key with its X.509 certificate; the file can be imported later into other software using the export password entered here.
The following files will be created in the openssl_output folder after running the batch file:
public_cert.pem: file with the public certificate - should be uploaded to Connect Service Bus so senders can use it to encrypt messages
private_key.pem: file containing the created private key - should be kept confidential
certificate.pfx: password-protected PKCS #12 file containing the created private key and public certificate - should be kept confidential
Please note that the generated certificate will expire in 2 years (unless this is changed in generate-certificates.bat).
To encrypt a message, only the public_cert.pem file is used, and it is stored in the central Connect Service Bus infrastructure. The certificate.pfx file is used locally by the MA to decrypt received messages and must be kept confidential, together with private_key.pem.
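The whole flow described above (key and 2-year certificate generation, the PKCS#12 export, and the encrypt-with-public-certificate / decrypt-with-private-key round trip) reproduced with plain OpenSSL commands, as an added example that is not the SDK's generate-certificates.bat. The output folder name mirrors the SDK's; the passwords, subject fields and the use of CMS as the envelope format are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the SDK's own batch file. Assumed names/passwords below.
set -e

OUT="${OUT:-openssl_output}"                      # same folder name the SDK uses
KEY_PASS="${KEY_PASS:-change-me-key}"             # assumed private-key password
EXPORT_PASS="${EXPORT_PASS:-change-me-export}"    # assumed PKCS#12 export password

# Generate the MA's private key (encrypted with KEY_PASS) and a self-signed
# X.509 certificate valid for 2 years (730 days), as the SDK batch file does.
generate_certificates() {
    mkdir -p "$OUT"
    openssl req -x509 -newkey rsa:2048 -days 730 \
        -keyout "$OUT/private_key.pem" -out "$OUT/public_cert.pem" \
        -passout "pass:$KEY_PASS" \
        -subj "/C=DE/O=Example MA/emailAddress=ma@example.invalid" 2>/dev/null
    # Bundle private key + certificate into a password-protected PKCS#12 file.
    openssl pkcs12 -export -inkey "$OUT/private_key.pem" \
        -in "$OUT/public_cert.pem" \
        -passin "pass:$KEY_PASS" -passout "pass:$EXPORT_PASS" \
        -out "$OUT/certificate.pfx"
}

# Source MA side: only the destination's public certificate is needed.
encrypt_message() {  # $1 = plaintext file, $2 = output file (DER CMS envelope)
    openssl cms -encrypt -aes-256-cbc -binary -outform DER \
        -in "$1" -out "$2" "$OUT/public_cert.pem"
}

# Destination MA side: the private key never leaves this host.
decrypt_message() {  # $1 = ciphertext file, $2 = output file
    openssl cms -decrypt -inform DER -in "$1" -out "$2" \
        -inkey "$OUT/private_key.pem" -passin "pass:$KEY_PASS" \
        -recip "$OUT/public_cert.pem"
}

# Operational check: confirm the expiry date so renewal can be scheduled.
cert_not_after() {
    openssl x509 -in "$OUT/public_cert.pem" -noout -enddate
}
```

Renewal of the certificate before the 2-year expiry means regenerating the pair and re-uploading the new public_cert.pem; messages encrypted to the old certificate remain decryptable only with the old private key.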
To upload a certificate, use the console application located in the certificate-upload-console folder, intended for computers running Windows. The application supports the following parameters:
p: path to certificate
c: client id
k: secret key
e: environment
If any parameter is not provided, the application will ask for it. If the console application can't be used, the certificate can be uploaded using the Connect Service Bus SDK. To see how, please refer to the FIFA Connect Service Bus SDK documentation.