
Certificates

Danger

Important information about the sedex participant certificates

  • The private key assigned to a sedex participant certificate is only contained in the PKCS#12 keystore file (p12) of the sedex client configuration and must be kept secret.

  • It is prohibited to extract the keystore files (p12) or the private keys contained therein from the sedex client configuration and to use them outside the sedex client. The keystore file (p12) may only be kept outside the sedex client for file backup purposes.

  • The sedex platform can replace the participant certificates with new ones and revoke the old ones at any time. Therefore, the backup process should automatically include new keystore files (p12) and the file sedex-certificate-configuration.xml in the file backup.

The participant certificates and the sedex server trust stores are configured using a separate certificate configuration file:

<sedex_home>/conf/sedex-certificate-configuration.xml

Note: The sedex Client normally automatically ensures that the values in this configuration file are set correctly. Manually changing the configuration is not recommended and not necessary.

Below is the structure of the certificate configuration file:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <certificateConfiguration
        xmlns="http://www.sedex.ch/xmlns/certificateConfiguration/1/0">
        <privateCertificate>
            <location>** path to private certificate of participant **</location>
            <password>** password to private certificate **</password>
        </privateCertificate>
        <transportCertificate>
            <location>
                ${sedex.home}/conf/certificates/sedex-transport-encryption.cer
            </location>
        </transportCertificate>
        <webserviceTruststore>
            <location>
                ${sedex.home}/conf/certificates/sedex-server-truststore.jks
            </location>
            <password>trustme</password>
            <truststoretype>JKS</truststoretype>
        </webserviceTruststore>
    </certificateConfiguration>

The field “location” must point to the key store file (PKCS#12 format, p12) that contains the participant's private key. The field “password” must contain the password of that key store file.

Note: Normally a participant has only one valid key store with the private certificate configured at any given time. However, several key store entries can exist: during an automatic certificate renewal a new certificate entry is added and the former entry is marked as renewed. Renewed certificate entries are deleted after a period of 60 days.

The following snippet shows a certificate configuration with multiple entries:

    [...]
    <privateCertificate>
        <location>** path to key store 1 **</location>
        <password>** password to key store 1 **</password>
    </privateCertificate>
    <privateCertificate>
        <location>** path to disabled key store 2 **</location>
        <password>** password to disabled key store 2 **</password>
        <renewed>2019-12-04+01:00</renewed>
    </privateCertificate>
    [...]

Initial certificate requests

Clients without an existing participant certificate can request a new participant certificate, which is then created and installed automatically. In this case there is no <privateCertificate> entry; instead an <initialCertificateRequest> entry holding the certificate request data is present:

    [...]
    <initialCertificateRequest>
        <requestId>SETUP_REQUEST_ID(CRID)</requestId>
        <oneTimePassword>SETUP_ONE_TIME_PASSWORD(OTP)</oneTimePassword>
    </initialCertificateRequest>
    [...]

Note: The required input elements (CRID, OTP) must be requested from your responsible sedex domain administrator or from FSO’s sedex Customer Support. They are sent to you over two separate communication channels.

Specific additional elements

Depending on the life cycle of a certificate, the sedex Client can decorate certificate configuration entries with additional elements.

<restriction>

Set and used by the automatic certificate renewal process.

    [...]
    <privateCertificate>
        <location>( path to key store )</location>
        <password>( password to key store )</password>
        <restriction>READONLY</restriction>
    </privateCertificate>
    [...]

Possible restriction values are:

| Restriction Type | Impact |
|---|---|
| READONLY | This certificate cannot be used for sending messages, only for receiving |
| DISABLED | This certificate cannot be used at all |
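The following script is an added example and is not part of the sedex client or its documentation. It parses the configuration structure described above (multiple <privateCertificate> entries, the <renewed> marker with its 60-day retention, the <restriction> values, and a pending <initialCertificateRequest>), reports which key store may be used for sending or receiving, and lists the files a backup has to contain. The two embedded XML documents are constructed samples; `/opt/sedex`, the key store file names, the passwords and the CRID in them are placeholders, not real values.

```python
"""Inspect a sedex-certificate-configuration.xml (added example, not sedex client code)."""
import re
import xml.etree.ElementTree as ET
from datetime import date

NS = {"c": "http://www.sedex.ch/xmlns/certificateConfiguration/1/0"}
RENEWED_RETENTION_DAYS = 60  # renewed entries are deleted after 60 days

# Constructed sample: one active entry, one renewed (replaced) entry, one READONLY entry.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<certificateConfiguration xmlns="http://www.sedex.ch/xmlns/certificateConfiguration/1/0">
  <privateCertificate>
    <location>${sedex.home}/conf/certificates/participant-new.p12</location>
    <password>placeholder-1</password>
  </privateCertificate>
  <privateCertificate>
    <location>${sedex.home}/conf/certificates/participant-old.p12</location>
    <password>placeholder-2</password>
    <renewed>2019-12-04+01:00</renewed>
  </privateCertificate>
  <privateCertificate>
    <location>${sedex.home}/conf/certificates/participant-ro.p12</location>
    <password>placeholder-3</password>
    <restriction>READONLY</restriction>
  </privateCertificate>
  <transportCertificate>
    <location>${sedex.home}/conf/certificates/sedex-transport-encryption.cer</location>
  </transportCertificate>
</certificateConfiguration>
"""

# Constructed sample of a client that has no participant certificate yet.
INITIAL_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<certificateConfiguration xmlns="http://www.sedex.ch/xmlns/certificateConfiguration/1/0">
  <initialCertificateRequest>
    <requestId>CRID-PLACEHOLDER</requestId>
    <oneTimePassword>OTP-PLACEHOLDER</oneTimePassword>
  </initialCertificateRequest>
</certificateConfiguration>
"""


def _text(elem, name):
    """Text of the child element `name`, whitespace stripped, or None if absent."""
    child = elem.find(f"c:{name}", NS)
    return child.text.strip() if child is not None and child.text else None


def expand_location(location, sedex_home):
    """Resolve the ${sedex.home} placeholder used in the configuration file."""
    return location.replace("${sedex.home}", sedex_home)


def parse_renewed(value):
    """<renewed> holds an xsd:date with zone offset (2019-12-04+01:00); keep the date part."""
    m = re.match(r"(\d{4}-\d{2}-\d{2})", value)
    if not m:
        raise ValueError(f"unexpected <renewed> value: {value!r}")
    return date.fromisoformat(m.group(1))


def classify(entry):
    """Reduce an entry's decorations to one status: active, readonly, disabled or renewed."""
    restriction = (_text(entry, "restriction") or "").upper()
    if restriction == "DISABLED":
        return "disabled"
    if restriction == "READONLY":
        return "readonly"
    if _text(entry, "renewed") is not None:
        return "renewed"
    return "active"


def usable_for(status, action):
    """READONLY receives only; renewed and DISABLED entries are not used at all."""
    if action == "send":
        return status == "active"
    if action == "receive":
        return status in ("active", "readonly")
    raise ValueError(f"unknown action {action!r}")


def keystore_status(xml_text, sedex_home, today):
    """One record per <privateCertificate>: resolved path, status, renewal age."""
    root = ET.fromstring(xml_text)
    result = []
    for entry in root.findall("c:privateCertificate", NS):
        renewed = _text(entry, "renewed")
        days = (today - parse_renewed(renewed)).days if renewed else None
        result.append({
            "location": expand_location(_text(entry, "location"), sedex_home),
            "status": classify(entry),
            "days_since_renewed": days,
            "due_for_removal": days is not None and days >= RENEWED_RETENTION_DAYS,
        })
    return result


def pending_initial_request(xml_text):
    """Return the CRID if the client is still waiting for its first certificate, else None."""
    req = ET.fromstring(xml_text).find("c:initialCertificateRequest", NS)
    return _text(req, "requestId") if req is not None else None


def backup_set(xml_text, sedex_home):
    """Files a backup must contain: the configuration file itself plus every key store."""
    files = {f"{sedex_home}/conf/sedex-certificate-configuration.xml"}
    for item in keystore_status(xml_text, sedex_home, date.today()):
        files.add(item["location"])
    return files


if __name__ == "__main__":
    for item in keystore_status(SAMPLE_XML, "/opt/sedex", date.today()):
        print(item)
    print(sorted(backup_set(SAMPLE_XML, "/opt/sedex")))
```

Because the key store password sits in clear text next to the key store path, the configuration file deserves the same file permissions and backup handling as the p12 files themselves; a backup that captures the p12 files but not this file, or vice versa, cannot restore a working client.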

<optionalInfo>

Used for documentation purposes with additional information about the certificate.

    <privateCertificate>
        <location>(path to key store)</location>
        <password>(password to key store)</password>
        <optionalInfo>
            <issuer>CN=vAdminCA-CD-T01,OU=Certification[...]</issuer>
            <serial>4545</serial>
            <expirydate>2012-06-19T13:34:50.000+02:00</expirydate>
        </optionalInfo>
    </privateCertificate>