Mutual TLS Certificates


Create Mutual TLS Certificates

Mutual TLS (mTLS) certificates provide an enhanced layer of security by requiring the client to present a valid certificate verified by the Provider Connectivity Assurance system. This guide outlines the process for generating, signing, and validating certificates used for secure RESTCONF API authentication.

Step 1: Generate Client Key and CSR

First, generate a private key and Certificate Signing Request (CSR) locally on your machine:

# Generate key and CSR for a user (e.g., "nso-user")
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj "/CN=nso-user"

Step 2: Sign the CSR via Provider Connectivity Assurance Mutual Distribution API

Use your Bearer or PAT token to sign the CSR.
Note: This process utilizes the Distribution API endpoint, not the standard RESTCONF interface.

# Sign the CSR - NOTE: This is the distribution API endpoint, not RESTCONF!
curl -sk -X POST "https://<PCA_IP>/distribution/sign-csr?certduration=2160&format=pem&requestedUsername=nso-user&assignedRoles=tenant-admin,tenant-contributor,ug_all_data_access" \
    -H "Authorization: Bearer <TOKEN>" \
    -H "Content-Type: application/octet-stream" \
    --data-binary @client.csr \
    -o client.pem

Parameters:

Parameter          Description                    Example
certduration       Certificate validity in hours  2160 (90 days)
format             Output format                  pem
requestedUsername  Username embedded in cert      nso-user
assignedRoles      Comma-separated roles          tenant-admin,tenant-contributor

Step 3: Verify the Certificate

Ensure the certificate was generated correctly by checking the details:

# Check certificate details
openssl x509 -in client.pem -noout -subject -issuer -dates

Step 4: Validate mTLS Certificate with Provider Connectivity Assurance

Before using the certificate for RESTCONF, validate that it is recognized by the Provider Connectivity Assurance authentication system:

# Validate mTLS certificate
curl -sk --cert client.pem --key client.key \
    "https://<PCA_IP>/api/v1/auth/cert/validate/authorization"

Expected response: A success message indicating the certificate is valid and authorized.
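The four steps above, collected into reusable shell functions. This is an added example, not part of the Cisco guide or the Provider Connectivity Assurance product; it assumes the exact endpoint paths quoted above, uses PCA_IP and TOKEN as placeholders, and adds one local check the guide does not spell out: that the CN in the issued certificate is the username that was requested and that the certificate has not already expired, before the certificate is presented to the validation endpoint.

```shell
#!/bin/sh
# Added example (not Cisco's code): the mTLS certificate workflow as shell
# functions. PCA_IP and TOKEN are placeholders to be replaced by the caller.

# Build the distribution-API sign-csr URL from its query parameters (Step 2).
sign_csr_url() {
    # $1 PCA host, $2 validity in hours, $3 username, $4 comma-separated roles
    printf 'https://%s/distribution/sign-csr?certduration=%s&format=pem&requestedUsername=%s&assignedRoles=%s' \
        "$1" "$2" "$3" "$4"
}

# Step 1: private key plus CSR with the username as the CN.
generate_csr() {
    # $1 username, $2 key path, $3 csr path
    openssl req -newkey rsa:2048 -nodes -keyout "$2" -out "$3" -subj "/CN=$1" 2>/dev/null
}

# Step 2: submit the CSR with a bearer token and save the signed certificate.
sign_csr() {
    # $1 sign-csr url, $2 bearer token, $3 csr path, $4 output cert path
    curl -sk -X POST "$1" -H "Authorization: Bearer $2" \
        -H "Content-Type: application/octet-stream" --data-binary @"$3" -o "$4"
}

# Step 3: extract the CN from the subject; handles both the "CN = x" and the
# older "/CN=x" subject formats that openssl prints.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Local sanity check: CN matches the requested user and the certificate is
# currently valid (-checkend 0 fails once notAfter has passed).
cert_ok_for_user() {
    # $1 cert path, $2 expected username
    [ "$(cert_cn "$1")" = "$2" ] && openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Step 4: ask PCA whether it accepts the certificate for authorization.
validate_cert() {
    # $1 PCA host, $2 cert path, $3 key path
    curl -sk --cert "$2" --key "$3" "https://$1/api/v1/auth/cert/validate/authorization"
}

# Usage against a real system (placeholders; not executed here):
#   generate_csr nso-user client.key client.csr
#   sign_csr "$(sign_csr_url PCA_IP 2160 nso-user tenant-admin,tenant-contributor)" \
#       "$TOKEN" client.csr client.pem
#   cert_ok_for_user client.pem nso-user && validate_cert PCA_IP client.pem client.key
```

The local check is cheap and catches the two common mistakes before any request reaches the validation endpoint: a CSR generated with the wrong CN, and a certificate whose certduration has already elapsed. The sign and validate functions keep the -k (insecure) flag from the guide, which skips verification of the PCA server certificate; once the PCA CA is trusted locally, drop -k so the client also authenticates the server side of the mutual TLS session.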

© 2026 Cisco and/or its affiliates. All rights reserved.
