I am in a situation where my software is calling a third party web service (SOAP) and using WS-Security for client authentication using a client certificate and digital signing of the message contents. The vendor requires that the certificate I send them has a trust chain that originates from a trusted authority (Verisign, Thawte, etc) – They will not allow me to self-sign.
When you go to sites who sell certificates, most only have 3 options:
- SSL Certificates
- "Code Signing" Certificates
- "Document Signing" Certificates
"Document signing" seems like the closest to what I need, but much of the literature on the sites talks about how they can be used to sign Word and PDF documents for an extra layer of security for actually having a human "sign" for a document.
Is there any way to buy a certificate specifically for automated binary payload/message signing that will work with WS-Security and is not rate-limited? (e.g. some sites require timestamping and 'phoning home' to be able to track how many documents you have signed)
This seems like it would be a common request for B2B scenarios, but there is very little out there in terms of documentation.
Best Answer
Start with a Client authentication certificate which probably is good enough. You have two options:
1) Buy an email certificate. These are also client certificates and allow signing and are cheap.
2) Get a free server certificate from Letsencrypt. These come with the extensions below that might be good enough for your use case:
The only challenge for these is that you need to own a valid domain to request them. The good news is that the certificate is free.
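Whichever of the two routes you take, it is worth checking the issued certificate before uploading it to the vendor. The script below is an added example, not part of the question or the answer: it inspects a PEM certificate for the digitalSignature key usage, a clientAuth or emailProtection EKU, and a CA-issued (not self-signed) chain, and assumes only that the `openssl` CLI (1.1.1 or newer) is on PATH; the throwaway CA and leaf it builds are constructed for the demonstration.

```shell
# Added example: check whether a PEM certificate looks usable for WS-Security
# message signing before handing it to the vendor. Assumes the openssl CLI
# (1.1.1 or newer, for -ext and -addext) is on PATH.

# Prints one line per check and returns 0 only if all three pass:
#   1. keyUsage includes digitalSignature (needed to sign the SOAP body)
#   2. extendedKeyUsage includes clientAuth or emailProtection (the client
#      and email certificate types the answer recommends)
#   3. issuer differs from subject (not self-signed, which the vendor rejects)
check_wss_signing_cert() {
    cert="$1"
    ok=0
    ku=$(openssl x509 -in "$cert" -noout -ext keyUsage 2>/dev/null || true)
    eku=$(openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null || true)
    subject=$(openssl x509 -in "$cert" -noout -subject)
    issuer=$(openssl x509 -in "$cert" -noout -issuer)
    if printf '%s\n' "$ku" | grep -q 'Digital Signature'; then
        echo "ok:   keyUsage has digitalSignature"
    else
        echo "FAIL: keyUsage lacks digitalSignature"; ok=1
    fi
    if printf '%s\n' "$eku" | grep -Eq 'TLS Web Client Authentication|E-mail Protection'; then
        echo "ok:   extendedKeyUsage allows clientAuth or emailProtection"
    else
        echo "FAIL: extendedKeyUsage lacks clientAuth/emailProtection"; ok=1
    fi
    if [ "${subject#subject=}" != "${issuer#issuer=}" ]; then
        echo "ok:   issued by a separate CA (${issuer#issuer=})"
    else
        echo "FAIL: self-signed (subject equals issuer)"; ok=1
    fi
    return $ok
}

# Builds a constructed two-level chain (throwaway CA -> client leaf) in a temp
# directory so the check can be exercised offline; prints the directory path.
make_constructed_certs() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=constructed-ca' \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=constructed-client' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    printf 'keyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$d/ext.cnf"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/ext.cnf" -out "$d/leaf.pem" 2>/dev/null
    echo "$d"
}
```

Against a purchased certificate, run `check_wss_signing_cert path/to/your-cert.pem`; the constructed chain is only there so the three checks can be seen passing on the leaf and failing on the self-signed CA.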