====== 5.3 Certificate Authentication ======
Client identification via PQ certificates.
===== Main Certificate =====
The developer certificate is issued by the internal CA.
<code bash>
# Request certificate (ML-DSA-65 keys need OpenSSL 3.5 or newer)
openssl req -new -newkey ml-dsa-65 -keyout dev.key -out dev.csr
# Send CSR to CA
# After approval: receive dev.crt
</code>
===== Use Certificate =====
<code bash>
# API call with client certificate
curl --cert dev.crt --key dev.key \
  https://gateway.intern:443/api/v1/dsn/demo/tables
</code>
===== In Applications =====
<code csharp>
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;

// Load the developer certificate together with its private key from the PKCS#12 file
var handler = new HttpClientHandler();
handler.ClientCertificates.Add(
    new X509Certificate2("dev.pfx", "password"));
using var client = new HttpClient(handler);
var response = await client.GetAsync("https://gateway.intern/api/v1/dsn/demo/tables");
response.EnsureSuccessStatusCode();
</code>
===== Certificate Validation =====
The server checks:
- Is the certificate valid (not expired)?
- Was it signed by our CA?
- Is it not revoked (CRL/OCSP)?
- Does it have the required extensions?
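The following script is an added example, not part of this page or of the WvdS library. It shows the CA-side signing step that the "Main Certificate" section leaves implicit, and then runs the four server checks listed above with ''openssl''. Assumptions: the "required extensions" are taken to be ''extendedKeyUsage=clientAuth'' plus ''keyUsage=digitalSignature'' (the page does not name them), and the throwaway test PKI uses EC keys so it runs on any OpenSSL 1.1.1 or newer, whereas the internal CA issues ML-DSA-65 certificates.

```shell
#!/usr/bin/env bash
# Added example: issuing a client certificate and re-running the gateway's
# checks offline. The test PKI is constructed data (EC keys), not the
# internal CA's ML-DSA-65 material.
set -u

# Sign a CSR with the CA, adding the extensions the gateway requires.
# Assumed policy: clientAuth EKU and digitalSignature key usage.
issue_client_cert() {
  local csr=$1 ca_crt=$2 ca_key=$3 out=$4 days=${5:-365}
  local ext rc
  ext=$(mktemp)
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$ext"
  openssl x509 -req -in "$csr" -CA "$ca_crt" -CAkey "$ca_key" -CAcreateserial \
    -days "$days" -extfile "$ext" -out "$out" >/dev/null 2>&1
  rc=$?
  rm -f "$ext"
  return $rc
}

# The four checks from the list above, in order. Prints the first failing
# check (or "ok") and returns non-zero on failure.
validate_client_cert() {
  local cert=$1 ca_crt=$2 crl=${3:-}
  # 1. validity period: -checkend 0 fails if the certificate is already expired
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "expired"; return 1; }
  # 2. chain to our CA, and 3. revocation when a CRL is supplied
  if [ -n "$crl" ]; then
    openssl verify -CAfile "$ca_crt" -CRLfile "$crl" -crl_check "$cert" >/dev/null 2>&1 \
      || { echo "chain or revocation check failed"; return 1; }
  else
    openssl verify -CAfile "$ca_crt" "$cert" >/dev/null 2>&1 \
      || { echo "not signed by our CA"; return 1; }
  fi
  # 4. required extensions (assumed policy: clientAuth EKU must be present)
  openssl x509 -in "$cert" -noout -text 2>/dev/null \
    | grep -q 'TLS Web Client Authentication' \
    || { echo "missing clientAuth EKU"; return 1; }
  echo "ok"
}

# Build a throwaway CA and a signed client certificate in $1 (constructed test data).
make_test_pki() {
  local dir=$1
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 1 \
    -subj /CN=TestCA -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj /CN=dev -keyout "$dir/dev.key" -out "$dir/dev.csr" >/dev/null 2>&1 || return 1
  issue_client_cert "$dir/dev.csr" "$dir/ca.crt" "$dir/ca.key" "$dir/dev.crt"
}

# Usage: ./check_client_cert.sh demo
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  make_test_pki "$tmp" && validate_client_cert "$tmp/dev.crt" "$tmp/ca.crt"
  rm -rf "$tmp"
fi
```

In the demo, a certificate signed by a different CA fails check 2 and one signed without the extension file passes the chain check but fails check 4, which is why the issuing step and the validation step have to agree on the extension policy. A real deployment keeps the CRL (or an OCSP responder) current and passes it as the third argument; without it, check 3 is silently skipped.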
===== PQ-Crypto Library =====
For programmatic creation and management of PQ certificates see the **WvdS.System.Security.Cryptography** library:
* [[..:..:..:..:..:pqcrypt:developer:beispiele:start|Developer Examples (CSR, PKI)]]
* [[..:..:..:..:..:pqcrypt:api:wvds-system-security-cryptography:x509certificates:start|X509Certificates API]]
* [[..:..:..:..:..:pqcrypt:api:wvds-system-security-cryptography:x509certificates:certificaterequestextensions|CertificateRequest Extensions]]