5.3 Certificate Authentication

Client identification via PQ certificates.

The developer certificate is issued by the internal CA.

# Request certificate
openssl req -new -newkey ml-dsa-65 -keyout dev.key -out dev.csr
 
# Send CSR to CA
# After approval: receive dev.crt

# API call with client certificate
curl --cert dev.crt --key dev.key \
     https://gateway.intern:443/api/v1/dsn/demo/tables

var handler = new HttpClientHandler();
handler.ClientCertificates.Add(
    new X509Certificate2("dev.pfx", "password"));
 
var client = new HttpClient(handler);
var response = await client.GetAsync("https://gateway.intern/api/v1/dsn/demo/tables");

The server checks:

1. Is the certificate valid (not expired)?
2. Was it signed by our CA?
3. Is it not revoked (CRL/OCSP)?
4. Does it have the required extensions?

For programmatic creation and management of PQ certificates see the WvdS.System.Security.Cryptography library:

• Developer Examples (CSR, PKI)
• X509Certificates API
• CertificateRequest Extensions