Mutual Transport Layer Security (mTLS)
The Mutual Transport Layer Security (mTLS) protocol guarantees mutual authentication and encrypted communication, preventing interception of traffic or impersonation of either system.
Configuration – Mutual Transport Layer Security (mTLS) availability
If you were working with Treezor before mTLS authentication became available, you will have to migrate to the new services.
Introduction
Mutual TLS ensures that the parties at each end of the network connection are who they claim to be, by verifying that each of them holds the private key matching its certificate.
This protocol relies on the exchange of Transport Layer Security (TLS) certificates. TLS certificates contain the necessary information for verifying the server or device identity, such as the public key, a statement of who issued the certificate, and the expiration date.
Setting up your certificates
To use mTLS, you need to send 2 Certificate Signing Requests (CSR) to Treezor. Together with your private key, the resulting certificates let you complete the TLS negotiation.
In return, Treezor provides the signed certificates for you to configure your client and authenticate your requests.
You need to provide a different set of certificates for each of your Treezor environments (Sandbox and Production). If you're using PCI DSS services, you'll need yet another set of CSR files (see PCI DSS integration).
1. Create your RSA keys
You need a private key to create your certificate signing request (CSR). This key must have the following attributes:
- Type: RSA
- Format: PKCS1
- Size: 2048
Configuration – Use a different RSA key for each CSR
Your mTLS certificate and your signature certificate for signing PCI DSS requests must have different private keys.
Here is the command to run for your Sandbox; keep in mind that you'll have to do the same for your Production environment.

```sh
openssl genrsa -out <your.company.name>_privatekey_mtls.pem 2048
```
Security – Protect your private key
Don't share your private key with anyone and make sure it is stored securely (e.g., in a secure vault or key management system).
2. Create your CSR files
The Certificate Signing Request (CSR) is the request you send to a Certificate Authority (or CA, in this case Treezor) to apply for a digital identity certificate. The CSR includes the public key and additional information, such as the common name (CN) of the entity requesting the certificate.

Here is the command to run:

```sh
openssl req -new -key <your.company.name>_privatekey_mtls.pem -out <your.company.name>_csr_mtls.pem
```
Then use the information in the table below to complete the CSR information.
| Information | Description |
|---|---|
| Country | The two-letter country code representing the country where the organization is located. |
| State / Province | The state or province where the organization is located (e.g., Brittany, IdF). |
| Locality | The locality or city where the organization is located. |
| Organization Name | The legal name of the organization to which the entity belongs. This could be the company, department, or other organizational unit. |
| Organizational Unit | (optional) The specific unit within the organization. For example, "IT Department" or "Marketing". |
| Common Name | Usually, the fully qualified domain name (FQDN) for which the certificate is being requested. For example, if the certificate is for a website, the CN might be the domain name (e.g., https://yourcompany.com). |
| Email Address | The email address of the organization. |
3. Ask Treezor to generate your certificates
CSR files and certificates aren't considered sensitive data. This is why you can exchange them by email.
- Send your CSR files to your Treezor Technical Account Manager.
- Treezor will send you back the signed certificates.
Security – Don't send your private keys, only the CSR files
If you were to send us your private key, you would have to generate a new one and start the process from scratch.
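Steps 1 to 3 above as one script, added here as an example; it is not part of Treezor's documentation or tooling. It assumes OpenSSL 1.1.1 or 3.x on PATH and uses `yourcompany` in place of `<your.company.name>`; the subject fields are constructed sample values. One caveat worth knowing: OpenSSL 3.x writes `genrsa` output in PKCS#8 form (`BEGIN PRIVATE KEY`) by default, so the script passes `-traditional` to obtain the PKCS#1 form listed above and falls back to the plain command on OpenSSL 1.1.1, which already writes PKCS#1. The last check refuses to mark a file as sendable if it contains private key material.

```shell
#!/bin/sh
# Added example (not Treezor's own tooling): generate an mTLS private key and CSR
# that meet the requirements above, then verify them before sending the CSR.
# Assumptions: OpenSSL 1.1.1 or 3.x on PATH; "yourcompany" stands in for <your.company.name>.
set -eu

# Generate a 2048-bit RSA key in PKCS#1 ("BEGIN RSA PRIVATE KEY") form.
# OpenSSL 3.x writes PKCS#8 unless -traditional is given; OpenSSL 1.1.1 writes
# PKCS#1 already and rejects the flag, hence the fallback.
gen_key() {
    key="$1"
    openssl genrsa -traditional -out "$key" 2048 2>/dev/null \
        || openssl genrsa -out "$key" 2048 2>/dev/null
    chmod 600 "$key"
}

# Return 0 only if the key is RSA, PKCS#1-encoded and exactly 2048 bits.
check_key() {
    key="$1"
    head -n 1 "$key" | grep -q '^-----BEGIN RSA PRIVATE KEY-----$' || return 1
    bits=$(openssl rsa -in "$key" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p')
    [ "$bits" = "2048" ]
}

# Create the CSR non-interactively; the -subj fields mirror the table above
# (constructed sample values, replace with your organization's data).
gen_csr() {
    key="$1"; csr="$2"
    openssl req -new -key "$key" -out "$csr" \
        -subj "/C=FR/ST=IdF/L=Paris/O=Your Company/OU=IT Department/CN=yourcompany.com/emailAddress=security@yourcompany.com"
}

# Verify the CSR's self-signature and that its public key belongs to our private key.
check_csr() {
    key="$1"; csr="$2"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    key_pub=$(openssl rsa -in "$key" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# Last check before emailing: refuse any file that carries private key material.
safe_to_send() {
    ! grep -q 'PRIVATE KEY' "$1"
}

workdir=$(mktemp -d)
KEY="$workdir/yourcompany_privatekey_mtls.pem"
CSR="$workdir/yourcompany_csr_mtls.pem"
gen_key "$KEY"
gen_csr "$KEY" "$CSR"

if check_key "$KEY" && check_csr "$KEY" "$CSR" && safe_to_send "$CSR"; then
    echo "ready: send $CSR (never $KEY) to your Treezor Technical Account Manager"
else
    echo "checks failed; do not send anything" >&2
fi
```

Run the same script a second time with `_pci` in place of `_mtls` to produce the separate key and CSR for PCI DSS signing, since the two must not share a private key. Once Treezor returns the signed certificate, the key and certificate pair is what your HTTP client presents, for example with curl's generic `--cert` and `--key` options (assumed general curl usage, not a Treezor-specific endpoint).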
Renewing your certificates
Your certificates have a given validity period. You need to contact Treezor about a month before their expiration date to set up new ones.
Here is the command to run to check the start and end dates of a certificate. Run it against the signed certificate Treezor returned, not against the CSR, since a CSR carries no validity dates:

```sh
openssl x509 -startdate -enddate -noout -in <your.company.name>_certificate_<certificate.type>.pem
```

It outputs the following:

```
notBefore=Jan 22 12:25:04 2024 GMT
notAfter=Jan 22 13:25:04 2025 GMT
```
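As an added example (not Treezor's own tooling), a small check that turns the expiry date into a renewal decision: it wraps the date command above and uses `openssl x509 -checkend` with a 30-day window, matching the "about a month before" guidance. The two certificates it inspects are constructed self-signed samples generated in a temporary directory; in practice you would point `renewal_due` at the certificate Treezor signed for you.

```shell
#!/bin/sh
# Added example (not Treezor's own tooling): decide whether a certificate is due
# for renewal, i.e. whether it expires within the ~30-day window the text asks
# you to plan for. Assumptions: OpenSSL 1.1.1 or 3.x on PATH; the certificates
# below are constructed self-signed samples standing in for the ones Treezor signs.
set -eu

RENEW_WINDOW_DAYS=30

# Print the validity period, same output shape as the command above.
validity() {
    openssl x509 -startdate -enddate -noout -in "$1"
}

# Return 0 (true) if the certificate expires within RENEW_WINDOW_DAYS or has
# already expired, 1 if it is still comfortably valid.
# -checkend takes seconds and exits 1 when the certificate expires within that time.
renewal_due() {
    ! openssl x509 -noout -checkend $((RENEW_WINDOW_DAYS * 24 * 3600)) -in "$1" >/dev/null
}

# Build a throwaway self-signed certificate: $1 = output file, $2 = days of validity.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "${1%.pem}_key.pem" -out "$1" \
        -days "$2" -subj "/CN=sample.yourcompany.com" 2>/dev/null
}

workdir=$(mktemp -d)
LONG_CERT="$workdir/cert_long.pem"    # valid for a year: no action yet
SHORT_CERT="$workdir/cert_short.pem"  # valid for 10 days: inside the window
make_sample_cert "$LONG_CERT" 365
make_sample_cert "$SHORT_CERT" 10

for cert in "$LONG_CERT" "$SHORT_CERT"; do
    validity "$cert"
    if renewal_due "$cert"; then
        echo "$cert: expires within $RENEW_WINDOW_DAYS days, contact Treezor to set up new certificates"
    else
        echo "$cert: no action needed yet"
    fi
done
```

Running this from a scheduled job against both your Sandbox and Production certificates gives you the month of lead time the renewal process needs, instead of discovering an expired certificate when requests start failing the TLS handshake.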
Revoking your certificates
If you suspect your private key has been compromised, you must contact Treezor immediately to revoke your certificate. You can then go through the process described in this article to set up new certificates.