Certificates are used to establish „trust“ between two parties. Certificates always consist of a public part and a private one. Usually the certificate issuer keeps the private portion secret and publishes in some form the public part.
Certificates always have a lifetime (also called expiry date). Sometimes it is long (multiple years) but the trend is to have shorter expiry (months). Only the owner of the private part can renew a certificate. Hence it is this parties‘ responsibility to renew a certificate
We have use cases where Pricefx owns the private part (e.g. SSL certificates for web services we expose) as well as where we only use/import a public part from someone else (e.g. SAML SSO).
Type of Certificate | Area | Purpose | Owner / Process | Resources |
---|---|---|---|---|
TLS/SSL certificates (Pricefx exposes a web service or page) | Access to Pricefx operated web services. Anything under the domains http://pricefx.com and http://pricefx.eu. | To secure the communication connection. These certificates are all signed and trusted by a commonly acknowledged Certificate Authority (CA). I.e. even after a certificate changes, any client should trust the new certificate by a shared CA trust. Browsers do this by default. Mileage varies for other clients (in particular in integration space). | These certificates are maintained by Pricefx. | https://api.pricefx.com/rest-api/authentication/ Pricefx only: https://pricefx.atlassian.net/wiki/spaces/EN/pages/3673391182/JWT+authentication+with+external+JWT+token+to+pricefx+partition |
TLS/SSL certificates (Pricefx as client) | Access to outside web services (customer or public). | To secure the communication connection. Just like above, but reverse. Pricefx (should) trust all commonly used CA signed certificates. However, if e.g. the customer uses self-signed certificates, they (their public part) need to be imported client-side to be trusted. | The owner of the certificate needs to renew and distribute the updated public parts before the expiry date. | |
Single sign-on (SAML Certificate) | User login to Pricefx applications | Enables single sign-on to Pricefx applications. Certificates are used to verify the SAML signature. Pricefx uses here the public certificate part from the Identity Provider. | Customer IT department issues this certificate and distributes it manually to Pricefx for installation or publishes it in the federationmetadata.xml manifest (which needs to be set as trust anchor in Pricefx). |
This explanation can be downloaded as a PowerPoint presentation here.