Certificate Management

Terminal window
# Generate all certificates automatically
make generate-docker-certs

What this creates:

  • Certificate Authority (CA) - Your own trusted root
  • Server certificates - For HTTPS endpoints
  • Client certificates - For API authentication
  • Database certificates - For encrypted connections
certs/
├── ca/                 # Certificate Authority
│   ├── ca.crt          # Root CA certificate
│   └── ca.key          # Root CA private key
├── server/             # Server certificates
│   ├── server.crt      # Server certificate
│   └── server.key      # Server private key
├── client/             # Client certificates
│   ├── client.crt      # Client certificate
│   └── client.key      # Client private key
├── postgres/           # Database SSL
│   ├── server.crt      # PostgreSQL certificate
│   └── server.key      # PostgreSQL private key
└── redis/              # Cache TLS
    ├── server.crt      # Redis certificate
    └── server.key      # Redis private key
1. Client → Opens the TLS connection
2. Server → Presents its server certificate and requests a client certificate
3. Client → Validates the server certificate against the CA and checks the hostname against the certificate's SAN
4. Client → Presents its client certificate
5. Server → Validates the client certificate against the same CA
6. Secure → Both sides are authenticated; encrypted communication established
  • TLS 1.3 - Current protocol version, enforced as the minimum
  • Mutual TLS (mTLS) - Both sides authenticate with certificates
  • 2048-bit RSA - Key size for the CA, server and client keys (the keys authenticate the peers; session encryption uses the negotiated TLS 1.3 cipher suite)
  • SHA-256 - Digest used for the certificate signatures
Terminal window
# Make authenticated API request
# --cacert is required: the CA is private, so without it curl rejects the
# server certificate. Never substitute -k/--insecure for it.
curl -X POST https://localhost:8443/api/v1/verify \
  --cacert certs/ca/ca.crt \
  --cert certs/client/client.crt \
  --key certs/client/client.key \
  -H "Content-Type: application/json" \
  -d '{
    "iban": "DE89370400440532013000",
    "name": "John Smith"
  }'
// Node.js with certificates, using the core https module.
// Note: Node's built-in fetch ignores an `agent` option; use https.request
// as below, or pass the agent to node-fetch (`agent`) / axios (`httpsAgent`).
const fs = require('fs');
const https = require('https');

const agent = new https.Agent({
  cert: fs.readFileSync('certs/client/client.crt'),
  key: fs.readFileSync('certs/client/client.key'),
  ca: fs.readFileSync('certs/ca/ca.crt'), // trust only the service CA
  // rejectUnauthorized defaults to true; do not set it to false to silence errors
});

const body = JSON.stringify({ iban: 'DE89370400440532013000', name: 'John Smith' });
const req = https.request('https://localhost:8443/api/v1/verify', {
  method: 'POST',
  agent,
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': Buffer.byteLength(body),
  },
}, (res) => {
  let data = '';
  res.on('data', (chunk) => { data += chunk; });
  res.on('end', () => console.log(res.statusCode, data));
});
req.on('error', (err) => console.error('TLS/request error:', err.message));
req.end(body);
import requests
# Use certificates with requests
response = requests.post(
'https://localhost:8443/api/v1/verify',
cert=('certs/client/client.crt', 'certs/client/client.key'),
verify='certs/ca/ca.crt',
json={'iban': 'DE89370400440532013000', 'name': 'John Smith'}
)
Terminal window
# View certificate information
openssl x509 -in certs/server/server.crt -text -noout
# Check certificate expiration
openssl x509 -in certs/server/server.crt -noout -dates
# Verify certificate chain
openssl verify -CAfile certs/ca/ca.crt certs/server/server.crt
Terminal window
# Expected output for server certificate:
Subject: CN=localhost, O=VoP Service, C=DE
Issuer: CN=VoP Service CA, O=VoP Service, C=DE
Validity: Not Before: 2024-01-01, Not After: 2026-01-01
Subject Alternative Name: DNS:localhost, IP:127.0.0.1
Terminal window
# Regenerate expiring certificates
make generate-docker-certs
# Restart services with new certificates
make restart-ecp
Terminal window
# Check when certificates expire
make check-cert-expiry
# Expected output:
# CA Certificate: 3650 days remaining
# Server Certificate: 730 days remaining
# Client Certificate: 730 days remaining
  • Development: Certificates valid for 2 years
  • Production: Recommend 90-day rotation
  • CA Certificate: Valid for 10 years
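An added example (not the project's `check-cert-expiry` target) of the check a practitioner would put in CI or cron: walk the `certs/` tree and fail if any certificate expires within a threshold. It relies on `openssl x509 -checkend`, which works the same on GNU and BSD systems, instead of parsing the `notAfter` date with `date -d`, which does not. The function name `check_cert_expiry` and the 30-day default are assumptions.

```shell
#!/bin/sh
# Added example, not part of the project's Makefile.
set -eu

# check_cert_expiry DIR [DAYS]: prints "<path> <notAfter> <OK|EXPIRING>" for
# every DIR/*/*.crt and returns 1 if any of them expires within DAYS
# (default 30). Exit status, not the printed text, is what CI should gate on.
check_cert_expiry() {
  dir="$1"; days="${2:-30}"; rc=0
  secs=$((days * 86400))
  for crt in "$dir"/*/*.crt; do
    [ -f "$crt" ] || continue
    end=$(openssl x509 -in "$crt" -noout -enddate | sed 's/^notAfter=//')
    # -checkend N exits 0 when the certificate is still valid N seconds from now
    if openssl x509 -in "$crt" -noout -checkend "$secs" >/dev/null; then
      printf '%s  %s  OK\n' "$crt" "$end"
    else
      printf '%s  %s  EXPIRING within %s days\n' "$crt" "$end" "$days"
      rc=1
    fi
  done
  return "$rc"
}

# Stand-alone usage: sh check-expiry.sh ./certs 90
if [ -d "${1:-}" ]; then
  check_cert_expiry "$1" "${2:-30}"
fi
```

Pair the threshold with the rotation policy above: for the 90-day production rotation, alerting at 30 days leaves enough time to regenerate, redeploy and confirm the handshake before anything actually expires.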
Terminal window
# Generate production certificates with custom domain
make generate-production-certs DOMAIN=your-domain.com
# This creates certificates for:
# - your-domain.com
# - api.your-domain.com
# - *.your-domain.com
Terminal window
# Set secure permissions (the key files are ca.key, server.key and client.key;
# there is no private.key or certificate.crt in the tree above)
chmod 600 certs/*/*.key
chmod 644 certs/*/*.crt
# Backup certificates securely: encrypt in one pipeline so the plaintext
# archive, which contains the CA private key, never touches disk
tar -czf - certs/ | gpg --encrypt --recipient admin@yourcompany.com \
  -o certificates-backup-$(date +%Y%m%d).tar.gz.gpg
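An added example, not part of the project's Makefile, of the audit a deploy step should run after the `chmod` above: it refuses to continue if any private key is readable by anyone but its owner, if a certificate is world-writable, or (on hosts that only consume certificates) if the root CA key is present at all. The function name `audit_cert_perms` and the `no-ca`/`allow-ca` switch are assumptions; the file layout is the one shown on this page.

```shell
#!/bin/sh
# Added example, not part of the project's Makefile.
set -eu

# audit_cert_perms DIR [no-ca|allow-ca]: returns 1 and lists offenders if a
# *.key under DIR is not mode 0600, a *.crt is world-writable, or, with
# "no-ca", DIR/ca/ca.key exists. Only the issuing host should hold ca.key:
# anywhere else it lets an attacker mint trusted client certificates.
audit_cert_perms() {
  dir="$1"; mode="${2:-allow-ca}"; rc=0

  # POSIX find: -perm 600 is an exact match, so 0640 or 0644 keys are flagged
  bad=$(find "$dir" -type f -name '*.key' ! -perm 600)
  if [ -n "$bad" ]; then
    printf 'private key not mode 0600:\n%s\n' "$bad"; rc=1
  fi

  # -perm -002: any file with the world-write bit set
  bad=$(find "$dir" -type f -name '*.crt' -perm -002)
  if [ -n "$bad" ]; then
    printf 'certificate is world-writable:\n%s\n' "$bad"; rc=1
  fi

  if [ "$mode" = "no-ca" ] && [ -f "$dir/ca/ca.key" ]; then
    printf 'CA private key present at %s/ca/ca.key; remove it from this host\n' "$dir"
    rc=1
  fi
  return "$rc"
}

# Stand-alone usage: sh audit-certs.sh ./certs no-ca
if [ -d "${1:-}" ]; then
  audit_cert_perms "$1" "${2:-allow-ca}" && echo "certificate permissions OK"
fi
```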

“Certificate verify failed”

In most cases the client simply does not trust the private CA, or is connecting to a name that is not in the server certificate's SAN. Check that the CA is passed explicitly (curl --cacert, Python verify=, Node ca:) and that you connect to localhost or 127.0.0.1, the two names in the SAN. Do not work around the error by disabling verification (-k, verify=False, rejectUnauthorized: false); that turns mTLS into unauthenticated TLS. Regenerate only when openssl verify shows the certificates have actually expired or no longer chain to the CA:

Terminal window
# Regenerate all certificates
make generate-docker-certs
make restart-ecp

“SSL handshake failed”

Terminal window
# Check certificate validity with a real handshake. -CAfile is required:
# without it s_client does not know the private CA and reports a non-zero
# verify code even when the certificates are fine.
openssl s_client -connect localhost:8443 -verify_hostname localhost \
  -CAfile certs/ca/ca.crt \
  -cert certs/client/client.crt -key certs/client/client.key
# Should show: Verify return code: 0 (ok)

“Permission denied”

Terminal window
# Fix certificate permissions (files created by Docker may be owned by root)
sudo chown -R $USER:$USER certs/
chmod 600 certs/*/*.key
chmod 644 certs/*/*.crt
Terminal window
# Clean and regenerate everything
make clean-certs
make generate-docker-certs
# Test certificate setup
make test-certificates
# Verify service can start
make ecp-status
Terminal window
# Export certificates for load balancer
make export-certs-for-lb
# Creates:
# - lb-server.crt (for load balancer)
# - lb-server.key (for load balancer)
# - ca-bundle.crt (for client validation)
Terminal window
# Export for AWS Certificate Manager
make export-certs-aws
# Export for Azure Key Vault
make export-certs-azure
# Export for Google Cloud Certificate Manager
make export-certs-gcp