This reference article describes the client SSL certificates that are used to protect Signicat’s web services.
How Signicat’s web services are protected
Signicat’s web services are protected with:
- A static password
- A client SSL certificate
The password and SSL certificate should be used to access both the SOAP services and the REST services.
There is only one static password for a service. All applications that make a web service call to Signicat must use the same password. However, applications should not share the same client SSL certificate.
SSL certificate, unilateral server authentication
Signicat uses an SSL server certificate called VeriSign Secure Site Pro with EV. This certificate is pre-installed as a trusted root certificate in the certificate store of most browsers. This enables secure communication between the end-users and Signicat.
In addition, our web services, SignatureService, DocumentAction and Archive, run on the HTTPS protocol and depend on this SSL server certificate.
Communication with SignatureService is based on unilateral server authentication, where the client knows the server’s identity. Signicat’s SSL certificate (or its root certificate) must be installed in the certificate store of the servers or applications where your integration with Signicat runs. You can read more about how to install Signicat’s SSL certificate in your environment in the references at the end of this document.
SSL certificates, bilateral server authentication
Access to our web services DocumentAction and Archive is based on bilateral server authentication, which is more secure.
With bilateral server authentication, both ends of the “conversation” can be sure of whom they are communicating with. Signicat is already secured by the VeriSign SSL server certificate. Your web application must use an SSL service certificate issued by Signicat to verify your identity.
You can read more about how to get the SSL certificate here: Get a client SSL web service certificate
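The two modes described above, expressed as client-side TLS configuration. This is an added example, not Signicat's code: the function name, its parameters and the key-file permission check are assumptions made for illustration.

```python
import os
import ssl
import stat

# Authentication mode per service, as described on this page.
UNILATERAL = {"SignatureService"}
BILATERAL = {"DocumentAction", "Archive"}


def build_tls_context(service, client_cert=None, client_key=None, ca_file=None):
    """Return an ssl.SSLContext for calling the named web service.

    ca_file: optional PEM bundle holding the server's root certificate;
    None falls back to the system trust store.
    """
    if service not in UNILATERAL | BILATERAL:
        raise ValueError(f"unknown service: {service!r}")

    # Server authentication applies in both modes: the default context
    # requires a valid chain (CERT_REQUIRED) and a matching hostname.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)

    if service in BILATERAL:
        # Fail closed: never call a bilateral service without a client identity.
        if not (client_cert and client_key):
            raise ValueError(f"{service} requires a client certificate and key")
        # Added hardening (assumption, POSIX only): a key readable by group or
        # others is effectively shared between applications on the host.
        if stat.S_IMODE(os.stat(client_key).st_mode) & 0o077:
            raise PermissionError(f"{client_key} is accessible to group/others")
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


if __name__ == "__main__":
    ctx = build_tls_context("SignatureService")
    print(ctx.verify_mode, ctx.check_hostname)
```

The returned context can be passed to any standard-library HTTPS client, for example `http.client.HTTPSConnection(host, context=ctx)`.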