This reference article describes the client SSL certificates that are used to protect Signicat's web services.
How web services are protected
Signicat's web services are protected with:
- A static password
- A client SSL certificate
The password and SSL certificate should be used to access both the SOAP services and the REST services.
There is only one static password for a service. All applications that make a web service call to Signicat must use the same password. However, applications should not share the same client SSL certificate.
SSL certificate, unilateral server authentication
Signicat uses an SSL server certificate called VeriSign Secure Site Pro with EV. This certificate is pre-installed as a trusted root certificate in the certificate archive of most browsers today. This enables secure communication between the end-users and Signicat.
Our web services, SignatureService, DocumentAction and Archive, also run over the HTTPS protocol and depend on this SSL server certificate.
Communication with SignatureService is based upon so-called unilateral server authentication, where the client knows the server’s identity. Signicat’s SSL certificate (or its root certificate) must be installed in the certificate store of the servers or applications where your integration with Signicat runs. You may read more about how to install Signicat’s SSL certificate in your environment in the references at the end of this document.
SSL certificates, bilateral server authentication
Accessing our web services DocumentAction and Archive is based on bilateral server authentication, which is more secure.
In bilateral server authentication, both ends of the “conversation” can be assured of whom they are communicating with. Signicat is already secured by the VeriSign SSL server certificate. Your web application must use an SSL service certificate issued by Signicat to verify your identity.
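The difference between the two modes, as an added example that is not Signicat's code: an in-memory TLS handshake against a server that requires a client certificate, run once without a client certificate and once with one. The host name, the application name and the throwaway self-signed certificates (generated with the `openssl` command-line tool, which is assumed to be installed) are constructed for the demonstration.

```python
import contextlib, os, ssl, subprocess, tempfile

def make_cert(directory, name):
    """Create a throwaway self-signed certificate and key (constructed test material)."""
    cert, key = (os.path.join(directory, name + ext) for ext in (".crt", ".key"))
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-keyout", key, "-out", cert, "-subj", "/CN=" + name,
                    "-addext", "subjectAltName=DNS:" + name], check=True, capture_output=True)
    return cert, key

def handshake(client_ctx, server_ctx, hostname):
    """Run a TLS handshake in memory; True only if both ends accept each other."""
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    pending = [client_ctx.wrap_bio(c_in, c_out, server_hostname=hostname),
               server_ctx.wrap_bio(s_in, s_out, server_side=True)]
    try:
        for _ in range(10):  # a handshake needs only a few round trips
            for side in list(pending):
                # SSLWantReadError means this side is waiting for bytes from its peer.
                with contextlib.suppress(ssl.SSLWantReadError):
                    side.do_handshake()
                    pending.remove(side)
            for src, dst in ((c_out, s_in), (s_out, c_in)):
                dst.write(src.read())  # deliver each side's output to the other
            if not pending:
                return True
    except ssl.SSLError:  # a certificate was missing or not trusted
        pass
    return False

def demo():
    host = "api.example.test"  # constructed server name, not a Signicat endpoint
    with tempfile.TemporaryDirectory() as d:
        srv_cert, srv_key = make_cert(d, host)
        app_cert, app_key = make_cert(d, "client-app-1")
        # Server: presents its own certificate and requires a known client certificate.
        server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server.load_cert_chain(srv_cert, srv_key)
        server.verify_mode = ssl.CERT_REQUIRED
        server.load_verify_locations(app_cert)
        # Client: PROTOCOL_TLS_CLIENT verifies the server certificate and host name.
        client = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        client.load_verify_locations(srv_cert)
        unilateral = handshake(client, server, host)  # no client certificate presented
        client.load_cert_chain(app_cert, app_key)
        bilateral = handshake(client, server, host)   # client certificate presented
        return {"unilateral": unilateral, "bilateral": bilateral}

if __name__ == "__main__":
    print(demo())
```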
You may read more about how to get the SSL certificate here: Get a client SSL web service certificate