[cabfpub] Using OV TLS server certificate as TLS client certificates only

Stefan Santesson stefan at aaa-sec.com
Thu Apr 29 18:27:10 UTC 2021


I would really appreciate this list's opinion on a matter being discussed
in the EU ongoing effort with establishing a Digital Green Certificate
(DGC) for Covid-19 vaccination and test results.

The time is very short as things must be in production in June.

The issue is:

The EU key exchange service (The DGC Gateway) will allow EU member
states to upload their DGC signing certificates for sharing among EU

Each country uploading DGC signing certificates must then have a TLS
client certificate when connecting to the DGC Gateway.

So far so good.

However, today it was announced that this TLS client certificate MUST be
an Organization Validation (OV) certificate issued by a public CA
supported by current browsers.

Now, this is problematic, since the TLS client certificate is being used
by a backend application that is NOT acting as a TLS server. So in order
to get an OV certificate as TLS client certificate I simply need to either:

1) Make a copy of the private key installed in our web server and re-use
that key/certificate in my backend application as TLS client cert. Or:

2) Apply for a separate TLS Server certificate to be used as TLS client
certificate. However the backend application server will NOT act as a
TLS server and is not bound to any domain name (just an IP address for
outbound connections).

My guess is that both these alternatives must be some kind of violation
against CAB policy for TLS server certificates.

Am I right or wrong here?

This is quite urgent. If this is bad and we want to prevent this, I need
help with good arguments now.

Thanks a lot for reading and providing feedback!

/Stefan Santesson
