Outbound Mutual Authentication Setup

mholt
Tera Contributor

Hi,

I'm working on setting up mutual authentication for our SNOW instances and just cannot get my head wrapped around what we're supposed to do, no matter how many docs I read.

Starting with KB0696002 and setting up our certificate, it sounds like I need to run the keytool command with the steps given in A to generate a key store (I have the platform admin doc with the specific commands). We have an internal team that generates certificates for us for domains we own -- I would have them generate a certificate for whatever domain I want (e.g., myauth.mydomain.com), and use that and any root/intermediate certs for steps 3 and 4 when creating the keystore?

So -- I would generate a keystore first, then send that output over to our internal team to generate a certificate for a company-owned domain (myauth.mydomain.com). They would generate the certificate, then send me that certificate and any others in the chain (root, intermediate). I'd then continue with step 3 as needed, then step 4 with the certificate for myauth.mydomain.com. Are those the correct steps, and I'd import the finished keystore into SNOW?

I think I'm good with the rest of the steps. Thank you!

Marc

4 REPLIES

_ChrisHelming
Tera Guru

When I went through the process I had the other team generate the entire Java keystore and send me that along with a password for the keystore. I uploaded the keystore, added the password and then was all set.

I don't think you need a "public" signed cert as long as both apps trust the keystore.

Thanks Chris! I think this is getting me on the right track -- did the other team provide a PEM or DER format certificate to you as well for sharing with the other application?

Both the keystore and the cert were on sys_certificate. The cert was stored as a DER format trust store type with a .cer attachment.

I don't think we shared a certificate with them (I assume it was in the keystore?), but it's possible they just pulled the cert from our instance themselves. 

Ok, great, thank you!
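The flow asked about in the original question (key pair, CSR to the internal team, import root/intermediate, then import the signed certificate), as an added example that is not the KB's or any poster's commands. It assumes JDK `keytool` on PATH and a PKCS12 keystore; the local demo CA, the `root` and `myauth` aliases, the file names and the password are constructed stand-ins.

```shell
#!/usr/bin/env bash
# Added example (constructed names/passwords). Assumes JDK keytool on PATH.
# Prints the certificate chain length of the finished keystore (2 = leaf + root).
build_mutual_auth_keystore() {
  local dir="$1" pass="Demo-Pass-123"                  # constructed demo password
  local ks="$dir/myauth.p12" ca="$dir/demo-ca.p12"     # PKCS12 is an assumption
  {
    # Stand-in for the internal certificate team: a throwaway self-signed root.
    keytool -genkeypair -alias root -keyalg RSA -keysize 2048 -validity 30 \
      -dname "CN=Demo Internal Root" -ext bc:c \
      -keystore "$ca" -storetype PKCS12 -storepass "$pass" -keypass "$pass" &&
    keytool -exportcert -rfc -alias root -keystore "$ca" -storepass "$pass" \
      -file "$dir/root.pem" &&

    # 1. Create the key pair in YOUR keystore. The private key stays here.
    keytool -genkeypair -alias myauth -keyalg RSA -keysize 2048 -validity 30 \
      -dname "CN=myauth.mydomain.com" \
      -keystore "$ks" -storetype PKCS12 -storepass "$pass" -keypass "$pass" &&

    # 2. Export a CSR. Only this file goes to the certificate team.
    keytool -certreq -alias myauth -keystore "$ks" -storepass "$pass" \
      -file "$dir/myauth.csr" &&

    # (Certificate team) sign the CSR; here the demo root does it.
    keytool -gencert -rfc -alias root -keystore "$ca" -storepass "$pass" \
      -validity 30 -ext eku=clientAuth \
      -infile "$dir/myauth.csr" -outfile "$dir/myauth.pem" &&

    # 3. Import the CA chain first (root here; intermediates the same way,
    #    each under its own alias) so the reply can be chained to it.
    keytool -importcert -noprompt -alias root -file "$dir/root.pem" \
      -keystore "$ks" -storepass "$pass" &&

    # 4. Import the signed certificate under the SAME alias as the key pair.
    keytool -importcert -noprompt -alias myauth -file "$dir/myauth.pem" \
      -keystore "$ks" -storepass "$pass"
  } >&2 || return 1

  # Check: the key entry should now carry the full chain, not a self-signed cert.
  keytool -J-Duser.language=en -list -v -alias myauth \
    -keystore "$ks" -storepass "$pass" |
    sed -n 's/^Certificate chain length: //p'
}

# Run as: bash <this file> /path/to/empty/dir
if [ -n "${1:-}" ]; then build_mutual_auth_keystore "$1"; fi
```

A chain length of 1 after step 4 means the keystore still holds only the self-signed placeholder, which the remote side will not be able to validate against the internal CA.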