TLS Certificates

Before any communtication is done with the KMEs, a client needs to have the proper certificates for authentication by the KME through mutual TLS authentication.

Every certificate comes with the corresponding private key and the CA chain of the certificate. There are two ways to implement this:

  1. The QKD device controller issues a client certificate signed by the KME.

  2. The Administrator can install certificates issued by a specific root CA (or certificate chains belonging to the specified SAE).

For more information on the QKD device controller role, refer to Controller Overview

Method 1: KME-issued client certificate

The QKD device controller can issue client certificates to SAEs through the KME. This requires the SAE to generate a certificate signing request (CSR), with the X.509 Subject fields specified according to the certificate policies set by the QKD device controller. If no such policy exists, we recommend the following attributes for easier certificate management:

  1. CN - Common Name

  2. C - Country Name

  3. S - State or Province Name

  4. O - Organization Name

  5. OU - Organization Unit Name

The CSR can be generated from RSA or EC-based private keys. The QKD device controller is expected to return the issued certificate and CA chain for use by the SAE.

Tip

As of 2021, a minimum key length of 2048-bit RSA or 256-bit ECC for client certificate signing is strongly recommended.

Warning

The private key should be generated by the SAE and not shared with the QKD device controller for security. While it is also possible for the QKD device controller to generate a key-certificate pair and pass both directly to the client, this practice is not recommended.

Method 2: Install external certificates on KME

The KME can alternatively authenticate individual SAE or groups of SAEs that do not belong to the KME certificate chain. This is achieved by the Administrator installing the certificate chain that is already available on the SAE into the KME. Other than providing the SAE’s full certificate chain to the Administrator, no further action by the SAE is necessary.