SecureBlackbox 2020 macOS Edition


Configuring TSA authentication

Configuring TSA service authentication

Some TSA services require connecting clients to authenticate themselves, either to keep out anonymous requests or because timestamps are issued on a paid basis.

TSAs normally use one of the following methods to authenticate requestors:

  • HTTP authentication (basic, digest, or NTLM)
  • TLS certificate-based authentication

To authenticate to services that rely on HTTP authentication, provide your credentials straight in the URI, in the usual user:password@host form (the host and credentials below are placeholders):

  pdfsigner.TimestampServer = "https://username:password@tsa.example.com/tsa";

With basic authentication the credentials are only base64-encoded on the wire, so always give the TSA an https:// URL rather than http://.

Use the following three steps to implement authentication with a TLS client certificate:

1. Subscribe to the OnTLSCertValidate event. This event fires at an early stage of every TLS connection established by the component. In most cases the connection to the TSA service is the only TLS connection the component makes during the signing operation. However, in certain cases the component may also need to connect to other services, mainly CRL distribution points or OCSP responders, so the handler must not assume that every connection is the TSA.

2. In the event handler, check the ServerHostname and ServerIP parameters to confirm that the connection is being made to the TSA. If the host name doesn't match the TSA's, exit the event handler. Otherwise, check whether the server asked you to authenticate, using the TLSClientAuthRequested config property:

string authReq = signer.Config("TLSClientAuthRequested");

3. If the server requested client authentication, add your client certificate(s) to the ClientChain collection. The component does the rest of the TLS client-authentication handshake.

You can load the certificate using the CertificateManager or CertificateStorage class, depending on where it is stored. Note that the server may be configured to expect the entire certificate chain and not only the end-entity certificate. In that case add the whole chain to ClientChain, starting with your end-entity certificate and followed by its issuers in order.
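The three steps above combined into one C# listing, as an added example rather than code from the SecureBlackbox documentation. It uses the identifiers the page names (PDFSigner.TimestampServer, OnTLSCertValidate, ServerHostname, Config("TLSClientAuthRequested"), ClientChain, CertificateManager). The following are assumptions: that the event arguments expose ServerHostname as a property, that TLSClientAuthRequested returns the string "true" when the server sent a CertificateRequest, that ClientChain has Count and Add members, that CertificateManager.ImportFromFile takes a path and a password, and the hypothetical file names, host name and environment variables.

```csharp
using System;
using nsoftware.SecureBlackbox;

class TsaClientAuthExample
{
    static void Main()
    {
        var signer = new PDFSigner();
        signer.InputFile = "contract.pdf";            // placeholder input
        signer.OutputFile = "contract-signed.pdf";    // placeholder output
        signer.TimestampServer = "https://tsa.example.com/tsa"; // hypothetical TSA

        // Signing certificate (PKCS#12). Passwords come from the environment, not source.
        var signMgr = new CertificateManager();
        signMgr.ImportFromFile("signing.pfx",
            Environment.GetEnvironmentVariable("SIGNING_PFX_PASSWORD"));
        signer.SigningCertificate = signMgr.Certificate;

        // TLS client certificate used only towards the TSA, kept separate from the signing key.
        var tlsMgr = new CertificateManager();
        tlsMgr.ImportFromFile("tls-client.pfx",
            Environment.GetEnvironmentVariable("TLS_PFX_PASSWORD"));
        var tlsClientCert = tlsMgr.Certificate;

        // Optional issuer certificate for TSAs that expect the full chain (assumed file name).
        var issuerMgr = new CertificateManager();
        issuerMgr.ImportFromFile("tls-client-issuer.cer", "");
        var tlsIssuerCert = issuerMgr.Certificate;

        // Derive the expected host from the configured URL instead of hard-coding it twice.
        string tsaHost = new Uri(signer.TimestampServer).Host;

        // Step 1: subscribe to the event that fires early in every TLS handshake.
        signer.OnTLSCertValidate += (sender, e) =>
        {
            // Step 2: the same event fires for CRL/OCSP fetches; react only to the TSA.
            if (!string.Equals(e.ServerHostname, tsaHost, StringComparison.OrdinalIgnoreCase))
                return;

            // Only present a client certificate if the server actually asked for one
            // (assumed: the config property reads "true" in that case).
            string authReq = signer.Config("TLSClientAuthRequested");
            if (!string.Equals(authReq, "true", StringComparison.OrdinalIgnoreCase))
                return;

            // Step 3: populate the chain once; the event may fire again on a reconnect.
            if (signer.ClientChain.Count == 0)
            {
                signer.ClientChain.Add(tlsClientCert);  // end-entity first
                signer.ClientChain.Add(tlsIssuerCert);  // then its issuer(s)
            }
        };

        signer.Sign();
    }
}
```

The host check is the security-relevant part: without it the handler would hand the client certificate to whichever CRL or OCSP server the component happens to contact, and a case-insensitive comparison against the host parsed from TimestampServer avoids a mismatch when the URL was written with different capitalisation.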

Copyright (c) 2022 /n software inc. - All rights reserved.
SecureBlackbox 2020 macOS Edition - Version 20.0 [Build 8165]