Skip to content

Commit

Permalink
Update cert encoding description, add openssl commands (#23)
Browse files Browse the repository at this point in the history
  • Loading branch information
shreyav authored Mar 22, 2024
1 parent f440b2e commit 66d23af
Showing 1 changed file with 11 additions and 3 deletions.
14 changes: 11 additions & 3 deletions umad-02-keys-and-authentication.md
Original file line number Diff line number Diff line change
Expand Up @@ -31,9 +31,9 @@ endpoint returns a JSON object with the following structure:

```json
{
// Used to verify signatures from VASP1. PEM-encoded X.509 certificate string.
// Used to verify signatures from VASP1. Hex string representation of a DER-encoded X.509 certificate.
"signingCertificate": string,
// Used to encrypt TR info sent to VASP1. PEM-encoded X.509 certificate string.
// Used to encrypt TR info sent to VASP1. Hex string representation of a DER-encoded X.509 certificate.
"encryptionCertificate": string,
// [Optional] Sec since epoch at which these certificates must be revalidated or refreshed.
// If not specified, the certificates will not be cached.
Expand All @@ -46,7 +46,15 @@ self-signed certificates are a suitable solution for key exchange. VASPs can cre
the public keys generated above using common tools such as `openssl`, and expose these certificates to counterparties
via the public API outlined above. It is important to note that self-signed certificates don't provide a good
revocation mechanism, so it is recommended to use a short caching duration (on the order of a few minutes) to minimize
the risk of key compromise.
the risk of key compromise. To generate a self-signed X.509 certificate wrapping the public key generated above, run:

```bash
# Generate an x509 certificate from your existing ec_key.pem above:
$ openssl req -new -x509 -key ec_key.pem -sha256 -nodes -out ec_crt.crt -days <expiration in days>

# Print out the PEM representation of the certificate:
$ openssl x509 -in ec_crt.crt -outform PEM
```

Because the `/.well-known/lnurlpubkey` endpoint is hosted directly on the VASP's domain, it is easy for other VASPs to
verify that the keys they receive are actually from the VASP they are trying to communicate with. It does, however,
Expand Down

0 comments on commit 66d23af

Please sign in to comment.