# Client Certificate Creation for Signing and mTLS **Introduction** > This document outlines the technical specifications for generating a client certificate for the mobile application. This certificate will be used for signing operations and mutual Transport Layer Security (mTLS) authentication. **Actors and Participants** * **Mobile App:** Provides the user interface and interacts with backend services. * **Flutter SDK:** Software development kit used by the mobile app for secure communication and certificate management. * **Certificate Service (CS):** Manages certificate issuance, secure storage, and communication with the mobile app through the SDK. **Functionality** 1. **Mobile App Initiates:** The mobile app triggers certificate creation through the token service. 1. **Secure Connection:** The mobile app leverages the Flutter SDK to establish a secure connection (e.g., HTTPS) with the Certificate Service (CS). 1. **Private Key Generation:** The CS generates a private key for the mobile app. (Note: This private key should be securely stored within the mobile app's secure enclave or virtual smartcard environment.) 1. **Certificate Signing Request (CSR):** The mobile app (via Flutter SDK) generates and sends a CSR to the CS. The CSR typically includes the mobile app's public key and relevant identification information. 1. **CSR Validation:** The CS validates the CSR for authenticity and completeness. 1. **Certificate Issuance:** If valid, the CS signs the CSR using its own private key and certificate, issuing a client certificate for the mobile app. 1. **Secure Certificate Delivery:** The CS securely transmits the client certificate back to the mobile app through the Flutter SDK. 1. **Secure Storage:** The mobile app (via Flutter SDK) securely stores the client certificate alongside the private key within the secure enclave or virtual smartcard environment. **Security Considerations** * All communication between the mobile app (via Flutter SDK) and the CS should be secured using protocols like HTTPS. * The private key generated for the mobile app must be securely stored within the mobile app's secure enclave or virtual smartcard environment. It should never be transmitted or stored on the server. * The CSR should be generated securely within the mobile app environment. * The CS should verify the authenticity and validity of the CSR before issuing the client certificate. **Technical Requirements** * The mobile app development should utilize the Flutter SDK for secure communication and certificate management. * The CS should implement secure protocols for certificate issuance and management. * The mobile app environment should have a secure enclave or virtual smartcard capability for storing the private key and client certificate. **Defining Algorithms and Key Lengths** **Private Key:** * **Algorithm:** RSA (Rivest–Shamir–Adleman) is a widely used and well-established algorithm for public key cryptography. It offers a good balance of security and performance. * **Key Length:** The recommended minimum key length for the private key is 2048 bits. This provides a strong level of security against current attacks. However, depending on security requirements and computational limitations, you might consider using a larger key size like 4096 bits. **Client Certificate:** * **Signature Algorithm:** The certificate should use a strong signature algorithm to ensure the integrity of signed data. Two common options are: ** **SHA-256 with RSA (RSASSA-PKCS1-v1.5):** This is a mature and widely supported option. ** **ECDSA with P-256 or P-384 curve:** Elliptic Curve Digital Signature Algorithm (ECDSA) offers better performance with shorter key lengths compared to RSA. However, it may have slightly less widespread support. * **Key Usage Extension:** The certificate should include the keyUsage extension with appropriate flags set. Common flags for this scenario include: ** **digitalSignature** - Allows the certificate to be used for signing operations. ** **keyEncipherment** - Allows the certificate to be used for key exchange during mTLS. **Sequence Diagram**  **Open Issues/Next Steps** * Specify the content and format of the CSR generated by the mobile app. * Determine the certificate validity period and renewal process. ```plantuml @startuml actor Kullanıcı participant Uygulama participant "Flutter SDK" as SDK participant "Token Servisi" as TS participant "Sertifika Servisi" as CS TS -> TS : Cihaz Kaydı Tamamlandıktan Sonra note right PIN varsa tekrar girmesini isteyebiliriz end note TS -> CS : Kullanıcının PIN'inin olup olmadığını sor alt yok CS -> SDK : Kullanıcıdan PIN seçmesini iste SDK -> Uygulama: PIN gerekli Uygulama -> Kullanıcı: Çevrimiçi PIN tanımlamasını iste\nPIN tüm cihazlar için aynıdır Kullanıcı -> Uygulama: Çevrimiçi PIN gir Uygulama -> SDK: Çevrimiçi PIN kaydını başlat SDK -> SDK: Çevrimiçi PIN'i hash'le SDK <-> CS: TLS bağlantısı kur (mTLS değil) SDK -> CS: Hashlenmiş PIN'i gönder CS -> CS: Çevrimiçi PIN'i tekrar salt+hash'le\nve cihaz kimliği ile birlikte veritabanına kaydet end CS -> CS: Kullanıcı Genel Anahtarı için sertifika oluştur\n(CA) ve Kullanıcı, cihaz kimliği, token kimliği ile birlikte veritabanına kaydet CS -> SDK: Sertifikaları ve SDK özel anahtarını sanal akıllı karta kaydet (SE değil) CS -> CS: SDK özel anahtarını sil SDK -> SDK: Sertifikaları ve SDK özel anahtarını sanal akıllı karta kaydet (SE değil) SDK -> Uygulama: Kayıt Tamamlandı Uygulama -> Kullanıcı: Kayıt tamamlandı @enduml ```