Client Certificate generation and configuration

Roche DC operates its own Certificate Authority, which signs a client certificate when the client submits a Certificate Signing Request (CSR). The client generates its own 2048-bit RSA key pair and keeps the private key; the resulting certificates are signed with SHA-256.

The following steps are required to obtain a client certificate and establish a mutually authenticated connection with Roche:

Generate Client Certificate Signing Request

  1. Generate Key (Example): openssl genrsa -out company.qaeu.client.key 2048

  2. Generate Client Certificate Request (Example): openssl req -new -sha256 -key company.qaeu.client.key -subj "/C=ES/ST=Barcelona/L=Sant Cugat del Valles/O=Roche Diabetes Care Spain SL/OU=Roche Diabetes Care Spain SL/CN=_EMAIL.{env}@COMPANY.COM" -out company.qaeu.client.req.pem

    {env} possible values:

    • demo
    • prodeu

Subject Fields

  • C = Country
  • ST = State or Province
  • L = Locality
  • O = Organization Name
  • OU = Organizational Unit Name
  • CN = Email of the company system (must contain the environment code, e.g. _EMAIL.demo@COMPANY.COM)

  3. Provide the CSR file (company.qaeu.client.req.pem in the example above; the same content is often saved with a .csr extension) to Roche DC. Send only the request: the private key in company.qaeu.client.key must stay on your system.
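Steps 1 to 3 as one script, together with the checks worth running before the request leaves your machine (self-signature, key/CSR match, digest, key size, environment code in the CN). This is an added example, not Roche DC's tooling: the subject values copy the example above, COMPANY.COM is a placeholder domain, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Roche DC's own tooling: generate the client key and CSR
# for one environment and sanity-check the CSR before sending it to Roche DC.
# Assumptions: the subject values mirror the page's example, COMPANY.COM is a
# placeholder domain, and only the env codes the page lists are accepted.
set -eu

# gen_client_csr ENV PREFIX
#   Writes PREFIX.client.key (2048-bit RSA, readable only by its owner) and
#   PREFIX.client.req.pem (SHA-256 signed CSR) whose CN embeds ENV.
gen_client_csr() {
    env="$1"
    prefix="$2"
    case "$env" in
        demo|prodeu) ;;
        *) echo "gen_client_csr: env must be demo or prodeu, got '$env'" >&2
           return 1 ;;
    esac
    # The private key never leaves this host: create it with mode 0600.
    ( umask 077 && openssl genrsa -out "$prefix.client.key" 2048 2>/dev/null )
    openssl req -new -sha256 -key "$prefix.client.key" \
        -subj "/C=ES/ST=Barcelona/L=Sant Cugat del Valles/O=Roche Diabetes Care Spain SL/OU=Roche Diabetes Care Spain SL/CN=_EMAIL.$env@COMPANY.COM" \
        -out "$prefix.client.req.pem"
}

# csr_env CSR
#   Checks the CSR's self-signature and prints the env code embedded in its CN.
#   The sed pattern accepts both subject formats openssl prints ("CN = x" and "/CN=x").
csr_env() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$1" -noout -subject \
        | sed -n 's/.*CN *= *_EMAIL\.\([a-z]*\)@.*/\1/p'
}

# csr_matches_key CSR KEY
#   Succeeds only if the public key inside the CSR was derived from KEY.
csr_matches_key() {
    a=$(openssl req -in "$1" -noout -pubkey)
    b=$(openssl pkey -in "$2" -pubout)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# csr_sig_alg CSR   -> e.g. sha256WithRSAEncryption
csr_sig_alg() {
    openssl req -in "$1" -noout -text \
        | sed -n '/Signature Algorithm:/{s/.*Signature Algorithm: *//;s/ .*//;p;q;}'
}

# csr_key_bits CSR  -> e.g. 2048
csr_key_bits() {
    openssl req -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

# csr_check CSR KEY ENV
#   Everything Roche DC expects of the request, checked before it is sent:
#   env code in the CN, CSR belongs to KEY, SHA-256 signature, 2048-bit key.
csr_check() {
    [ "$(csr_env "$1")" = "$3" ] &&
    csr_matches_key "$1" "$2" &&
    [ "$(csr_sig_alg "$1")" = "sha256WithRSAEncryption" ] &&
    [ "$(csr_key_bits "$1")" = "2048" ]
}

# Usage:
#   gen_client_csr demo company.demo
#   csr_check company.demo.client.req.pem company.demo.client.key demo && echo "CSR ready to send"
```

Only the .req.pem file goes to Roche DC; the .key file is what the keystore is later built from, which is why the script creates it with owner-only permissions and why csr_matches_key exists: a CSR generated against the wrong key yields a certificate you cannot use.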

Configure client keystore and truststore

To connect to the Roche ecosystem with mutual authentication you work with two elements: a keystore, which holds the client's private key and its certificate, and a truststore, which holds the public CA certificates (root and intermediates) used to validate the certificate chain presented by the Roche server.

Root CA: Roche DC Global Digital Root CA

Intermediate level 1: Roche DC Global Digital Intermediate TESTUS CA

Intermediate level 2: Roche DC Global Digital Intermediate TESTUS ServerCert CA

Roche DC root and intermediates public certificates are available here: https://ca.rochedcplatform.com/
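Assembling the two stores once the signed client certificate comes back, as an added example that is not Roche DC's tooling. It builds the truststore from the downloaded root and intermediate certificates (refusing anything that is not a CA certificate), verifies that the issued client certificate chains to the root through both intermediates before the certificate is trusted in production, and packs key, certificate and chain into a PKCS#12 keystore. File names, the friendly name "client" and the keystore password are assumptions.

```shell
#!/bin/sh
# Added example, not Roche DC's own tooling: build the truststore from the
# published CA certificates, verify that the issued client certificate chains
# to the root through the intermediates, and pack key + chain into a PKCS#12
# keystore. File names and the keystore password are assumptions.
set -eu

# make_truststore OUT CACERT...
#   Concatenates PEM CA certificates into OUT, refusing anything that is not a
#   certificate or that is not marked CA:TRUE (a leaf certificate in a
#   truststore would silently widen what the client accepts).
make_truststore() {
    out="$1"; shift
    : > "$out"
    for c in "$@"; do
        openssl x509 -in "$c" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || {
            echo "make_truststore: $c is not a CA certificate" >&2; return 1; }
        openssl x509 -in "$c" >> "$out"   # re-encode: drops any text around the PEM block
    done
}

# verify_client_cert CERT ROOT INTERMEDIATES
#   Trusts ROOT only; the intermediates are passed as untrusted so openssl has
#   to build and check the full path Root -> Intermediate 1 -> Intermediate 2 -> CERT.
#   Putting the intermediates in -CAfile instead would make each of them a
#   trust anchor in its own right.
verify_client_cert() {
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
}

# make_keystore OUT KEY CERT CHAIN PASSWORD
#   Packs the private key, its certificate and the intermediate chain into a
#   PKCS#12 keystore after confirming the certificate really belongs to KEY.
make_keystore() {
    out="$1"; key="$2"; cert="$3"; chain="$4"; pass="$5"
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] || {
        echo "make_keystore: $cert does not match $key" >&2; return 1; }
    ( umask 077 && openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
        -name client -out "$out" -passout "pass:$pass" )
}

# keystore_cert_count KEYSTORE PASSWORD -> number of certificates it contains
keystore_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Usage (file names assumed):
#   make_truststore truststore.pem root.crt intermediate1.crt intermediate2.crt
#   cat intermediate2.crt intermediate1.crt > intermediates.pem
#   verify_client_cert client.crt root.crt intermediates.pem && \
#       make_keystore client.p12 company.qaeu.client.key client.crt intermediates.pem "$KEYSTORE_PASS"
```

The keystore carries the intermediates so the TLS client can present the full chain; the root is deliberately left out of it, because the peer must already hold the root in its own truststore for the chain to mean anything.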