Availability gateway: Setting up certificate-based mutual authentication

StarkEx communicates with your application over HTTPS, using SSL to enable mutual authentication. StarkEx uses self-signed certificates, with StarkEx as the certificate authority (CA). You send StarkEx a certificate signing request (CSR), and StarkEx signs it and returns two files: user.crt and the StarkEx server.crt.

Procedure
  1. Create a configuration file for the availability gateway, with any name, such as user.conf, with the following content:

    [req]
    default_bits = 2048
    prompt = no
    default_md = sha256
    distinguished_name = dn
    
    [ dn ]
    CN = <public_key>

    Where <public_key> is the Ethereum public key of the committee member, in checksum format.

  2. Generate the user key for the availability gateway, where <availability_gw_user.key> is the name of the output file with the key:

    $ openssl genrsa -out <availability_gw_user.key> 4096

    This is a private key. Do not share it.

  3. Generate the certificate request for the availability gateway, where <availability_gw_user.csr> is the name of the output file with the certificate request:

    $ openssl req -new -key <availability_gw_user.key> -out <availability_gw_user.csr> -config user.conf

  4. Generate the user key for the StarkEx gateway, where <StarkEx_gw_user.key> is the name of the output file with the key:

    $ openssl genrsa -out <StarkEx_gw_user.key> 4096

    This is a private key. Do not share it.

  5. Generate the certificate request for the StarkEx gateway, where <StarkEx_gw_user.csr> is the name of the output file with the certificate request:

    $ openssl req -new -key <StarkEx_gw_user.key> -out <StarkEx_gw_user.csr>

  6. Send the CSRs you generated to StarkEx via any communication channel, such as Slack, Telegram, or email.

  7. StarkWare prepares and sends you two sets of signed certificates named user.crt and server.crt: one set for the availability gateway and one set for the StarkEx gateway.

  8. Install the certificate files in your environment, along with the user key.

Mutual authentication is now enabled.
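
The shell functions below are an added example, not part of the StarkEx documentation or tooling. check_csr confirms that a file you are about to send in step 6 is a CSR with the expected CN and no private key in it, and same_pubkey confirms that a returned user.crt belongs to the user key you install it with in step 8. The function names and the checks.sh file name are assumptions made here; the files passed in are the ones you named in steps 2-5.

```shell
#!/bin/sh
# Added example: sanity checks around steps 2-8. Requires the openssl CLI.

# Print the public key (PEM) carried by a private key, CSR or certificate.
pubkey_pem() {  # usage: pubkey_pem key|csr|crt FILE
    case "$1" in
        key) openssl pkey -in "$2" -pubout 2>/dev/null ;;
        csr) openssl req -in "$2" -noout -pubkey 2>/dev/null ;;
        crt) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
        *)   return 2 ;;
    esac
}

# Succeed only if both files carry the same public key, e.g. a returned
# user.crt and the user key it is installed with in step 8.
same_pubkey() {  # usage: same_pubkey TYPE1 FILE1 TYPE2 FILE2
    a=$(pubkey_pem "$1" "$2") || return 1
    b=$(pubkey_pem "$3" "$4") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Succeed only if FILE is safe to send in step 6: no private key inside,
# a valid self-signature, and a subject CN equal to EXPECTED_CN.
check_csr() {  # usage: check_csr FILE EXPECTED_CN
    if grep -q 'PRIVATE KEY' "$1"; then
        echo "refusing: $1 contains a private key" >&2
        return 1
    fi
    # Match on the message rather than relying on the exit status alone.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    cn=$(openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
         sed 's/^subject= *CN *= *//')
    [ -n "$cn" ] && [ "$cn" = "$2" ]
}

# Allow direct use: sh checks.sh check_csr <availability_gw_user.csr> <public_key>
if [ "$#" -gt 0 ]; then "$@"; fi
```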

Verifying certificate-based mutual authentication

Enter the following command:

$ curl --cert user.crt --cacert server.crt --key user.key <StarkEx GW URL>/v2/gateway/is_alive

The StarkEx gateway uses HTTPS, so the URL begins with https.

You should see a result similar to the following:

GatewayServiceVersion2 is alive!