Certificate Requirements for Intel® Attestation Services

Intel Attestation Service (IAS) uses MTLS (Mutual Transport Layer Security) as its authentication mechanism. This means that both the server (IAS) and the client (Service Provider) must present valid X.509 certificates that can be used for authentication, each signed by a trusted certificate authority. Due to security concerns with previous versions of the SSL/TLS protocol, IAS only accepts connections using TLS 1.2 (https://tools.ietf.org/html/rfc5246).

Service Provider Registration
To register the Service Provider (SP) with IAS, a valid (not expired or revoked) X.509 certificate that identifies the SP needs to be registered with IAS.

This certificate is used for client authentication. If the certificate contains the Extended Key Usage extension, that extension needs to indicate that the certificate can be used for Client Authentication (1.3.6.1.5.5.7.3.2) (see: http://tools.ietf.org/rfc/rfc3280).


Other Certificate Requirements 
Certificate Development Services IAS Server Root of Trust Self-Signed* or Issued by a trusted CA

* NOTE: For self-signed certificates, if the Key Usage extension is present, then the “keyCertSign” bit needs to be set. Additionally, providing a self-signed certificate tells other users of the service that you are testing this service, because the MTLS protocol reveals a “certificate authorities” field. Use a certificate from a standard trusted CA to avoid this issue.

Certificate Verification Requirements
To be authorized for use with IAS, the certificate needs to pass openssl verification. The verification steps for self-signed certificates and for certificates signed by a CA are given below.

1. For self-signed certificates use the following command (expected output: "OK"):

openssl verify -x509_strict -purpose sslclient -CAfile <sp-cert.pem> <sp-cert.pem>

2. For leaf certificates use the following command (expected output: "OK"):

openssl verify -x509_strict -purpose sslclient -CAfile <ca-cert.pem> <sp-cert.pem>

where <ca-cert.pem> includes one or more CA certificates that issued <sp-cert.pem>. The full CA certificate chain needs to be provided (including the root CA certificate).
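
The requirements and the verification commands above can be combined into one pre-submission check. The script below is an added example, not Intel's tooling and not part of the original page; the function names check_sp_cert and make_demo_cert, the CN sp-demo.example and the demo extension profile are assumptions made for illustration, and revocation is not checked.

```shell
#!/bin/sh
# Added example (not Intel's tooling): pre-submission check of an SP certificate.

# check_sp_cert <sp-cert.pem> [<ca-cert.pem>]
# With no CA file the certificate is treated as self-signed.
check_sp_cert() {
    cert=$1; ca=${2:-$1}
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) ||
        { echo "FAIL: cannot parse certificate"; return 1; }
    # Must not be expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate has expired"; return 1; }
    # If Extended Key Usage is present it must allow Client Authentication.
    if printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage'; then
        printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication' ||
            { echo "FAIL: EKU lacks Client Authentication (1.3.6.1.5.5.7.3.2)"; return 1; }
    fi
    # Self-signed: if Key Usage is present, keyCertSign must be set.
    if [ "$ca" = "$cert" ] && printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign' ||
            { echo "FAIL: Key Usage lacks keyCertSign"; return 1; }
    fi
    # The verification command given on this page.
    openssl verify -x509_strict -purpose sslclient -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: openssl verify rejected the certificate"; return 1; }
    echo "OK"
}

# make_demo_cert <out.pem> <keyUsage> <extendedKeyUsage>
# Hypothetical helper: builds a throwaway self-signed certificate (constructed input).
make_demo_cert() {
    cfg=$(mktemp)
    cat >"$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = sp-demo.example
[ext]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
keyUsage = critical,$2
extendedKeyUsage = $3
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$cfg" \
        -keyout "$cfg.key" -out "$1" 2>/dev/null
    rm -f "$cfg" "$cfg.key"
}
```

Run it as `check_sp_cert sp-cert.pem` for a self-signed certificate, or as `check_sp_cert sp-cert.pem ca-cert.pem` for a leaf certificate with its full CA chain.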

Note: When submitting a certificate for a SPID request, please provide us with a download URL for the location of your certificate. If you don't have an easy way of providing this, our representative will contact you via the email address you provide. The accepted certificate formats for Development Service Access are: PEM, CER and CRT.

Related resources:

How to create Self-Signed Certificates for use with Intel® SGX Remote Attestation using OpenSSL


1 comment

jamason:

Is the key used to register to the production IAS the same one used to sign production enclaves and which is whitelisted by Intel through the licence business agreement?

Thanks
