# Appendix I- Client Certificate Authentication

In this section, we provide an example of how to use client certificate authentication to make a Whois Update via the REST API.

One advantage of this method is that no secret is shared with the Whois server during the request. However, one drawback is that getting started is more complicated than other authentication methods.

# Generate a Self-signed Certificate

First generate a self-signed x509 certificate using OpenSSL, along with a private key, in a single step.

$ openssl req -x509 -days 365 -newkey rsa:4096 -sha384 -subj "/C=NL/CN=ripe.net" -keyout client-key.pem -nodes -out client-cert.pem

A signed x509 certificate from a Certificate Authority can also be used, but Whois does not verify the trust path to the CA, only the signature against the certificate.

# Convert Certificate to ASCII

Next display the certificate as ASCII, which is a base64 encoded version of the binary (PEM) certificate file, which is necessary to create a key-cert object.

$ openssl x509 -in client-cert.pem
-----BEGIN CERTIFICATE-----
MIIFITCCAwmgAwIBAgIUHD8QpV+IvEVs/pDVK3Ml63TNJUgwDQYJKoZIhvcNAQEM
BQAwIDELMAkGA1UEBhMCTkwxETAPBgNVBAMMCHJpcGUubmV0MB4XDTI0MDUxNDEz
NDQyNloXDTI1MDUxNDEzNDQyNlowIDELMAkGA1UEBhMCTkwxETAPBgNVBAMMCHJp
cGUubmV0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAssEU+sbcX9YB
UH/qX9qbF63elLlLmYFZ2LR119qgqQqYQURO6onCimEJFlbL90c7TDkRcBoyMtzm
KP3kSuiIWOZpxGcmUtGnoiry9q5thxp60lZNad/Yi59PyTrs8DRo24ebPSKCa1FS
edpFYwP1b0o61ipDARGldx0qtbSXZOujxgicQTZxLjakMUKltjLczGN6lXpblM0a
vZNbL6tTNan3p5Y/0gAVBtvEQtAc0z2wqmzpWPmXmOs1nucIqRUlJoHwecmSN3zf
1lYwFn+baDOQpTo6oFttZYJfhWFvWLEKDw1nscvPeq0q9/yHVJpi54L7osPb/P0P
mI1CTtROe6fG5+zshHxolqdWNwdOJ1q1+/tMglzWq6NOpf5ZBK06wUrdygNl5Adi
7ToxNmFA1OUD8bx2FxyAEzByEOm46NOeNLwszn1hoTvtm1hJ7TAMKCnHbyEF67qh
uY6f8mJzeYO6PWTIl90vz2HCYcN9Ij6M4dsQA/w52kQ7Wld1xpRacaCVK+hC0W1J
lZeHaqCbwdfa4jgVXOGFrnnwU8Iy5H7b4U3ukx5hT9aq6mGA6W9VxcYRuArtlU1f
9iPYRtAVOebHnW6FNGdyGmoeofqOsZoXI21J8vq2o4JEEsz1vu+JtNgBcat7buYt
bUHrbF840tWsA8IgzMiQkIkfzy9meA8CAwEAAaNTMFEwHQYDVR0OBBYEFFLJKFpY
3vmlUVaQ9qgo59QRodfuMB8GA1UdIwQYMBaAFFLJKFpY3vmlUVaQ9qgo59QRodfu
MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAIX+S5jwBueCo3Ka
u+sqCr5eP2DZKmTrUEJPf5NW0k5FBKtmVzkBDXobL7ipctmlmehvEzF9gLgLJhnL
lekKdyWrgbunHTfeRFl1jxC8js1p4t9BNQ+wpqgom8/V1F9pNRGDzVDS5arok0OU
xoAThRqS22DX6JMSDmvTF/DnRZ71j1quLf7eUVjdLA8J1Dwvz4YfiYseQEvGAxvY
u3+ZrA1qScImHv1WERETskiAjy5GxpxMW19WIZtBJ3d3QTo4wIrsd050F9ecF2Zs
Up7/pcv+vNxr/TgfO1l9yuJzzDJyklaumkeOwWvqHz/t6SIisgxAMMFlvAiYvYgC
uh3UHrPEVG/x4Z5RNBqSb+7Mk08jGrVj5qUhtD6FyeJ53uOM1jQQEAZ+G1zsZZzw
x80fSveD5QXj5pzgzLvP0nlk3m5cJEu4FILtzVol1TX4QQXDdeYOCwNK2393ac56
vCxGxD4oqaYyZa3FzOrjWSDlBwhynd+OCq2PvIw7wLIYxq7UuZ77W3QL6/LRRzrs
X17yf8Ux8feNJwKke/L3mq6QBZ9wzoadK+XjTQYWQCbj6WlH9QEYpmFS/XCz5kfQ
sUI9iChbKvcWOFFPID+XMbzKMgbSvP6aBzOhbUz3b9Tn4qfn9Yp2YWpPci7RrvlK
lECvj7YuYAysqbZKiulSN6N3OKHd
-----END CERTIFICATE-----

# Create Key-cert Object

Next use the ASCII encoded certificate to create a key-cert object in the RIPE database, using Syncupdates or Mailupdates. Use "AUTO-1" as a placeholder for the primary key.

key-cert:        AUTO-1   
certif: -----BEGIN CERTIFICATE-----
certif: MIIFITCCAwmgAwIBAgIUHD8QpV+IvEVs/pDVK3Ml63TNJUgwDQYJKoZIhvcNAQEM
certif: BQAwIDELMAkGA1UEBhMCTkwxETAPBgNVBAMMCHJpcGUubmV0MB4XDTI0MDUxNDEz
certif: NDQyNloXDTI1MDUxNDEzNDQyNlowIDELMAkGA1UEBhMCTkwxETAPBgNVBAMMCHJp
certif: cGUubmV0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAssEU+sbcX9YB
certif: UH/qX9qbF63elLlLmYFZ2LR119qgqQqYQURO6onCimEJFlbL90c7TDkRcBoyMtzm
certif: KP3kSuiIWOZpxGcmUtGnoiry9q5thxp60lZNad/Yi59PyTrs8DRo24ebPSKCa1FS
certif: edpFYwP1b0o61ipDARGldx0qtbSXZOujxgicQTZxLjakMUKltjLczGN6lXpblM0a
certif: vZNbL6tTNan3p5Y/0gAVBtvEQtAc0z2wqmzpWPmXmOs1nucIqRUlJoHwecmSN3zf
certif: 1lYwFn+baDOQpTo6oFttZYJfhWFvWLEKDw1nscvPeq0q9/yHVJpi54L7osPb/P0P
certif: mI1CTtROe6fG5+zshHxolqdWNwdOJ1q1+/tMglzWq6NOpf5ZBK06wUrdygNl5Adi
certif: 7ToxNmFA1OUD8bx2FxyAEzByEOm46NOeNLwszn1hoTvtm1hJ7TAMKCnHbyEF67qh
certif: uY6f8mJzeYO6PWTIl90vz2HCYcN9Ij6M4dsQA/w52kQ7Wld1xpRacaCVK+hC0W1J
certif: lZeHaqCbwdfa4jgVXOGFrnnwU8Iy5H7b4U3ukx5hT9aq6mGA6W9VxcYRuArtlU1f
certif: 9iPYRtAVOebHnW6FNGdyGmoeofqOsZoXI21J8vq2o4JEEsz1vu+JtNgBcat7buYt
certif: bUHrbF840tWsA8IgzMiQkIkfzy9meA8CAwEAAaNTMFEwHQYDVR0OBBYEFFLJKFpY
certif: 3vmlUVaQ9qgo59QRodfuMB8GA1UdIwQYMBaAFFLJKFpY3vmlUVaQ9qgo59QRodfu
certif: MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAIX+S5jwBueCo3Ka
certif: u+sqCr5eP2DZKmTrUEJPf5NW0k5FBKtmVzkBDXobL7ipctmlmehvEzF9gLgLJhnL
certif: lekKdyWrgbunHTfeRFl1jxC8js1p4t9BNQ+wpqgom8/V1F9pNRGDzVDS5arok0OU
certif: xoAThRqS22DX6JMSDmvTF/DnRZ71j1quLf7eUVjdLA8J1Dwvz4YfiYseQEvGAxvY
certif: u3+ZrA1qScImHv1WERETskiAjy5GxpxMW19WIZtBJ3d3QTo4wIrsd050F9ecF2Zs
certif: Up7/pcv+vNxr/TgfO1l9yuJzzDJyklaumkeOwWvqHz/t6SIisgxAMMFlvAiYvYgC
certif: uh3UHrPEVG/x4Z5RNBqSb+7Mk08jGrVj5qUhtD6FyeJ53uOM1jQQEAZ+G1zsZZzw
certif: x80fSveD5QXj5pzgzLvP0nlk3m5cJEu4FILtzVol1TX4QQXDdeYOCwNK2393ac56
certif: vCxGxD4oqaYyZa3FzOrjWSDlBwhynd+OCq2PvIw7wLIYxq7UuZ77W3QL6/LRRzrs
certif: X17yf8Ux8feNJwKke/L3mq6QBZ9wzoadK+XjTQYWQCbj6WlH9QEYpmFS/XCz5kfQ
certif: sUI9iChbKvcWOFFPID+XMbzKMgbSvP6aBzOhbUz3b9Tn4qfn9Yp2YWpPci7RrvlK
certif: lECvj7YuYAysqbZKiulSN6N3OKHd
certif: -----END CERTIFICATE-----
mnt-by: SHRYANE-MNT
source: RIPE

The generated primary key is returned in the response.

# Add Authentication Method to Maintainer

From the previous step, the created key-cert object has a generated primary key "X509-3571".

Now add the authentication method to the maintainer with an additional "auth:" attribute with a value "X509-3571", so the certificate can be used to authenticate updates as that maintainer.

# Lookup An Object

Now update an object using the certificate to authenticate.

First lookup a PERSON object ES7554-RIPE as JSON and save to file.json. You must use the unfiltered query parameter to request the full object including attributes that may contain personal data.

$ curl -o file.json https://rest.db.ripe.net/ripe/person/ES7554-RIPE.json?unfiltered

You can also authenticate a MNTNER lookup with a client certificate, which will return the mntner including full auth: attribute values. Be sure to also include the unfiltered query parameter to return attributes that may contain personal data.

$ curl -o file.json --key client-key.pem --cert client-cert.pem https://rest-cert.db.ripe.net/ripe/person/ES7554-RIPE.json?unfiltered

# Update An Object

Next modify the remarks: attribute value in file.json and submit an update, authenticating with the client certificate.

$ curl -v --header "Content-type: application/json" -d @file.json -X PUT --key client-key.pem --cert client-cert.pem https://rest-cert.db.ripe.net/ripe/person/ES7554-RIPE.json

The PERSON object has been updated successfully.