Considerations when generating keys for OFTP

Top  Previous  Next

In order to ensure interoperability with trading partners when using TLS to secure your OFTP data transfers, we suggest you take the following into consideration when generating server keys for your OFTP service.

 

Note: The cryptographic algorithms that will be used in OFTP TLS connections will require installation of the JCE Unlimited Strength Jurisdiction Policy Files if you're still using JDK/JRE 8, so we suggest you install those files first before generating your server keys if you're using JDK/JRE 8.

 

Key lengths

 

Generate keys with long key lengths. Although 1024-bits is still the minimum recommended key length in the OFTP2 Implementation Guideline as of this writing, several businesses who are using OFTP have already started employing 2048-bit keys.

 

 

Figure 276

 

clip0276

 

 

Server key Advanced Settings

 

In OFTP, the certificate associated with the server key is normally used for the following purposes:

 

digital signing
encryption
server authentication
client authentication

 

You can specify how a certificate will be used by ticking the appropriate check boxes in the Advanced tab of the Generate Server Key dialog.

 

Digital Signature - Check this if the certificate will be used for digital signing.
Key Encipherment - Check this if the certificate will be used for encryption
Server Auth -  OFTP always requires server authentication, so this check box should be checked at all times. Otherwise, the certificate may be rejected by other OFTP hosts.
Client Auth -  OFTP always requires client authentication, so this check box should be checked at all times. Otherwise, the certificate may be rejected by other OFTP hosts.

 

If a certificate will be used for both digital signing and encryption, then both Digital Signature and Key Encipherment should be checked.

 

Figure 277

 

clip0277