Frequently Asked Question
It is essential to trust and verify the client certificate before connecting.
The same parameters are used for server certificates as well. The rules and processes are described in general terms below:
The PKI (Root and Issuing Certificate Authority) that issues the client certificate you need in order to authenticate to the TaxCore Prod API web site is also used to issue the server certificate. We prefer that our users verify the web site certificate, and the PKI in use maintains verification points.
We don’t go into the implementation of how users will use the client certificate to authenticate to the web site. Some will use Windows, some Linux, and others will use embedded devices, Java, .NET or other platforms. It is common for users to trust and verify client certificates before use, at least in the user context if not in the system context. We will definitely verify the client certificate at the point of authentication.
We decided to use the same PKI for web server certificates. This is not intended for users in browsers; it is intended for applications that need some adaptation and that should verify client certificates before use. For that, you should trust the PKI in use and verify the server certificate using the same PKI.
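As an added illustration (not TaxCore's own code), the following shell example uses OpenSSL to build a constructed stand-in PKI and then verifies a server and a client certificate against the same Root and Issuing CA, including the purpose each certificate is valid for. All names and file paths are placeholders; in practice the real Root and Issuing CA certificates take the place of the generated ones.

```shell
#!/bin/sh
# Constructed stand-in PKI (Root CA -> Issuing CA -> server + client leaves).
# Every name below is a placeholder, not a TaxCore value.
set -eu

issue() {  # $1 dir, $2 signer, $3 new cert name, $4 extension section, $5 subject
  openssl req -config "$1/pki.cnf" -new -newkey rsa:2048 -nodes -subj "$5" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
    -days 30 -extfile "$1/pki.cnf" -extensions "$4" -out "$1/$3.pem" 2>/dev/null
}

make_pki() {  # $1 = empty working directory
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server]
extendedKeyUsage = serverAuth
subjectAltName = DNS:api.example.test
[client]
extendedKeyUsage = clientAuth
EOF
  # Self-signed root: the trust anchor an application installs.
  openssl req -config "$1/pki.cnf" -x509 -extensions ca -newkey rsa:2048 -nodes \
    -days 30 -subj "/CN=Example Root CA" -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  issue "$1" root issuing ca "/CN=Example Issuing CA"
  issue "$1" issuing server server "/CN=api.example.test"
  issue "$1" issuing client client "/CN=Example Client"
}

# Succeeds only if the leaf chains to the root through the issuing CA
# and is valid for the given purpose (sslserver or sslclient).
verify_leaf() {  # $1 dir, $2 purpose, $3 leaf name
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/issuing.pem" \
    -purpose "$2" "$1/$3.pem" >/dev/null 2>&1
}

work=$(mktemp -d)
make_pki "$work"
verify_leaf "$work" sslserver server && echo "server certificate: chains to the PKI"
verify_leaf "$work" sslclient client && echo "client certificate: chains to the PKI"
verify_leaf "$work" sslserver client || echo "client certificate rejected as a server certificate"
```

Sharing one PKI does not make the two certificate types interchangeable: the purpose check still rejects a client certificate presented in the server role.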