Client Registration
Overview
Clients are applications or services that interact with the LAAVAT Platform API to perform cryptographic operations such as signing, encryption, and certificate issuance. Before a client can use the platform, it must be registered with appropriate credentials and linked to one or more products.
The Client Registration page in the GUI provides tools to create, view, and manage client registrations. Each registration associates a client identity (defined by a certificate or public key) with a specific client type and product.
Planning client registrations
Before registering a client, ensure that the target product has been created and that the appropriate features and PKI configurations are in place. A client registration links to a product by its UUID, so the product must exist first.
Client Types
Each client registration must specify a client type that determines which operations the client is authorized to perform. The available client types are:
| Client Type | Description | Typical Use Case |
|---|---|---|
| Security Engineer | Full access to product operations including signing, encryption, and certificate management. | Development and security teams managing PKI and signing workflows. |
| CB Tester | Access to testing and validation operations. | Quality assurance and compliance testing teams. |
| Production PC | Access to production signing and encryption operations. | Automated build and release pipelines in manufacturing or CI/CD environments. |
| Issue Device Certificate CA | Authority to issue device certificates at the CA level. | Services managing device certificate issuance for a fleet of devices. |
| Issue Device Certificate | Permission to request individual device certificates. | Individual devices or device provisioning services requesting their own certificates. |
| EST Issue Device Certificate CA | Authority to issue device certificates through the EST protocol at the CA level. | EST-integrated services managing automated device enrollment. |
| EST Issue Device Certificate | Permission to request device certificates through the EST protocol. | Devices enrolling for certificates via EST endpoints. |
Choosing the correct client type
The client type cannot be changed after registration. If you need to modify a client's type, you must delete the existing registration and create a new one. Choose carefully based on the operations the client needs to perform.
Certificates and Keys
Client identity in the LAAVAT Platform is established through cryptographic credentials. Each client registration requires one of the following:
X.509 Certificates
Provide a PEM-encoded X.509 certificate to identify the client. The platform uses the certificate's public key to authenticate API requests signed by the client.
```
-----BEGIN CERTIFICATE-----
MIIBxTCCAWugAwIBAgIUQ3mK...
...
-----END CERTIFICATE-----
```
Certificate requirements
- The certificate must be in PEM format (Base64-encoded DER wrapped in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` headers).
- Self-signed certificates are accepted; the platform does not validate the certificate chain for client authentication.
- Ensure the certificate has not expired. Expired certificates will be rejected during API authentication.
Public Keys
Alternatively, provide a PEM-encoded public key if you do not want to use a full X.509 certificate.
```
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQE...
...
-----END PUBLIC KEY-----
```
Product Association
Every client registration must be linked to a product via its Product ID (UUID). This association determines which product's resources (CAs, features, signing keys) the client can access.
| Field | Format | Description |
|---|---|---|
| Product ID | UUID (e.g., 550e8400-e29b-41d4-a716-446655440000) | The unique identifier of the product this client is authorized to access. |
One product per registration
A single client registration is associated with exactly one product. If a client application needs access to multiple products, create separate registrations for each product.
Registration Workflow
Creating a New Client Registration
- Navigate to Clients > Registration.
- Click Add Client (or the equivalent action button).
- Fill in the required fields:
  - Client Name -- A human-readable name for the client.
  - Client Type -- Select from the available client types.
  - Product ID -- Enter the UUID of the target product.
  - Certificate or Public Key -- Paste the PEM-encoded certificate or public key.
- Click Save to create the registration.
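A pre-submission check for the Product ID and Certificate or Public Key fields, as an added example that is not part of the LAAVAT Platform or its documentation: it checks the UUID format, identifies the PEM type, rejects a pasted private key, and reads `notAfter` from the certificate so an expired credential is caught before registration. All function names are hypothetical, and the sample certificate is a constructed skeleton rather than a real signed certificate.

```python
import base64, re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s+(.*?)\s*-----END \1-----", re.S)
UUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def _tlv(buf, pos):  # read one DER element -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter (UTC)."""
    _, p, _ = _tlv(der, _tlv(der, 0)[1])  # enter Certificate, then tbsCertificate
    tag, _, end = _tlv(der, p)
    p = end if tag == 0xA0 else p         # skip the optional [0] version field
    for _field in range(3):               # serialNumber, signature, issuer
        _, _, p = _tlv(der, p)
    _, p, _ = _tlv(der, p)                # enter validity SEQUENCE
    _, _, p = _tlv(der, p)                # skip notBefore
    tag, start, end = _tlv(der, p)        # notAfter
    text = der[start:end].decode("ascii")
    if tag == 0x17:                       # UTCTime: RFC 5280 maps YY >= 50 to 19YY
        text = ("19" if text[:2] >= "50" else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def sample_cert_pem(not_after):
    """CONSTRUCTED 48-byte skeleton with only the fields read above; not a signed cert."""
    der = (bytes.fromhex("302e302ca00302010202010130003000301e170d")
           + b"240101000000Z\x17\x0d" + not_after.encode())
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

def check_registration(product_id, pem, now=None):
    """Return (pem_label, problems) for the Product ID and credential form fields."""
    now = now or datetime.now(timezone.utc)
    problems = [] if UUID_RE.fullmatch(product_id) else ["Product ID is not a UUID"]
    m = PEM_RE.search(pem)
    if not m:
        return None, problems + ["no PEM block found"]
    label, der = m.group(1), base64.b64decode(m.group(2))
    if "PRIVATE KEY" in label:
        problems.append("private key pasted; register only the certificate or public key")
    elif label not in ("CERTIFICATE", "PUBLIC KEY"):
        problems.append(f"unsupported PEM type: {label}")
    elif label == "CERTIFICATE" and cert_not_after(der) <= now:
        problems.append("certificate has expired")
    return label, problems
```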
Viewing Existing Registrations
The registration list displays all currently registered clients with the following information:
| Column | Description |
|---|---|
| Client Name | The display name of the registered client. |
| Client Type | The type of operations the client is authorized to perform. |
| Product | The product the client is associated with. |
| Created | The date and time the registration was created. |
Deleting a Client Registration
To remove a client registration:
- Locate the client in the registration list.
- Click the Delete action.
- Confirm the deletion in the dialog.
Deletion is permanent
Deleting a client registration immediately revokes the client's access to the platform API. Any in-flight operations by the client may fail. Ensure that the client is no longer in active use before deleting its registration.
Troubleshooting
| Issue | Possible Cause | Resolution |
|---|---|---|
| Client cannot authenticate with the API | Certificate has expired or does not match the registered credential | Re-register the client with a valid certificate or public key |
| Product ID is rejected during registration | The UUID does not correspond to an existing product | Verify the product exists and copy the correct UUID from the Products page |
| Client receives "unauthorized" for an operation | The client type does not include the required permission | Delete the registration and re-create it with the correct client type |