WebAuthn, Passkey, FIDO2, U2F provider certificates

Blitz Identity Provider lets you override the list of intermediate and root certificates trusted for security key providers (WebAuthn, Passkey, FIDO2, U2F). To do this, in the blitz.prod.local.idp.webAuthn.trustedStores settings block, specify the type (type), file path (path) and access password (password) of the key container used to verify the signature of the attestation objects generated during security key registration. The standard key container is updated automatically when new versions of Blitz Identity Provider are installed and contains the current root and intermediate certificates of TPM modules and FIDO, as well as the Apple and Google certificates required to verify attestation object signatures. To restrict security keys to devices from specific vendors, remove the unnecessary root and intermediate certificates from the key container.

Example of configuration:

"webAuthn" : {
    …
    "trustedStores" : [
        {
            "password" : "*****",
            "path" : "webAuthn-trusted-ca.jks",
            "type" : "jKS"
        }
    ],
    …
}
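The following is an added example, not part of the Blitz Identity Provider documentation or product, showing what "removing unnecessary root and intermediate certificates from the key container" amounts to at the file level. It reads a version-2 JKS store of trusted-certificate entries using only the Python standard library, verifies the store's password-keyed SHA-1 integrity digest, and writes a pruned copy that keeps only the aliases you choose. The aliases and the DER blobs in SAMPLE_ENTRIES are constructed placeholders, not real vendor certificates; the password "changeit" is likewise an assumed value.

```python
"""Inspect and prune a JKS trust store of the kind referenced by the
webAuthn.trustedStores setting (added example; standard library only).

JKS layout (version 2): magic 0xFEEDFEED, version, entry count, then per
entry a tag (2 = trusted certificate), alias, creation timestamp, certificate
type and DER bytes, followed by a 20-byte SHA-1 integrity digest computed
over the password (UTF-16BE), a fixed salt and everything before the digest.
"""
import hashlib
import struct
import time

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
TRUSTED_CERT_TAG = 2
# Fixed salt that Java's JavaKeyStore mixes into the integrity digest.
DIGEST_SALT = b"Mighty Aphrodite"


def _utf(s: str) -> bytes:
    """Java DataOutputStream.writeUTF: 2-byte length prefix + UTF-8 bytes."""
    raw = s.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def _integrity_digest(password: str, body: bytes) -> bytes:
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(DIGEST_SALT)
    h.update(body)
    return h.digest()


def write_jks(entries, password: str) -> bytes:
    """Serialise [(alias, der_bytes), ...] as trusted-certificate entries."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    now_ms = int(time.time() * 1000)
    for alias, der in entries:
        body += struct.pack(">I", TRUSTED_CERT_TAG) + _utf(alias)
        body += struct.pack(">q", now_ms)
        body += _utf("X.509") + struct.pack(">I", len(der)) + der
    return body + _integrity_digest(password, body)


def read_jks(data: bytes, password: str):
    """Verify the integrity digest and return [(alias, der_bytes), ...]."""
    body, digest = data[:-20], data[-20:]
    if _integrity_digest(password, body) != digest:
        raise ValueError("JKS integrity check failed: wrong password or tampered store")
    magic, version, count = struct.unpack_from(">III", body, 0)
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a version-2 JKS file")
    pos, entries = 12, []
    for _ in range(count):
        tag, = struct.unpack_from(">I", body, pos); pos += 4
        alen, = struct.unpack_from(">H", body, pos); pos += 2
        alias = body[pos:pos + alen].decode("utf-8"); pos += alen
        pos += 8  # creation timestamp, not needed here
        if tag != TRUSTED_CERT_TAG:
            # A trust store should hold only trusted certificates; private key
            # entries (tag 1) have a different layout and are rejected here.
            raise ValueError(f"unsupported entry type {tag} at alias {alias!r}")
        tlen, = struct.unpack_from(">H", body, pos); pos += 2 + tlen  # skip "X.509"
        clen, = struct.unpack_from(">I", body, pos); pos += 4
        entries.append((alias, body[pos:pos + clen])); pos += clen
    return entries


def prune_jks(data: bytes, password: str, keep) -> bytes:
    """Return a new store containing only aliases for which keep(alias) is true."""
    kept = [(a, d) for a, d in read_jks(data, password) if keep(a)]
    return write_jks(kept, password)


# Constructed sample: placeholder blobs standing in for real vendor root certificates.
SAMPLE_ENTRIES = [
    ("vendor-a-root-placeholder", b"DER-PLACEHOLDER-A"),
    ("vendor-b-root-placeholder", b"DER-PLACEHOLDER-B"),
    ("vendor-c-root-placeholder", b"DER-PLACEHOLDER-C"),
]


def demo():
    """Build a sample store, keep only vendors A and B, and list what remains."""
    store = write_jks(SAMPLE_ENTRIES, "changeit")  # assumed password
    restricted = prune_jks(store, "changeit", lambda a: a.startswith(("vendor-a", "vendor-b")))
    return [alias for alias, _ in read_jks(restricted, "changeit")]


if __name__ == "__main__":
    print(demo())
```

In practice the same inspection and pruning can be done with the JDK's keytool (keytool -list -keystore webAuthn-trusted-ca.jks to see the aliases, keytool -delete -alias <alias> to drop one); the value of doing it explicitly, as above, is that the integrity check fails loudly on a wrong password or a modified file, and the pruned store you point trustedStores at contains exactly the roots you intend to accept attestation chains from. Keep in mind that only the standard container is refreshed on product upgrades, so a pruned copy has to be maintained by you.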