# Connecting to Transparent APIs

## SSL/TLS Certificates

There are four certificates in play when connecting to the Transparent APIs of the KPN RSP Gateway.

![](https://1245844536-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MHHMirZRFrp5WGM4K55%2F-MMv5exsE12cOmojM9Bd%2F-MMv8B5u7yXeBhdEeVCB%2Fimage.png?alt=media\&token=26bb32ba-bbb6-4c72-be02-46ac680aecd0)

### Your server certificate

Your server should expose a properly configured server certificate on the endpoints where we post Callbacks or Notifications to your server.

* Your server certificate should be signed by a root CA that is trusted in the default Java Trust Store.
* It should be an OV certificate.

We do not support self-signed server certificates. You can use the [SSL Server Test from Qualys](https://www.ssllabs.com/ssltest/index.html) to check if your certificate is trusted by the Java trust store:

![The result of the SSL Server Test indicating the certificate is trusted by Java.](https://gblobscdn.gitbook.com/assets%2F-LLBY41QW77zfazx1q0b%2F-LS-h0vSxdgor8b_zCOG%2F-LS-qD6DmohqBNuizUsY%2Fimage.png?alt=media\&token=371aa8aa-ed49-44eb-b014-71ee8dc0b6b7)

You should renew your server certificate before it expires.

### Your client certificate

Your client certificate should be signed by a root CA that is part of the [Mozilla CA Information Report](https://ccadb-public.secure.force.com/mozilla/CAInformationReport). We do not support self-signed client certificates.

You should renew your client certificate before it expires.

{% hint style="info" %}
After you have installed your client certificate, we need to know:

* The subject of your client certificate, containing the common name
{% endhint %}

### Our server certificate

Our server certificate on `rsp.kpnthings.com` is signed by [Sectigo RSA Domain Validation Secure Server CA](https://support.sectigo.com/articles/Knowledge/Sectigo-Intermediate-Certificates).

### Our client certificate

We prefer to use our publicly signed client certificate for connections to your system. Our publicly signed client certificate is the same certificate as our server certificate. **If you accept our publicly signed client certificate, we would not need an annual joint certificate renewal process.**

If you prefer to have our client certificate signed by your private PKI, this is also an option. When you sign our client certificate yourself, you should take into account:

* We will do a renewal of this certificate **every year in March**, which is a manual process through email.
* Make sure your certificate is valid for at least one year and two months, giving yourself and us enough time to finish renewal before the old certificate expires.

{% hint style="warning" %}
We can only install one client certificate at a time for a given connection. This means your server should support accepting multiple KPN client certificates at a time to prevent downtime when renewing certificates.
{% endhint %}
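
One way to accept the old and the new KPN client certificate side by side during a renewal, shown as an added example that is not KPN's own code. Pinning leaf certificates by SHA-256 fingerprint is this example's choice, and `make_server_context`, `GatewayClientPins` and the labels are hypothetical names.

```python
import hashlib
import ssl

GATEWAY_SOURCE_IP = "194.122.128.33"  # "From RSP Gateway" address in the table on this page


def make_server_context(certfile, keyfile, client_ca_file):
    """TLS server context that requires and chain-validates a client certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    ctx.load_verify_locations(client_ca_file)  # public CA bundle or your private PKI root
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def fingerprint(der_cert):
    """SHA-256 over the DER encoding, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


class GatewayClientPins:
    """Pinned leaf certificates; old and new are both active during a renewal."""

    def __init__(self):
        self._pins = {}  # fingerprint -> label

    def add(self, der_cert, label):
        self._pins[fingerprint(der_cert)] = label

    def retire(self, label):
        self._pins = {fp: name for fp, name in self._pins.items() if name != label}

    def check(self, peer_ip, peer_der):
        """peer_der is SSLSocket.getpeercert(binary_form=True) after the handshake."""
        if peer_ip != GATEWAY_SOURCE_IP:
            return False, "source address not allowlisted"
        if not peer_der:
            return False, "no client certificate presented"
        label = self._pins.get(fingerprint(peer_der))
        if label is None:
            return False, "client certificate not pinned"
        return True, label  # log the label to see when the gateway switched certificates


# Constructed stand-ins for DER bytes; these are not real certificates.
OLD_CERT = b"constructed-der-old"
NEW_CERT = b"constructed-der-new"
```

Add the new pin before the renewal date and call `retire` on the old one only after the logs show the new label on incoming connections.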

## IP addresses

The following two IP addresses should be used when configuring IP whitelisting on your side.

| To RSP Gateway | From RSP Gateway |
| -------------- | ---------------- |
| 194.122.128.38 | 194.122.128.33   |

## Notification interface

The following two URIs should be shared with KPN if you want to receive notifications.

* Destination URI: HTTPS endpoint to which notifications are delivered.
* Entity Address URI: URI used for identification.
