Connecting to Transparent APIs

SSL/TLS Certificates

There are four certificates in play when connecting to the Transparent APIs of the KPN RSP Gateway.

Your server certificate

Your server should expose a properly configured server certificate on the endpoints where we post Callbacks or Notifications to your server.
  • Your server certificate should be signed by a root CA that is trusted in the default Java Trust Store.
  • It should be an OV certificate.
We do not support self-signed server certificates. You can use the SSL Server Test from Qualys to check if your certificate is trusted by the Java trust store:
The result of the SSL Server Test indicating the certificate is trusted by Java.
You should renew your server certificate in time.

Your client certificate

Your client certificate should be signed by a root CA that is part of the Mozilla CA Information Report. We do not support self-signed client certificates.
You should renew your client certificate in time.
After you installed your client certificate, we need to know:
  • The subject of your client certificate, containing the common name

Our server certificate

Our server certificate on is signed by Sectigo RSA Domain Validation Secure Server CA.

Our client certificate

We prefer to use our publicly signed client certificate for connections to your system. Our publicly signed client certificate is the same certificate as our server certificate. If you accept our publicly signed client certificate, we would not need an annual joint certificate renewal process.
If you prefer to have our client certificate signed by your private PKI, this is also an option. When you sign our client certificate yourself, you should take into account:
  • We will do a renewal of this certificate every year in March, which is a manual process through email.
  • Make sure your certificate is valid for at least one year and two months, giving yourself and us enough time to finish renewal before the old certificate expires.
We can only install one client certificate at a time for a given connection. This means your server should support accepting multiple KPN client certificates at a time to prevent downtime when renewing certificates.

IP addresses

The following two IP addresses should be used when configuring IP whitelisting on your side.
To RSP Gateway
From RSP Gateway

Notification interface

The following two URI's should be shared with KPN if you want to receive notifications.
  • Destination URI: HTTPS endpoint where to deliver notifications.
  • Entity Address URI: URI used for identification.