Connecting to Transparent APIs

SSL/TLS Certificates

There are four certificates in play when connecting to the Transparent APIs of the KPN RSP Gateway.

Your server certificate

Your server should expose a properly configured server certificate on the endpoints where we post Callbacks or Notifications to your server.

• Your server certificate should be signed by a root CA that is trusted in the default Java Trust Store.

• It should be an OV certificate.

You should renew your server certificate in time.

Your client certificate

You should renew your client certificate in time.

Our server certificate

Our client certificate

We prefer to use our publicly signed client certificate for connections to your system. Our publicly signed client certificate is the same certificate as our server certificate. If you accept our publicly signed client certificate, we would not need an annual joint certificate renewal process.

If you prefer to have our client certificate signed by your private PKI, this is also an option. When you sign our client certificate yourself, you should take into account:

• We will do a renewal of this certificate every year in March, which is a manual process through email.

• Make sure your certificate is valid for at least one year and two months, giving yourself and us enough time to finish renewal before the old certificate expires.

IP addresses

The following two IP addresses should be used when configuring IP whitelisting on your side.

Notification interface

The following two URI's should be shared with KPN if you want to receive notifications.

• Destination URI: HTTPS endpoint where to deliver notifications.

• Entity Address URI: URI used for identification.