# Connecting to Transparent APIs ## SSL/TLS Certificates There are four certificates in play when connecting to the Transparent APIs of the KPN RSP Gateway. ![](https://1245844536-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MHHMirZRFrp5WGM4K55%2F-MMv5exsE12cOmojM9Bd%2F-MMv8B5u7yXeBhdEeVCB%2Fimage.png?alt=media\&token=26bb32ba-bbb6-4c72-be02-46ac680aecd0) ### Your server certificate Your server should expose a properly configured server certificate on the endpoints where we post Callbacks or Notifications to your server. * Your server certificate should be signed by a root CA that is trusted in the default Java Trust Store. * It should be an OV certificate. We do not support self-signed server certificates. You can use the [SSL Server Test from Qualys](https://www.ssllabs.com/ssltest/index.html) to check if your certificate is trusted by the Java trust store: ![The result of the SSL Server Test indicating the certificate is trusted by Java.](https://gblobscdn.gitbook.com/assets%2F-LLBY41QW77zfazx1q0b%2F-LS-h0vSxdgor8b_zCOG%2F-LS-qD6DmohqBNuizUsY%2Fimage.png?alt=media\&token=371aa8aa-ed49-44eb-b014-71ee8dc0b6b7) You should renew your server certificate in time. ### Your client certificate Your client certificate should be signed by a root CA that is part of the [Mozilla CA Information Report](https://ccadb-public.secure.force.com/mozilla/CAInformationReport). We do not support self-signed client certificates. You should renew your client certificate in time. {% hint style="info" %} After you installed your client certificate, we need to know: * The subject of your client certificate, containing the common name {% endhint %} ### Our server certificate Our server certificate on `rsp.kpnthings.com` is signed by [Sectigo RSA Domain Validation Secure Server CA](https://support.sectigo.com/articles/Knowledge/Sectigo-Intermediate-Certificates). ### Our client certificate We prefer to use our publicly signed client certificate for connections to your system. Our publicly signed client certificate is the same certificate as our server certificate. **If you accept our publicly signed client certificate, we would not need an annual joint certificate renewal process.** If you prefer to have our client certificate signed by your private PKI, this is also an option. When you sign our client certificate yourself, you should take into account: * We will do a renewal of this certificate **every year in March**, which is a manual process through email. * Make sure your certificate is valid for at least one year and two months, giving yourself and us enough time to finish renewal before the old certificate expires. {% hint style="warning" %} We can only install one client certificate at a time for a given connection. This means your server should support accepting multiple KPN client certificates at a time to prevent downtime when renewing certificates. {% endhint %} ## IP addresses The following two IP addresses should be used when configuring IP whitelisting on your side. | To RSP Gateway | From RSP Gateway | | -------------- | ---------------- | | 194.122.128.38 | 194.122.128.33 | ## Notification interface The following two URI's should be shared with KPN if you want to receive notifications. * Destination URI: HTTPS endpoint where to deliver notifications. * Entity Address URI: URI used for identification. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.kpnthings.com/kpn-things/rsp/transparent-api/connecting.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.