KPN RSP Gateway
Connecting to Transparent APIs


Last updated 6 months ago


SSL/TLS Certificates

There are four certificates in play when connecting to the Transparent APIs of the KPN RSP Gateway.

Your server certificate

Your server should expose a properly configured server certificate on the endpoints where we post Callbacks or Notifications to your server.

  • Your server certificate should be signed by a root CA that is trusted in the default Java Trust Store.

  • It should be an OV certificate.

You should renew your server certificate in time.

Your client certificate

You should renew your client certificate in time.

After you have installed your client certificate, we need to know:

  • The subject of your client certificate, containing the common name

Our server certificate

Our client certificate

We prefer to use our publicly signed client certificate for connections to your system. Our publicly signed client certificate is the same certificate as our server certificate. If you accept our publicly signed client certificate, we would not need an annual joint certificate renewal process.

If you prefer to have our client certificate signed by your private PKI, this is also an option. When you sign our client certificate yourself, you should take into account:

  • We will do a renewal of this certificate every year in March, which is a manual process through email.

  • Make sure your certificate is valid for at least one year and two months, giving yourself and us enough time to finish renewal before the old certificate expires.

We can only install one client certificate at a time for a given connection. This means your server should support accepting multiple KPN client certificates at a time to prevent downtime when renewing certificates.

IP addresses

The following two IP addresses should be used when configuring IP whitelisting on your side.

  • To RSP Gateway: 194.122.128.38

  • From RSP Gateway: 194.122.128.33
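An added example (not part of the KPN documentation or KPN's code): one way your callback endpoint could combine the source-address allow-list above with a set of accepted KPN client certificates, so that the old and the renewed certificate are both accepted during a renewal window. Pinning by SHA-256 fingerprint, the class and function names, the placeholder certificate bytes and the dates are assumptions made for illustration, and the check runs in addition to normal TLS chain validation, not instead of it.

```python
import hashlib
import ipaddress
from datetime import datetime, timezone

# Address the page lists for connections coming "From RSP Gateway".
GATEWAY_SOURCES = (ipaddress.ip_network("194.122.128.33/32"),)


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER encoding, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


class ClientCertPins:
    """Accepted KPN client certificates (hypothetical helper).

    Several pins can be active at once, so the renewed certificate can be
    added before the old one expires.
    """

    def __init__(self):
        self._pins = {}  # fingerprint -> not_after (timezone-aware datetime)

    def add(self, cert_der: bytes, not_after: datetime) -> None:
        self._pins[fingerprint(cert_der)] = not_after

    def accepts(self, cert_der: bytes, now: datetime) -> bool:
        not_after = self._pins.get(fingerprint(cert_der))
        return not_after is not None and now < not_after


def accept_callback(peer_ip, cert_der, pins, now=None) -> bool:
    """Application-level check, run after the TLS stack validated the chain.

    cert_der is the peer certificate in DER form, e.g. the value of
    ssl.SSLSocket.getpeercert(binary_form=True); None means no certificate.
    """
    now = now or datetime.now(timezone.utc)
    if not any(ipaddress.ip_address(peer_ip) in net for net in GATEWAY_SOURCES):
        return False
    return cert_der is not None and pins.accepts(cert_der, now)


# Constructed sample data: placeholder bytes stand in for real DER certificates.
OLD_CERT = b"constructed-old-kpn-client-certificate"
NEW_CERT = b"constructed-new-kpn-client-certificate"
PINS = ClientCertPins()
PINS.add(OLD_CERT, datetime(2025, 5, 31, tzinfo=timezone.utc))
PINS.add(NEW_CERT, datetime(2026, 5, 31, tzinfo=timezone.utc))
```

With both pins loaded, a callback from the listed address is accepted with either certificate until the old pin's expiry, after which only the renewed certificate passes.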

Notification interface

The following two URIs should be shared with KPN if you want to receive notifications.

  • Destination URI: HTTPS endpoint where to deliver notifications.

  • Entity Address URI: URI used for identification.

We do not support self-signed server certificates. You can use the SSL Server Test from Qualys to check if your certificate is trusted by the Java trust store.

[Image: the result of the SSL Server Test indicating the certificate is trusted by Java.]

Your client certificate should be signed by a root CA that is part of the Mozilla CA Information Report. We do not support self-signed client certificates.

Our server certificate on rsp.kpnthings.com is signed by Sectigo RSA Domain Validation Secure Server CA.