KPN RSP Gateway
↩ All Documentation
Search…
About Remote SIM Provisioning
Concepts of RSP
KPN RSP Gateway APIs
Transparent API
Introduction to Transparent API
Connecting to Transparent APIs
mTLS
ES2 interface description
ES4 interface description
Extended API
Introduction to Extended API
Help
Support
Release notes
Powered By GitBook
mTLS
Explaining mutual TLS authentication.
Mutual TLS authentication (also called Mutual SSL authentication, mTLS authentication, or mTLS for short) is a method for clients to authenticate themselves on accessing a server. It is an authentication method implemented on the transport layer. That makes mTLS often a new paradigm for people and sometimes hard to understand. This page should provide some clarity.
In regular TLS communication, only the server presents a certificate in order for the client to verify the identify of the server. In mTLS, the client performing the call to the server presents a certificate as well, enabling the server to verify the identify of the client as well.
To summarize the setup of mTLS compared to regular TLS communication:
  • The entity performing the call is the client and should present a client certificate.
  • The entity receiving the call is the server and should verify the client certificate.
An Introduction to Mutual SSL Authentication
CodeProject

KPN certificates

KPNs client certificate and server certificate are the same, and signed:
  • Intermediate: Sectigo RSA Domain Validation Secure Server CA
  • Root: Sectigo

How it works

1
curl -v https://rsp.kpnthings.com/esim-messaging/3/ES4/ES4SmSrService --cert mycert.crt –key mykey.key --CAcert cacert.crt --data 'test'
2
3
4
* Trying 145.128.79.83...
5
* TCP_NODELAY set
6
* Connected to rsp.kpnthings.com (145.128.79.83) port 443 (#0)
7
* ALPN, offering h2
8
* ALPN, offering http/1.1
9
* successfully set certificate verify locations:
10
* CAfile: cacert.crt
11
CApath: none
12
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
13
* TLSv1.2 (IN), TLS handshake, Server hello (2):
14
* TLSv1.2 (IN), TLS handshake, Certificate (11):
15
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
16
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
17
* TLSv1.2 (IN), TLS handshake, Server finished (14):
18
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
19
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
20
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
21
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
22
* TLSv1.2 (OUT), TLS handshake, Finished (20):
23
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
24
* TLSv1.2 (IN), TLS handshake, Finished (20):
25
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
26
* ALPN, server accepted to use h2
27
* Server certificate:
28
* subject: CN=rsp.kpnthings.com
29
* start date: Sep 8 00:00:00 2020 GMT
30
* expire date: Sep 9 23:59:59 2021 GMT
31
* subjectAltName: host "rsp.kpnthings.com" matched cert's "rsp.kpnthings.com"
32
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
33
* SSL certificate verify ok.
34
* Using HTTP2, server supports multi-use
35
* Connection state changed (HTTP/2 confirmed)
36
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
37
* Using Stream ID: 1 (easy handle 0x7fdb4700aa00)
38
> POST /esim-messaging/3/ES4/ES4SmSrService HTTP/2
39
> Host: rsp.kpnthings.com
40
> User-Agent: curl/7.64.1
41
> Accept: */*
42
> Content-Length: 4
43
> Content-Type: application/x-www-form-urlencoded
44
Copied!
Transparent API - Previous
Connecting to Transparent APIs
Next - Transparent API
ES2 interface description
Last modified 1yr ago
Copy link
Contents
KPN certificates
How it works