How can I download the service certificates?

Dear Support Team

I need to add the service certificates to the truststore of my application server, as the server will be able to access only your service because we have some policy constraints.

Normally we use openssl or directly the browser, but with your service we are not able to achieve the result because we receive an HTTP 401 without any SSL handshake.

Could you please advise me on how to download the certificates? Or maybe you can provide them via email?

Thanks and Kind regards

Best Answer

  • Irfan.Khan
    Answer ✓

    @francesco.pizzolato

    We can’t recommend this installation of the certificates, as we may update or change certificates without customer notification, and with them trusting our current certificate only, your API integration would break.

    It seems when the user just points at the browser, you get a connection reset, which is interesting and rather un-useful for getting the cert.

    The OpenSSL command appears to work. I would suggest AVALOQ executes the command on their end to validate the certificate rather than us supplying it via insecure means.

    Again though, this is not supported, and it will break when certificates are changed.
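Added example, not part of the thread and not the vendor's own command: one way to pull the certificate chain a server presents with `openssl s_client` and split it for review before anything goes into a truststore. An HTTP status such as 401 is only sent after the TLS handshake has completed, so the chain is visible regardless of the HTTP response. The host `api.example.com`, the function names and the `keytool` line (which assumes a Java truststore) are illustrative assumptions.

```shell
#!/usr/bin/env bash
# Added example. api.example.com is a placeholder, not the service's endpoint.

# Keep only the PEM certificate blocks from `openssl s_client -showcerts` output.
extract_pem_chain() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Count the certificates in a PEM stream read from stdin.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Split a PEM chain (stdin) into <prefix>-1.pem, <prefix>-2.pem, ...
# Servers send the leaf first, followed by the intermediate CA(s).
split_chain() {
    awk -v prefix="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = prefix "-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }'
}

# Fetch the chain presented by host $1 on port $2 (default 443).
# -servername sends SNI so the server selects the right certificate.
fetch_chain() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" \
        -showcerts </dev/null 2>/dev/null | extract_pem_chain
}

# Print the fields a reviewer needs before trusting a certificate file.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

# Typical use (run by hand, needs network access):
#   fetch_chain api.example.com > chain.pem
#   split_chain cert < chain.pem
#   describe_cert cert-1.pem      # leaf: replaced at every renewal
#   describe_cert cert-2.pem      # issuing CA: outlives leaf renewals
# Assumption: Java truststore. Importing the CA certificate rather than
# the leaf avoids the breakage on rotation described in the answer above.
#   keytool -importcert -alias example-ca -file cert-2.pem -keystore truststore.jks
```

Compare the printed SHA-256 fingerprint with one obtained through a separate channel before importing anything, since a chain fetched over the network is only as trustworthy as the path it travelled.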

Answers

  • @francesco.pizzolato

    SSL certificates compatible with TLSv1.2 should be perfect to connect successfully to the WC1 API.

    Request you to check the below link for more information:

    https://www.ssl2buy.com/wiki/ssltls-deployment-best-practices

    Kindly note we do not provide SSL certificates, but expect the clients to get them from a certificate authority. For example: DigiCert.

  • Hi @Irfan.Khan, Speaking with Francesco, I can see that they are unable to connect to our API still once their application is in the server due to the cert issue.

    I think they already procured their SSL certs from a CA, however the handshake is not happening. Do we know why that is the case? Anything to do with our root certificate validation or something?

  • @francesco.pizzolato @Av84

    Request you to provide me the complete error message that you are getting when connecting to the WC1 API.

    Also, please provide me the request headers, response headers, date header value (in GMT) and the response code of the failed request so that I can cross check.

    Request you to provide the certificate details installed too.

  • Hi,

    As AV84 said, we already have OUR certificates, but we need to have a copy of YOUR certificates.

    That is the case because we use a truststore.

    A truststore contains certificates from other parties that you expect to communicate with, or from Certificate Authorities that you trust to identify other parties.

    We will not be able to connect to you if we don't have your certificates because the connectivity is established by our server only if your certificates are present in our truststore.


    Normally we download the certificates directly from the website:

    image

    but being that your HTTPS server does not allow connection via browser we need them directly from you.

    I hope this explains.

  • Hi, we are connecting via Postman; please see my other comment.

  • @francesco.pizzolato

    Thank you for the explanation.

    Please allow me some time to get back with updates on this.

  • We know the error message, and we know how to solve it. We just need your certificates...

  • Hi @Irfan.Khan,

    Based on what is mentioned by Francesco, can you please let me know what we are missing here?

    Kind Regards,

    -- Aravind

  • @Av84 @francesco.pizzolato

    Kindly note that our certificates are signed by public CAs, so if the client has procured their certificates from a CA and they trust our certificates, you should be able to connect to our API server without a problem.

    As we have public keys, our certificates should be automatically stored in your Truststore as soon as you connect with your endpoint.

    Also, I am receiving such a request for the first time so I am quite curious about the implementation that you have done.

    Would you give me more details on the certificates you have acquired, the version of certificate and the screenshot of the error so that I can understand this better and assist you accordingly?

    Also, can you please elaborate on the kind of integration you are doing to connect with the API server?

  • Hi,

    We don't automatically add the certificates to the truststore, because we use a productive environment, and in a productive environment we would not be able to understand if there is a person in between. It is for security reasons.

    We downloaded those certificates. Can you please check if these are the right ones?

    certificates.txt

  • @francesco.pizzolato

    Please allow me some time so that I can get back with updates on this.