Certificate check
Use your reverse proxy to verify the client certificate that the Access Worldpay Events service sends to your webhook, against the Worldpay Client Certificate chain provided below.
- Configure your webhook URL to request a client certificate during the TLS handshake.
- Validate the certificate we sent against the root you have installed.
Validation & Renewal
Our client certificate is renewed regularly, in line with best practice, so you should never configure your server to expect one specific certificate. We recommend that you validate the certificate using the following aspects:
- The Subject Common Name of the client certificate - this always contains "Payment Status Event Sender".
  Note: For the Try environment it returns "Payment Status Event Sender (secure-test)".
- The root of the signing chain - this has the Common Name "UKDC1-PC-PKI02". The root may occasionally change, and you are notified of any changes.
server {
    listen 8443 ssl;

    # Make sure the certificate is signed by a trusted CA
    ssl_certificate trusted_ca_signed_certificate.crt;
    ssl_certificate_key private.key;

    # Mutual TLS / Specify the allowed CAs for the client cert
    # This is where you put Worldpay's root certificate from the documentation
    ssl_client_certificate client_cert_cas.pem;
    ssl_verify_client on;
    ssl_verify_depth 3;

    # Mutual TLS / Client Cert Auth - client cert has known subject
    if ($ssl_client_s_dn !~ "Payment Status Event Sender") {
        return 403;
    }

    # Mutual TLS / Client Cert Auth - client cert issuer has known subject
    if ($ssl_client_i_dn !~ "UKDC1-PC-PKI02") {
        return 403;
    }

    location / {
        proxy_pass http://localhost:8080;
    }
}
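The two checks above match a string anywhere in the subject or issuer DN. The following added example (not Worldpay's code) applies the same rules to the CN attribute only, for a backend or log audit that receives the DN strings from the proxy. It assumes comma-separated RFC 2253 style DNs; the function names and the sample DNs are hypothetical.

```python
# Added example: CN-level version of the subject and issuer checks.
# The two expected names come from the page; the function names and the
# sample DNs below are assumptions made for illustration.
SUBJECT_CN_MARKER = "Payment Status Event Sender"
ISSUER_CN = "UKDC1-PC-PKI02"


def parse_dn(dn):
    """Split an RFC 2253 style DN ("CN=a,O=b") into (type, value) pairs."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:            # the character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in ",+":       # an unescaped separator ends one attribute
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    pairs = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if sep:
            pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def common_names(dn):
    """Return every CN value in the DN."""
    return [value for attr, value in parse_dn(dn) if attr == "CN"]


def is_worldpay_sender(subject_dn, issuer_dn):
    """Subject CN must contain the marker; issuer CN must equal ISSUER_CN."""
    subject_ok = any(SUBJECT_CN_MARKER in cn for cn in common_names(subject_dn))
    return subject_ok and ISSUER_CN in common_names(issuer_dn)


# Constructed sample DNs (not taken from a real certificate).
_ISSUER = "CN=UKDC1-PC-PKI02,DC=example"
SAMPLES = {
    "standard": ("CN=Payment Status Event Sender,O=Example", _ISSUER),
    "try": ("CN=Payment Status Event Sender (secure-test),O=Example", _ISSUER),
    "marker_outside_cn": ("CN=other-service,OU=Payment Status Event Sender", _ISSUER),
    "other_issuer": ("CN=Payment Status Event Sender,O=Example", "CN=Some Other CA"),
}
```

Because the subject rule is "contains" and the issuer rule compares a CA name, a renewed leaf certificate still passes, while a change of root requires updating `ISSUER_CN` along with the CA bundle.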