Certificate check

  1. Use your reverse proxy to verify the client certificate we send against our Worldpay root certificate.

  2. Configure your webhook URL to request a client certificate during the TLS handshake.
  3. Validate the certificate we sent against the root you have installed.

Validation & Renewal

Our client certificate is renewed regularly, in line with best practice. You should never configure your server to expect one specific certificate. We recommend that you validate the following aspects of the certificate instead:

  • The Subject Common Name of the client certificate - this always contains Payment Status Event Sender.

Note: For the Try environment it returns Payment Status Event Sender (secure-test).

  • The root of the signing chain - this has the Common Name UKDC1-PC-PKI02. The root may occasionally change, and you are notified of any changes.
server {
    listen 8443 ssl;

    # Make sure the certificate is signed by a trusted CA
    ssl_certificate     trusted_ca_signed_certificate.crt;
    ssl_certificate_key private.key;

    # Mutual TLS / Specify the allowed CAs for the client cert
    # This is where you put Worldpay's root certificate from the documentation
    ssl_client_certificate client_cert_cas.pem;
    ssl_verify_client on;
    ssl_verify_depth 3;

    # Mutual TLS / Client Cert Auth - client cert has known subject
    if ($ssl_client_s_dn !~ "Payment Status Event Sender") {
        return 403;
    }

    # Mutual TLS / Client Cert Auth - client cert issuer has known subject
    if ($ssl_client_i_dn !~ "UKDC1-PC-PKI02") {
        return 403;
    }

    location / {
        proxy_pass http://localhost:8080;
    }
}
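
An application-side companion to the nginx checks above, as an added example that is not Worldpay's code: it compares the Common Name values exactly rather than by substring, so a DN that merely contains the expected text in another attribute is rejected. It assumes the proxy forwards `$ssl_client_s_dn` and `$ssl_client_i_dn` to the backend (a setup the page does not show); the function names and sample DNs are constructed for illustration.

```python
# Added example: exact-CN check on DNs forwarded by the reverse proxy.
# Assumption: the backend receives nginx's $ssl_client_s_dn / $ssl_client_i_dn
# strings in RFC 2253 style, e.g. "CN=...,OU=...,O=...".

# Subject CNs stated on the page (live and Try environments).
ALLOWED_SUBJECT_CNS = {
    "Payment Status Event Sender",
    "Payment Status Event Sender (secure-test)",
}
# Issuer CN stated on the page.
EXPECTED_ISSUER_CN = "UKDC1-PC-PKI02"


def split_rdns(dn):
    """Split a DN on unescaped commas, resolving single-character
    backslash escapes (hex escapes are not decoded)."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def common_names(dn):
    """Return the value of every CN attribute in the DN, in order."""
    names = []
    for rdn in split_rdns(dn):
        key, sep, value = rdn.strip().partition("=")
        if sep and key.strip().upper() == "CN":
            names.append(value)
    return names


def is_expected_sender(subject_dn, issuer_dn):
    """True only if subject and issuer each carry exactly one CN and both match."""
    subject_cns = common_names(subject_dn)
    return (
        len(subject_cns) == 1
        and subject_cns[0] in ALLOWED_SUBJECT_CNS
        and common_names(issuer_dn) == [EXPECTED_ISSUER_CN]
    )
```

Only trust these values when the proxy sets them itself and overwrites any copy supplied in the incoming request.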