Certificate validation
Using a reverse proxy, validate the client certificate that the Access Worldpay Events service presents to your webhook against the Worldpay client certificate chain provided below.
-----BEGIN CERTIFICATE-----
MIIDDTCCAfWgAwIBAgIQGySI/8Kqy4NKck75a5NGmjANBgkqhkiG9w0BAQsFADAZ
MRcwFQYDVQQDEw5VS0RDMS1QQy1QS0kwMTAeFw0xMjA1MjUxMzQ1MzJaFw00MjA1
MjUxMzQ3MzVaMBkxFzAVBgNVBAMTDlVLREMxLVBDLVBLSTAxMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA02EgNMpqByKnsMNMBVYN+Wy+np9Y7SNk+NuF
0JqytNhK2/MsiSi6atdXjkX245TCWzesALTuQEROk2OISMqWd6jDj8S9wkEyRT4b
6TF3bieT3HsTZU4tSXbbYN1oul0K1F3Q7L/d80keWEVN6++nCwfDiOlH6iiryiU4
bgioB3MrYEnd+HufZ5R3tiwxwfmWD0PJPMUGdco2MGDG//K8973Owk/Bz16CekTa
BnYXAApNoPPxxebtlvyL46sn5mHEJgPbQlbP0I0wZIo1LORGFMx/o4O7O8W8hKmR
P0Be2EVaYal8FbaH74bzDjR5KoL71nLXjaauL09FXks4EmsFyQIDAQABo1EwTzAL
BgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUgWMaHVvPyeET
tX49QUujXgYWy+AwEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQELBQADggEB
ANG72zI1F4j3rXkoCRT8NV0JPm4XZLxk57GQ/Vvh53eosQeU2dSynu0ji7UY7uq1
fvtV5Sh6KNcbI8Vv9S1MoHDqHRTu+4+Sa+KnlMyCp+ijJlD0P86HFIwR4udwGXaK
D6NWXD/SH/6mNYMc89mVyHBhbExdmaSfKLb5fR+qREIQ/ado/+SBqqqZ1iTGwu3N
Ke0/gT3Wb8xXb7hbFyc+DyYvlfIF7L/1gdAADP/VxBz+ZkbGfZ6vm7DySW3z9KA6
C2t/aTCleQbDwIdqApBHVHdhZavXl4yLnurJrhVjcjQ7us7RtznIkDefY1vtlkHj
rbTzNQcjQx3++QS/f6qB2yA=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEHjCCAwagAwIBAgIKYRMiXgAAAAAAAjANBgkqhkiG9w0BAQsFADAZMRcwFQYD
VQQDEw5VS0RDMS1QQy1QS0kwMTAeFw0xMjA2MTExMzUwMjdaFw0zMjA2MTExNDAw
MjdaMEoxFTATBgoJkiaJk/IsZAEZFgVsb2NhbDEYMBYGCgmSJomT8ixkARkWCHdv
cmxkcGF5MRcwFQYDVQQDEw5VS0RDMS1QQy1QS0kwMjCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBALaDVvxrP8ALfRZKvJjeLI7zaqhO8qC3StHqVdqeqrWs
UOtzpuXMVADAghFaBqSSSqCo5exfuaLZbmUuwU8rps/FEcNbJv213nP4KQER/d2K
NMRMKSFxBPWHwkXxNa2hpP0hmPEvzHfX6AzDrnXG1c4x9wJX2nLfsuzeQa9pPHLy
AMQlY8k5qbWx8ruMSa5F36tmepdqunsW/JKLjf0YUPtv/+vW9Z2+c3J9O+QCdbBG
KsX2VxXI4kZrPnHID2xylBMilauQ6iRMA8MLS1UMzVdVbXniTT4rt3XCOuiSixSp
u++LFthDCuVOqTdzZLNgJPWY26Ehzq1eCFo8SENiGCECAwEAAaOCATUwggExMBAG
CSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBTKicq3YH41iGQhgiIN/z/Z5/WzzTAZ
BgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/
BAUwAwEB/zAfBgNVHSMEGDAWgBSBYxodW8/J4RO1fj1BS6NeBhbL4DBEBgNVHR8E
PTA7MDmgN6A1hjNmaWxlOi8vVUtEQzEtUEMtUEtJMDEvQ2VydEVucm9sbC9VS0RD
MS1QQy1QS0kwMS5jcmwwXgYIKwYBBQUHAQEEUjBQME4GCCsGAQUFBzAChkJmaWxl
Oi8vVUtEQzEtUEMtUEtJMDEvQ2VydEVucm9sbC9VS0RDMS1QQy1QS0kwMV9VS0RD
MS1QQy1QS0kwMS5jcnQwDQYJKoZIhvcNAQELBQADggEBAJr2NfHAd2L2nUW/XIwP
1bo33IrQG75s6DNVll6Kb6iNDVybYeUdpKv8ajPn3Jrt2WcvU3d9vdhzKa8BE773
R1pKSVT7aELXHArRS4gBY1mZ3/4bH/80LHjjHSM+L36jieDSBiKqfyNKcPBoXZj+
+o+EL1Bklh9Fqux6eWUkKRaddWadlCNMAMZCJKmkkyU0mF3HY7ekO11Bo82J1GQ+
XdUXFPSqSapT5QkEoRvl30A0NSn63vwibdyWQT4S4NIfBltuK2eN3UDwZMsimYvI
+Bu38MtdiWWwyMRMSnONgn6l2aaD+c0mJ2YDghjH6v9q5vwbZox98HJ9mcjzmHiV
Cww=
-----END CERTIFICATE-----
- Configure your webhook URL so that it requests a client certificate during the TLS handshake.
- Validate the certificate we send against the root certificate you have installed.
Validation and renewal
Our client certificate is renewed periodically, in line with best practice. You must not configure your server to accept only one specific certificate. We recommend validating the certificate on the following:
- The subject common name of the client certificate: this will always contain Payment Status Event Sender. Note: for the Try environment, it returns Payment Status Event Sender (secure-test).
- The root of the signing chain: it has the common name UKDC1-PC-PKI02. The root may occasionally change, and you will be notified of any change.
Example nginx configuration that applies these checks:
server {
    listen 8443 ssl;
    # Make sure the certificate is signed by a trusted CA
    ssl_certificate trusted_ca_signed_certificate.crt;
    ssl_certificate_key private.key;
    # Mutual TLS / Specify the allowed CAs for the client cert
    # This is where you put Worldpay's root certificate from the documentation
    ssl_client_certificate client_cert_cas.pem;
    ssl_verify_client on;
    ssl_verify_depth 3;
    # Mutual TLS / Client Cert Auth - client cert has known subject
    if ($ssl_client_s_dn !~ "Payment Status Event Sender") {
        return 403;
    }
    # Mutual TLS / Client Cert Auth - client cert issuer has known subject
    if ($ssl_client_i_dn !~ "UKDC1-PC-PKI02") {
        return 403;
    }
    location / {
        proxy_pass http://localhost:8080;
    }
}
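The validation policy above (chain to a trusted CA, subject CN contains the sender name, issuer CN matches, no single leaf certificate pinned) can be checked outside nginx as well, for instance in the webhook receiver itself. The following Go program is an added example written for this page, not Worldpay code: it builds a constructed private PKI shaped like the chain above (a root, an issuing CA named UKDC1-PC-PKI02, and event-sender leaf certificates) with throwaway keys, then runs the same three checks over a renewed certificate, the Try environment name, a wrong subject CN, and a certificate from an untrusted CA that merely reuses the issuer name. Only the two policy strings come from the page; every certificate, key, serial number and name such as CONSTRUCTED-ROOT is constructed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Policy values from the page: subject CN must contain the first, issuer CN must equal the second.
const (
	RequiredSubjectCN = "Payment Status Event Sender"
	RequiredIssuerCN  = "UKDC1-PC-PKI02"
)

// VerifyWebhookClient mirrors the nginx checks: chain to a trusted CA (ssl_client_certificate +
// ssl_verify_client), subject CN ($ssl_client_s_dn) and issuer CN ($ssl_client_i_dn).
// It deliberately never compares against one pinned leaf certificate.
func VerifyWebhookClient(leaf *x509.Certificate, roots, intermediates *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return fmt.Errorf("chain verification failed: %w", err)
	}
	if !strings.Contains(leaf.Subject.CommonName, RequiredSubjectCN) {
		return fmt.Errorf("unexpected subject CN %q", leaf.Subject.CommonName)
	}
	if leaf.Issuer.CommonName != RequiredIssuerCN {
		return fmt.Errorf("unexpected issuer CN %q", leaf.Issuer.CommonName)
	}
	return nil
}

// template builds a CA or TLS-client leaf template with a one-day validity (constructed data).
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA { // CAs sign certificates; the clientAuth EKU belongs on leaves only
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	return t
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl under parent with a fresh P-256 key; a nil parent yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// BuildScenario constructs a PKI shaped like the page's chain (root -> issuing CA named
// UKDC1-PC-PKI02 -> event-sender leaf) and a set of named client certificates to evaluate.
func BuildScenario() (roots, inters *x509.CertPool, certs map[string]*x509.Certificate) {
	root, rootKey := issue(template("CONSTRUCTED-ROOT", 1, true), nil, nil)
	issuing, issuingKey := issue(template(RequiredIssuerCN, 2, true), root, rootKey)
	rogueCA, rogueKey := issue(template(RequiredIssuerCN, 3, true), nil, nil) // right name, untrusted key
	roots, inters = x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(issuing)
	leaf := func(cn string, serial int64, ca *x509.Certificate, k *ecdsa.PrivateKey) *x509.Certificate {
		c, _ := issue(template(cn, serial, false), ca, k)
		return c
	}
	certs = map[string]*x509.Certificate{
		"current":  leaf(RequiredSubjectCN, 10, issuing, issuingKey),
		"renewed":  leaf(RequiredSubjectCN, 11, issuing, issuingKey), // new key and serial: must still pass
		"try-env":  leaf(RequiredSubjectCN+" (secure-test)", 12, issuing, issuingKey),
		"wrong-cn": leaf("Some Other Client", 13, issuing, issuingKey),
		"rogue-ca": leaf(RequiredSubjectCN, 14, rogueCA, rogueKey),
	}
	return roots, inters, certs
}

func main() {
	roots, inters, certs := BuildScenario()
	for name, c := range certs {
		fmt.Printf("%-9s -> %v\n", name, VerifyWebhookClient(c, roots, inters))
	}
}
```

The renewed certificate passes because the checks are on the chain and the names, not on a fingerprint, which is the behaviour the renewal note above asks for; the rogue-ca case fails even though both its subject and issuer names are correct, which is why the name checks are only meaningful after the chain has verified against the CA certificates you installed.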