How to use mutual TLS
Rabobank protects its APIs with an extra layer of security. Clients or apps that want to interact with our mutual TLS enabled APIs should have an X.509 certificate. The traffic is encrypted over TLS.
To interact with mutual TLS protected APIs, you should follow the below listed steps:
- Get an X.509 certificate.
- Register the certificate on the Rabobank Developer Portal.
- Configure your client software to use the certificate during the TLS handshake.
Step 1: Get an X-509 certificate
For PSD2 APIs, you are required to use a Qualified Certificate for Website Authentication (QWAC certificate). You can use a certificate issued by a qualified trust service provider of your choice.
For the sandbox environment, you can use the example certificate. See: Signing requests for PSD2 APIs.
Step 2: Register the certificate on the Rabobank Developer Portal
Info: Register your app before registering the TLS certificate. You can only register one TLS certificate per app.
To register the certificate:
- Log into the Rabobank developer portal.
- Click My Apps.
- Select the app that should make the TLS protected requests.
- Click Edit.
- Click on the TLS Certificate field and paste your TLS client certificate. This certificate must be in PEM format. For more information, see RFC7468.
- Click Submit.
Step 3: Configure your client software to use the certificate during the TLS handshake
Note: This step assumes you have already subscribed your app to the product containing the API that requires an X.509 client certificate.
Before your application can call the API, you should configure your software to use the private key and certificate.
You can test the configuration as shown in the example below:
|RABOBANK_ENDPOINT_URL||The endpoint of the API you want to call|
|CLIENT_ID||The client ID of your application|
|PATH_TO_KEY_FILE||Path to the key file on your system that belongs to your certificate|
|PATH_TO_CERT_FILE||Path of your client certificate on your system|
curl 'RABOBANK_ENDPOINT_URL' \ --header 'x-ibm-client-id: CLIENT_ID' --key PATH_TO_KEY_FILE --cert PATH_TO_CERT_FILE
Server Name Indication (SNI) is an extension for the TLS protocol to indicate a hostname in the TLS handshake (source wiki).
Transport Layer Security Server Name Indication (TLS SNI) allows clients to include the name of the host they are trying to contact (the "server name") in a request, which allows the server to select and respond with a proper certificate.
To make the TLS connection with the provided hosts secure, all existing (migrating) and/or new customer(s) are required to enable SNI in their client software before interacting with the following Rabobank hostnames:
Note: A TPP not using SNI is most likely to get connection related error messages, for example, 500 internal server error.