How to use mutual TLS
Some Rabobank APIs are protected with an extra layer of security. Clients (apps) that call these APIs are authenticated with an X.509 client certificate, and the traffic is encrypted using mutual TLS (mTLS).
If an API requires a registered X.509 client certificate, this will be stated in the API reference documentation in the Security section.
If your application wants to use these mTLS protected APIs, you must complete these extra steps:
- Get an X.509 certificate.
- Register the certificate on the Rabobank Developer Portal.
- Configure your client software to use the certificate during the TLS handshake.
Step 1: Getting an X.509 certificate
- For PSD2 APIs, you must use a Qualified Certificate for Website Authentication (QWAC certificate). Use a certificate issued by the Qualified Trust Service Provider of your choice.
- For Premium APIs, see: Which certificates do we support.
- Use our example certificate in the sandbox environment. See: Signing requests for PSD2 APIs.
Step 2: Register the certificate on the Rabobank Developer Portal
- You must register your app before you can register the certificate.
- You can only register one TLS certificate per app.
To register the certificate:
- Log into the Rabobank developer portal.
- Click My Apps.
- Select the app that will make the TLS protected requests.
- Click Edit.
- Click on the TLS Certificate field and paste your TLS client certificate. This certificate must be in PEM format. For more information, see RFC7468.
- Click Submit.
Step 3: Configure your client software to use the certificate during the TLS handshake
This step assumes you have already subscribed your app to the product containing the API that requires an X.509 client certificate.
When your application calls an API that requires an X.509 client certificate, you must configure your software so it can use the private key and certificate.
curl \
  --header "x-ibm-client-id:REPLACE_WITH_CLIENT_ID" \
  --key REPLACE_WITH_PATH_TO_KEY_FILE \
  --cert REPLACE_WITH_PATH_TO_CERT \
  --verbose \
  --insecure \
  --location \
  --cookie curlcookies \
  REPLACE_WITH_API_URL
Explanation of the options:
--header     Add a header to the request
--key        Absolute path to the private key file
--cert       Absolute path to the certificate file
--insecure   Ignore the server certificate (you probably don't need this option)
--location   Follow redirects
--cookie     Use a cookie jar
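The same configuration in application code, as an added example that is not Rabobank's own code: it uses only the Python standard library to (a) check that the text you are about to paste into the TLS Certificate field is a single RFC 7468 CERTIFICATE block and not, by mistake, your private key, and (b) present the certificate and key during the TLS handshake while still verifying the server certificate (the equivalent of leaving out --insecure). The PEM bodies below are constructed placeholders, not real certificates; the check assumes the portal field expects the single client certificate rather than a chain; file paths, client id and URL are placeholders to replace with your own values.

```python
"""Added example (not Rabobank's code): prepare and use an X.509 client
certificate for an mTLS-protected API call with the Python standard library.
Paths, client id and URL below are placeholders."""
import base64
import http.client
import re
import ssl
from urllib.parse import urlsplit

# RFC 7468 textual encoding: a label per block, base64 body between the lines.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def check_certificate_pem(text):
    """Return (ok, reason) for text meant for the portal's TLS Certificate field:
    exactly one CERTIFICATE block, valid base64, a DER SEQUENCE inside, and no
    private-key material anywhere (the key stays on your client, never uploaded)."""
    blocks = _PEM_BLOCK.findall(text)
    labels = [label for label, _ in blocks]
    if not blocks:
        return False, "no PEM block found (expected -----BEGIN CERTIFICATE-----)"
    if any("PRIVATE KEY" in label for label in labels):
        return False, "private key material present; upload only the certificate"
    if labels.count("CERTIFICATE") != 1:
        return False, "expected exactly one CERTIFICATE block, found %d" % labels.count("CERTIFICATE")
    body = "".join(b for label, b in blocks if label == "CERTIFICATE")
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "certificate body is not valid base64"
    if not der or der[0] != 0x30:
        return False, "decoded body is not a DER SEQUENCE (wrong format, e.g. PKCS#12?)"
    return True, "ok"


def build_mtls_context(cert_path, key_path, key_password=None):
    """TLS context that presents the client certificate and key during the
    handshake. Server certificate and hostname verification stay enabled."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_path, keyfile=key_path, password=key_password)
    return ctx


def call_api(url, client_id, ctx, timeout=10):
    """GET url over mTLS, sending the x-ibm-client-id header; returns (status, body)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("mTLS requires an https URL")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                       context=ctx, timeout=timeout)
    try:
        conn.request("GET", path, headers={"x-ibm-client-id": client_id,
                                           "Accept": "application/json"})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


# Constructed sample input: a PEM wrapper around a tiny DER SEQUENCE (not a real
# certificate) and a private-key block that the check must reject.
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
                   + "\n-----END CERTIFICATE-----\n")
SAMPLE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMAMCAQA=\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(check_certificate_pem(SAMPLE_CERT_PEM))   # (True, 'ok')
    print(check_certificate_pem(SAMPLE_KEY_PEM))    # rejected: private key
    # Real call with your own files (placeholders):
    # ctx = build_mtls_context("/abs/path/client.crt", "/abs/path/client.key")
    # print(call_api("https://REPLACE_WITH_API_URL", "REPLACE_WITH_CLIENT_ID", ctx))
```

Run the PEM check on the exact text you paste into the portal; the key file referenced by --key (or key_path here) is never part of that text. If the server presents a certificate your system does not trust, fix the trust store rather than disabling verification.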