mTLS: you calling us

Overview

You'll need to:

  1. Generate a private key and Certificate Signing Request (CSR)
  2. Obtain an Organization Validated (OV) SSL certificate from a recognized authority

Prerequisites

  • OpenSSL installed on your system
  • Administrative access to your domain's DNS
  • Company registration documents (for OV validation)

Step 1: Generate Private Key and CSR

1.1 Generate Private Key

# Generate a 4096-bit RSA private key
openssl genrsa -out server.key 4096

# IMPORTANT: Keep this key secure! Never share it or commit it to version control
chmod 600 server.key

1.2 Generate Certificate Signing Request (CSR)

# Generate the CSR using your private key
openssl req -new -key server.key -out server.csr

You'll be prompted for the following information:

Country Name (2 letter code) [AU]: BE
State or Province Name (full name) [Some-State]: Brabant Wallon
Locality Name (eg, city) []: Mont-Saint-Guibert
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Your Company Legal Name
Organizational Unit Name (eg, section) []: IT Department
Common Name (e.g. server FQDN or YOUR name) []: webhook.yourcompany.com
Email Address []: [email protected]

# Optional fields (press Enter to skip):
A challenge password []:
An optional company name []:

⚠️ Critical Information:

  • Common Name (CN): Must be your exact domain name (e.g., webhook.yourcompany.com)
  • Organization Name: Must be your legal company name (will be verified)
  • Email: Use an email address that can receive validation emails

1.3 Verify Your CSR

# Check CSR contents
openssl req -in server.csr -noout -text

Step 2: Obtain OV SSL Certificate

2.1 Purchase Certificate

  1. Visit an OV certificate reseller (we generally use GlobalSign: GlobalSign SSL Certificates; if you would like to use another one, no problem, just let us know)
  2. Select "Organization Validated (OV) SSL"
  3. Choose certificate duration (1-2 years recommended)
  4. Create an account or log in

2.2 Submit Your CSR

  1. Copy the entire contents of your CSR file:
    cat server.csr
  2. Paste it into the CSR submission form (including the BEGIN/END lines)
  3. Complete the order form with company information

2.3 Complete Organization Validation

Normally the certificate authority will verify:

  • Domain ownership (via DNS, email, or HTTP file)
  • Organization legitimacy (business registration, phone verification)

Domain Validation Options:

When using GlobalSign as an example:

Option A - DNS Validation (Recommended)

# Add TXT record to your DNS:
Host: _globalsign-domain-verification
Value: globalsign-verification=XXXXXXXXXXXXX

Option B - HTTP File Validation

# Create verification file at:
http://webhook.yourcompany.com/.well-known/pki-validation/globalsign.txt

Option C - Email Validation

  • GlobalSign sends email to: admin@, webmaster@, or postmaster@ your domain

2.4 Download Certificates

After approval (typically 1-3 business days), you'll receive:

  • server.crt - Your server certificate
  • intermediate.crt - intermediate certificate
  • Installation instructions

Activate your certificate at Digiteal

Contact support via https://support.digiteal.eu. We will get in touch with you to walk you through this process.

We will need the certificate's full Subject (the complete Distinguished Name) to verify your client certificate against.

Setting up an mTLS client for calling our services

Step 1: Install Certificates

1.1 Create Certificate Bundle

# Combine certificates in correct order
cat server.crt intermediate.crt > server-bundle.crt

# Verify the certificate chain: the intermediate is only a link in the chain,
# so pass it as -untrusted and let the chain end at a root in the system trust store
openssl verify -untrusted intermediate.crt server.crt

1.2 Test Certificate

# Check certificate details
openssl x509 -in server-bundle.crt -text -noout | grep -A2 "Subject:"

# Test certificate and key match
openssl x509 -noout -modulus -in server-bundle.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5
# Both commands should return the same MD5 hash

Step 2 (Optional): Example of calling our service

(Coming soon)

Certificate Renewal

⚠️ Important: OV SSL certificates typically expire after 1-2 years.

Set Renewal Reminder

# Check expiration date
openssl x509 -in server-bundle.crt -noout -enddate

# Add to calendar 30 days before expiration
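The checks from sections 1.1 and 1.2 and the expiry check above, collected into one pre-flight script. This is an added example, not part of Digiteal's documentation: it assumes the OpenSSL CLI, the file names used in this guide, a hypothetical script name preflight.sh, and a service URL that Digiteal provides (placeholder here). It goes slightly beyond the guide's MD5-of-modulus check by comparing the public keys themselves, which also works for non-RSA keys.

```shell
#!/bin/sh
# Pre-flight checks for the mTLS client identity produced by this guide.
# Assumptions: OpenSSL CLI installed; file names as in the guide
# (server-bundle.crt, server.key, intermediate.crt); the service URL is a
# placeholder to be replaced by the one Digiteal gives you.

# 0 when the public key inside the certificate matches the private key.
# Compares the SubjectPublicKeyInfo PEM from both sides, so RSA and EC keys
# are handled the same way; any unreadable file makes the check fail.
cert_key_match() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 when the certificate is still valid $2 days from now, 1 when it will have
# expired by then (the 30-day renewal reminder in script form).
cert_valid_for_days() {
    cert="$1"; days="$2"
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null
}

# 0 when the leaf chains through the intermediate to a root in the system
# trust store. The intermediate is -untrusted: it is a chain link, not a
# trust anchor, so a wrong intermediate cannot make this pass.
chain_verifies() {
    cert="$1"; intermediate="$2"
    openssl verify -untrusted "$intermediate" "$cert" >/dev/null 2>&1
}

# Call the service with the client certificate (mTLS). curl sends the whole
# bundle (leaf + intermediate) and fails on any TLS error or HTTP error status.
mtls_get() {
    url="$1"
    curl --fail --silent --show-error --tlsv1.2 \
         --cert server-bundle.crt --key server.key "$url"
}

# Usage: ./preflight.sh https://<service-url-provided-by-digiteal>/...
if [ -n "${1:-}" ]; then
    cert_key_match server-bundle.crt server.key || { echo "key/cert mismatch"; exit 1; }
    chain_verifies server-bundle.crt intermediate.crt || { echo "chain does not verify"; exit 1; }
    cert_valid_for_days server-bundle.crt 30 || echo "warning: certificate expires within 30 days"
    mtls_get "$1"
fi
```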

Renewal Process

  1. Generate new CSR (can reuse existing private key)
  2. Submit renewal request to your certificate authority
  3. Complete validation (usually faster for renewals)
  4. Replace certificates and restart server