Welcome to our new developer portal! Use the "Ask" button to chat with our AI Agent.
Ctrlk
For the complete documentation index, see llms.txt. This page is also available as Markdown.

TLS 相互認証を設定する

All D1 APIs require TLS mutual authentication. This applies to inbound and outbound connectivity.

Set up TLS mutual authentication before you configure any D1 service. Each D1 environment uses a single endpoint for all D1 APIs.

PreProd and Production are isolated from each other. Set up TLS mutual authentication separately for each environment.

TLS mutual authentication is configured per issuer identifier. Your Thales Delivery Team provides the issuer identifier during D1 Onboarding.

TLS mutual authentication from the issuer backend to the D1 backend.

Once TLS mutual authentication is established, you can use it for all D1 APIs. The target paths may differ by D1 service.

Requirements

  1. Mutual Authentication

  2. TLS 1.2, 1.3

  3. Over the internet (no IP allowlisting)

  4. D1 server CA: signed by AWS CA https://www.amazontrust.com/repository/

  5. Issuer client certificate: signed by the Thales CA

Issuer client certificate

To call the D1 API, your issuer backend must present a client certificate signed by the Thales CA. Send a Certificate Signing Request (CSR) to the Thales Delivery Team for signing.

Requirements

  1. Algorithm: RSA encryption with 4096-bit or ECDSA P-256 keys and SHA256 hashing.

  2. Common Name (CN): the format and value are enforced by Thales. Use the pattern in step 2 below.

Example CSR generation

Repeat this procedure for each environment you target: PreProd and Production.

  1. Generate a new key pair for your CSR either RSA or ECDSA.

You can create an RSA 4096 key pair with the following OpenSSL command:

You can create an ECDSA P-256 key pair with the following OpenSSL commands:

  1. Details for mTLS client certificate.

where:

  • country is the issuer country.

  • state is the issuer state or region.

  • locality is the issuer locality (city).

  • Issuer Organization is your issuer organization name.

  • Issuer Organization Unit is your issuer organization unit.

  • CN is the Common Name.

  • issuerId is the issuer identifier provided by the Thales Delivery Team.

  • env is the target environment for this certificate. Use PPR for PreProd and PRD for Production.

  • ECDSA vs RSA in CN depends on key type.

DNS requirements

Do not configure, hardcode, or cache D1 IP addresses beyond the DNS TTL.

The issuer backend must always resolve the D1 domain name and its subdomains using DNS. D1 does not provide long-term static IP addresses.

TLS mutual authentication from the D1 backend to the issuer backend.

Requirements

  1. Mutual Authentication

  2. TLS 1.2, 1.3

  3. Your server must listen on port 443 (8443 is supported, but 443 is preferred)

  4. Over the internet (no IP whitelisting)

  5. Trust the Thales Client CA to authenticate the client certificate presented by D1 (shared during D1 Onboarding)

  6. Provide your server CA chain during D1 Onboarding so D1 can trust your server certificate

Thales expects a TLS certificate issued by a CA recognized by Mozilla. If the endpoint you expose to the D1 backend relies on a private CA, or does not include the full CA chain in its TLS configuration, provide a PEM-formatted trust store to the Thales Delivery Team.

Notify Thales in advance before you change any CA.

Trust only the Thales Client CA. Do not pin the Thales client certificate.

D1 may rotate its client certificate at any time before expiry without prior notice.

FAQ

Can I use an RSA 2048 client certificate?

No. D1 requires RSA 4096 or ECDSA P-256.

Can I connect to the D1 backend without TLS mutual authentication?

No. TLS mutual authentication is required for all D1 APIs.

Is VPN supported for inbound or outbound connectivity?

No. Use TLS mutual authentication over the public internet for both directions.

For inbound calls, also use OAuth JWT Bearer credentials to authorize access.

Is OAuth supported from the D1 backend to the issuer backend?

Yes, OAuth is supported in both communication way.

What is the validity period of the issuer client certificate?

The issuer client certificate for D1 connectivity is signed by Thales Business PKI. It is valid for 5 years.

How do I renew the issuer client certificate?

Generate a new CSR that follows the Distinguished Name (DN) policy on this page. Send the CSR to the Thales Delivery Team for signing.

前へAPI 変更ポリシー次へOAuth2.0 アクセストークンを取得する

役に立ちましたか?