Configure Client TLS for Event Subscription
Client TLS allows you to verify that the event subscription message you receive actually came from Adobe Workfront. To enable this functionality, your server must be configured to request and validate Workfront’s X.509 certificate.
Verify Workfront’s client certificate
This procedure assumes your server is configured to accept TLS connections. Workfront does not support self-signed certificates.
In general, these are the steps needed to turn on client authentication for your server:
1. Download the PEM version of the DigiCert Global Root CA certificate.
2. Turn on client certificate verification. Specify the CA certificate from step 1 as trusted.
3. Set the verification depth to 2 since our certificate is actually signed by the DigiCert SHA2 Secure Server CA which is an intermediate CA under DigiCert Global Root CA.
4. Verify the client certificate is actually from Workfront by inspecting its Subject Domain Name.
Examples for Server configuration
NGINX
server {
    listen 443 ssl default_server;
    # ... existing SSL configuration for server authentication ...
    ssl_verify_client on;
    ssl_client_certificate /path/to/DigiCert_Global_Root_CA.pem;
    ssl_verify_depth 2;
    # ... existing location configuration ...
}
For more information, see the NGINX documentation for ngx_http_ssl_module.
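The NGINX configuration above turns on chain validation but contains no check of the certificate subject, the last step of the procedure. The following is an added example, not taken from the Workfront documentation, of one way to perform that check with a map on $ssl_client_s_dn; the variable name $workfront_client_ok, the location path, the file name in the comment and the DN value are placeholders chosen for illustration.

```nginx
# Added example, not from the Workfront documentation.
# "map" must sit in the http {} context, outside any server {} block.
# $ssl_client_s_dn holds the subject DN of the verified client certificate
# as an RFC 2253 string (nginx 1.11.6 and later).
map $ssl_client_s_dn $workfront_client_ok {   # variable name is an assumption
    default 0;
    # PLACEHOLDER: paste the full subject DN of the Workfront client
    # certificate you downloaded, exactly as printed by
    #   openssl x509 -in workfront-client.pem -noout -subject -nameopt RFC2253
    # (without the leading "subject="; the file name is hypothetical).
    # A whole-string match avoids substring tricks with escaped commas.
    "CN=WORKFRONT-CLIENT-CN-PLACEHOLDER,O=PLACEHOLDER,C=XX" 1;
}

server {
    listen 443 ssl default_server;
    # ... existing SSL configuration for server authentication ...

    ssl_verify_client on;
    ssl_client_certificate /path/to/DigiCert_Global_Root_CA.pem;
    ssl_verify_depth 2;

    # Hypothetical path for the event subscription endpoint.
    location /workfront-events {
        # Chain validation alone accepts any certificate issued under the
        # trusted root; reject callers whose subject is not the expected one.
        if ($workfront_client_ok = 0) {
            return 403;
        }
        # ... existing location configuration ...
    }
}
```

Adding $ssl_client_s_dn to the access log format records the subject of each accepted or rejected caller, which helps when the expected DN changes after a certificate renewal.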
Apache
Listen 443
<VirtualHost *:443>
    # ... existing SSL configuration for server authentication ...
    SSLVerifyClient require
    SSLCACertificateFile "/path/to/DigiCert_Global_Root_CA.pem"
    SSLVerifyDepth 2
</VirtualHost>
<Directory /var/www/>
    Require expr "%{SSL_CLIENT_S_DN_CN} == <>"
    # ... existing directory configuration ...
</Directory>
For more information, see
Certificate to Environment Mapping
Download certificates
Click the following links to download the client certificates.