Configure Client TLS for Event Subscription

Client TLS allows you to verify that the event subscription message you receive actually came from Adobe Workfront. To enable this functionality, your server must be configured to request and validate Workfront’s x509 certificate.

Verify Workfront’s client certificate

This procedure assumes your server is configured to accept TLS connections. Workfront does not support self-signed certificates.

In general, these are the steps needed to turn on client authentication for your server:

  1. Download the PEM version of the DigiCert Global Root CA certificate.

  2. Turn on client certificate verification.

    Specify the CA certificate from step 1 as trusted.

  3. Set the verification depth to 2 since our certificate is actually signed by the DigiCert SHA2 Secure Server CA which is an intermediate CA under DigiCert Global Root CA.

  4. Verify the client certificate is actually from Workfront by inspecting its Subject Domain Name.

Examples for Server configuration

NGINX

server {

    listen 443 ssl default_server;
    # ... existing SSL configuration for server authentication ...

    ssl_verify_client on;
    ssl_client_certificate /path/to/DigiCert_Global_Root_CA.pem;
    ssl_verify_depth 2;

        # ... existing location configuration ...
    }
}

For more information, see the NGiNX documentation for ngx_http_ssl_module.

Apache

Listen 443
<VirtualHost *:443>
    # ... existing SSL configuration for server authentication ...

    SSLVerifyClient require
    SSLCACertificateFile "/path/to/DigiCert_Global_Root_CA.pem"
    SSLVerifyDepth 2
</VirtualHost>

<Directory /var/www/>
    Require expr "%{SSL_CLIENT_S_DN_CN} == <>"

    # ... existing directory configuration ...
</Directory>

For more information, see

Certificate to Environment Mapping

WF Environment
Certificate Common Name
Certificate Subject (DN)
Production
*.prod.eventsubscriptions.workfront.com
subject= /C=US/ST=Utah/L=Lehi/O=Workfront, Inc./CN=*.prod.eventsubscriptions.workfront.com
Preview
*.preview.eventsubscriptions.workfront.com
subject= /C=US/ST=Utah/L=Lehi/O=Workfront, Inc./CN=*.preview.eventsubscriptions.workfront.com
Sandbox 1
*.sandbox.eventsubscriptions.workfront.com
subject= /C=US/ST=Utah/L=Lehi/O=Workfront, Inc./CN=*.sandbox.eventsubscriptions.workfront.com
Sandbox 2
*.sandbox.eventsubscriptions.workfront.com
subject= /C=US/ST=Utah/L=Lehi/O=Workfront, Inc./CN=*.sandbox.eventsubscriptions.workfront.com

Download certificates

Click the following links to download the client certificates.

NOTE
You can use the same client certificate for both Sandbox environments.
recommendation-more-help
5f00cc6b-2202-40d6-bcd0-3ee0c2316b43