We are developing a payment app and we understand the requirements below. However, where does the payment app actually upload / provide the signed SSL certificate?
We have reviewed https://shopify.dev/apps/payments#mtls-configuration, however this does not address where / how the certificate is to be uploaded. Any help would be great!
Because mTLS is mutual, the payments app also needs to provide a certificate that Shopify will validate. For this certificate, you need to use a Trusted CA Signed SSL Certificate, and not Shopify’s self-signed CA.
It took me a lot of time trying to do this at code level but could not implement it.
At the end, I was able to configure this at server level using Apache. Below is the configuration.
Implement a set of Apache 2.4 directives, shown below, that require the client to support mutual TLS. They can be applied to specific directories or to all incoming connections. See the Apache 2.4 SSL documentation for more information.
Your web server is now configured to use mutual TLS to require the client (Shopify) to provide its certificate to identify itself. The next step is to use the client’s identity for access control. This example for Apache 2.4 is applied to a specific directory.
<Directory "/payments">
    SSLOptions +StdEnvVars
</Directory>
The above example sets the SSL library to create environment variables with information from the client’s certificate.
I hope this helps.
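As an added example (not the code from the answer above, nor Shopify's own configuration), here is a complete Apache 2.4 virtual host that ties the pieces together: the app's CA-signed server certificate is supplied with SSLCertificateFile / SSLCertificateKeyFile, Shopify's client certificate is verified against the Shopify root CA with SSLCACertificateFile + SSLVerifyClient, and the /payments path exports the client certificate fields as environment variables. The hostname, the file paths (other than the shopify_root_cert.pem path mentioned later in this thread), the backend port and the commented-out CN value are assumptions; replace them with your own.

```apache
# Added example: Apache 2.4 mTLS virtual host for a Shopify payments app.
# All paths, the hostname and the backend address are assumptions.
<VirtualHost *:443>
    ServerName payments.example.com

    SSLEngine on
    # The app's OWN certificate, presented to Shopify: it must be issued by a
    # trusted public CA, not by Shopify's self-signed CA. If the CA gave you an
    # intermediate chain, concatenate it after the leaf in this same file.
    SSLCertificateFile    /etc/apache2/ssl/payments.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/payments.example.com.key

    # Shopify's self-signed root CA (from the Shopify docs), used only to verify
    # the CLIENT certificate that Shopify presents on each request.
    SSLCACertificateFile  /etc/apache2/conf/shopify_root_cert.pem

    # Require a client certificate that chains to the CA above, for the whole
    # vhost. Doing this once at vhost level is safer than per-directory:
    # per-directory SSLVerifyClient relies on TLS renegotiation, which TLS 1.3
    # does not support.
    SSLVerifyClient require
    SSLVerifyDepth  2

    <Location "/payments">
        # Expose SSL_CLIENT_S_DN, SSL_CLIENT_VERIFY, etc. to the app (for
        # logging and any extra access-control checks it wants to do).
        SSLOptions +StdEnvVars +ExportCertData

        # Optional: additionally pin on the expected client certificate subject.
        # The CN below is a placeholder; take the real value from the cert
        # Shopify issues you. Uncomment once you know it.
        # SSLRequire %{SSL_CLIENT_S_DN_CN} eq "PLACEHOLDER-EXPECTED-CN"
    </Location>

    # Hand verified requests to the application (assumed to listen locally on 8080)
    ProxyPreserveHost On
    ProxyPass        /payments http://127.0.0.1:8080/payments
    ProxyPassReverse /payments http://127.0.0.1:8080/payments

    LogLevel ssl:info
    ErrorLog  ${APACHE_LOG_DIR}/payments-error.log
    CustomLog ${APACHE_LOG_DIR}/payments-access.log combined
</VirtualHost>
```

Run `apachectl configtest` before reloading. To confirm the requirement is enforced, connect with `openssl s_client -connect payments.example.com:443` and no client certificate: the handshake (or the first request, depending on version) should be rejected, and the error log at `ssl:info` will show the verification failure; a connection that also passes `-cert`/`-key` for a certificate chaining to the Shopify root CA should succeed.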
@Sushant you use the certificate in https://shopify.dev/apps/payments#shopifys-self-signed-ca as /etc/apache2/conf/shopify_root_cert.pem ?
Please, if you know how to set this configuration on NGINX, let me know.