mTLS verify always failed

Topic summary

Issue: mTLS (mutual TLS) verification to a Shopify payments app endpoint on an AWS Application Load Balancer consistently fails when using Shopify’s client certificate, while a self-generated client certificate succeeds.

Context:

  • ALB is configured for mTLS. The poster imported the chain certificate from Shopify’s payments documentation into the trust store (saved as ca.pem).
  • Verification fails specifically with Shopify’s certificate; local test client cert works.

Questions/Requests:

  • What exact client certificate chain does Shopify present, and how should it be trusted/validated on the ALB?
  • What does Shopify send to the app during the handshake/request? Is it equivalent to a curl call using a client key/cert (e.g., curl -i -H "Content-type: application/json" --key shopify.key --cert shopify.crt {payment session URL})?
  • Guidance requested on correct CA/chain configuration or expected client cert details.

Status: No resolution yet; awaiting clarification on Shopify’s client certificate chain and request behavior.

Summarized with AI on December 24. AI used: gpt-5.

I have set up mTLS on an AWS load balancer, but when verifying the certificate from Shopify it always fails.
I have created my own certificate to test and it works, but when using the Shopify certificate it always fails.

I use the chain certificate from this documentation: https://shopify.dev/docs/apps/build/payments/considerations
I copied the certificate to the file ca.pem and added it to the trust store.

What should I do?

What does Shopify actually send to the app? Is it something like this?
curl -i -H "Content-type: application/json" --key shopify.key --cert shopify.crt {my shopify paymentapp extension - payment session url}

Thank you.
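A way to check, offline and before touching the ALB, whether a client certificate actually validates against the bundle that went into the trust store. This is an added example, not code from the original post, from Shopify or from AWS: it assumes the `openssl` command-line tool is installed, and it builds a constructed toy PKI (root CA, intermediate CA, client leaf) rather than using Shopify's real chain. The failure mode it demonstrates is the one a trust store is most often missing: a bundle holding only one certificate of a multi-level chain cannot validate a leaf issued by the intermediate, while the same leaf validates against the full chain. Run `chain_check` with the real ca.pem and a captured Shopify client certificate to tell a trust-store gap apart from a problem elsewhere.

```shell
#!/bin/sh
# Added example (not from the post): build a constructed root -> intermediate -> client
# PKI with openssl and show how client verification depends on the trust bundle.
set -eu

# make_pki DIR: create root.pem, int.pem, client.pem (plus keys) and chain.pem under DIR.
make_pki() {
  dir=$1
  mkdir -p "$dir"

  # Root CA: self-signed, marked as a CA (constructed, one-day validity).
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 1 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null

  # Intermediate CA: signed by the root, also marked as a CA.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Intermediate CA" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null

  # Client leaf: signed by the intermediate, restricted to TLS client authentication.
  printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=example-client" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$dir/client.ext" -out "$dir/client.pem" 2>/dev/null

  # Trust bundle: every CA certificate of the chain, concatenated as PEM.
  cat "$dir/int.pem" "$dir/root.pem" > "$dir/chain.pem"
}

# chain_check BUNDLE LEAF: print OK when LEAF chains to a root in BUNDLE and is
# acceptable as a TLS client certificate, FAIL otherwise (reason goes to stderr).
chain_check() {
  if openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo OK
  else
    openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1 || true
    echo FAIL
  fi
}

# describe_leaf LEAF: show who issued the client certificate; compare the issuer
# against the subjects of the certificates that were loaded into the trust store.
describe_leaf() {
  openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Demo run on a temporary directory.
work=$(mktemp -d)
make_pki "$work"
describe_leaf "$work/client.pem"
echo "root only:    $(chain_check "$work/root.pem" "$work/client.pem")"   # FAIL (intermediate missing)
echo "intermediate: $(chain_check "$work/int.pem" "$work/client.pem")"    # FAIL (no trusted root)
echo "full chain:   $(chain_check "$work/chain.pem" "$work/client.pem")"  # OK
rm -rf "$work"
```

The `-purpose sslclient` flag matters: a certificate that chains correctly but lacks a client-authentication extended key usage is rejected by that check as well, which is a separate cause from a missing intermediate. Comparing the `issuer` line printed by `describe_leaf` with the subjects in ca.pem shows immediately whether the bundle even contains the issuing CA.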