JasonGirard | 2021-01-28 19:27:57 UTC | #1
Currently implementing an API endpoint for our telephony team to perform data access using a Web Services Data Action. While implementing mTLS certificate validation, I've encountered difficulty in accessing the CRL. The provided CA certificate for US East does not include an X509v3 CRL Distribution Points element. A URI for the CRL is provided on https://help.mypurecloud.com/articles/mtls-support-for-data-actions/ (East US: crl.mypurecloud.com), but requests to this received an AccessDenied response. Is any guidance available for accessing the CRL in support of certificate validation?
Jason_Mathison | 2021-01-28 20:00:02 UTC | #2
Hi fellow Jason!
The required CRL information is included in the mTLS certificate that a Data Action request will provide during mTLS/TLS negotiation. At that point your endpoint can do the CRL due diligence. The specific endpoint that you need to access is based on the ID of the certificate, and can change at any time when the client certificate is renewed. While the crl.mypurecloud.com location does not allow a directory listing, it will allow you to download a file if it exists.
Is your endpoint indicating that CRL lookup is failing?
--Jason
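An added example, not part of the original posts and not Genesys code: the CRL check an endpoint can run on the client certificate it receives during the handshake, written in Go against a CA, client certificate and CRL that are constructed in memory. The URL `http://crl.example.test/placeholder.crl`, the serial numbers and the names `checkCRL` and `demo` are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// checkCRL fails closed: the CRL must parse, verify against issuer and be current.
func checkCRL(client, issuer *x509.Certificate, crlDER []byte) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	} else if err = crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	} else if time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL expired at %s", crl.NextUpdate)
	}
	return slices.ContainsFunc(crl.RevokedCertificateEntries, func(e x509.RevocationListEntry) bool {
		return e.SerialNumber.Cmp(client.SerialNumber) == 0
	}), nil
}

// demo issues a constructed client cert with the given serial; the constructed CRL revokes serial 42.
func demo(serial int64) (cdp string, revoked bool, err error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed CA"}, NotBefore: nb,
		NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caT, caT, caPub, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	leafT := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "constructed-client"},
		NotBefore: nb, NotAfter: na, CRLDistributionPoints: []string{"http://crl.example.test/placeholder.crl"}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafT, ca, leafPub, caKey)
	leaf, _ := x509.ParseCertificate(leafDER)
	// In production the CRL bytes come from an HTTP GET of a URL in leaf.CRLDistributionPoints.
	rl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: nb, NextUpdate: na,
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: big.NewInt(42), RevocationTime: nb}}}
	crlDER, _ := x509.CreateRevocationList(rand.Reader, rl, ca, caKey)
	revoked, err = checkCRL(leaf, ca, crlDER)
	return leaf.CRLDistributionPoints[0], revoked, err
}

func main() { fmt.Println(demo(42)) }
```

Because the distribution point is read from the presented certificate on each connection, a renewed client certificate that points at a different CRL file needs no endpoint change.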
JasonGirard | 2021-01-28 20:26:18 UTC | #3
Jason, Thank you for your response and your time. There was a miscommunication on this end that the regional certs were not top-level and were subject to validation via the provided CRL endpoints. This thread may be closed as convenient.
Jason_Mathison | 2021-01-28 20:33:44 UTC | #4
Jason, No worries, I am glad you figured out what is going on. If there is anything we could improve to make it easier to understand, let me know. I want the features that I worked on to be easy to use :slight_smile:
--Jason
system | 2021-02-28 20:33:45 UTC | #5
This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.
This post was migrated from the old Developer Forum.
ref: 9837