I have a general question about setting up a Web Services integration using mTLS to hit an on-prem hosted web service. I have reviewed MTLS support for data actions - Genesys Cloud Resource Center, but seem to be missing something.
During the mTLS handshake process, doesn't the on-prem web service present its certificate to Genesys Cloud to verify? I am not understanding what CAs Genesys Cloud supports for this step in verification.
For reference, I am running under the assumption that the steps below are the high-level steps during the mTLS handshake process:
1. ClientHello: Genesys Cloud / data action sends a ClientHello to the on-prem web service
2. ServerHello: the on-prem web service responds with a ServerHello and sends its server certificate
3. Server Certificate Verification: Genesys Cloud verifies the server's certificate
4. Client Certificate Request: the on-prem web service requests the client's mTLS certificate
5. Client Certificate: Genesys Cloud sends its client certificate (which will be signed by the root CA mentioned in the support article)
6. Client Certificate Verification: the on-prem web service verifies the Genesys Cloud certificate (because the on-prem web service has imported the certificate mentioned in the support article and established a trust relationship with the Genesys Root CA)
This being said, I am stuck on step 3. If Cloud is validating the certificate sent by the web service, what CAs is Cloud using to verify against? Isn't the certificate being presented one that the customer is providing, or self-signed?
Thanks for any guidance.
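The post's steps 3 and 6 are two independent trust decisions: each peer checks the other's certificate against its own trust store. The following is an added, simplified model of those two checks (it is not code from the post, from Genesys, or from any real TLS library): a certificate is reduced to a subject/issuer pair, chain building follows issuer links back to a trust anchor, and signature verification, expiry, revocation and hostname matching are left out on purpose. All CA and host names are constructed placeholders; "Vendor mTLS Root CA" stands in for the unnamed root CA from the support article. The scenarios show why step 3 succeeds for a server certificate issued by a CA the client already trusts, and fails for a private-CA or self-signed certificate unless that CA has been added to the client's trust store.

```python
"""Simplified model of the two certificate checks in an mTLS handshake.

Constructed example: no real crypto, only issuer linkage and trust anchors.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # subject of the signing certificate; equals subject when self-signed

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


@dataclass
class TrustStore:
    name: str
    anchors: Dict[str, Cert] = field(default_factory=dict)  # subject -> anchor cert

    def add(self, cert: Cert) -> None:
        self.anchors[cert.subject] = cert


def verify_chain(leaf: Cert, presented: List[Cert], store: TrustStore,
                 max_depth: int = 5) -> Tuple[bool, str]:
    """Walk from `leaf` through the `presented` intermediates until an anchor in
    `store` is reached. Returns (ok, reason). This is the decision a TLS peer makes
    when it receives the other side's Certificate message."""
    by_subject = {c.subject: c for c in presented}
    current = leaf
    for _ in range(max_depth):
        if current.subject in store.anchors:  # pinned leaf, or we reached an anchor
            return True, f"'{current.subject}' is a trusted anchor in {store.name}"
        if current.issuer in store.anchors:
            return True, f"'{current.subject}' chains to anchor '{current.issuer}' in {store.name}"
        if current.self_signed:
            return False, f"self-signed '{current.subject}' is not in {store.name}"
        nxt = by_subject.get(current.issuer)
        if nxt is None:
            return False, f"issuer '{current.issuer}' of '{current.subject}' not presented and not in {store.name}"
        current = nxt
    return False, f"chain exceeds {max_depth} certificates"


# Constructed CAs (placeholders, not real certificates).
PUBLIC_ROOT = Cert("Public Root CA", "Public Root CA")
PUBLIC_INT = Cert("Public Intermediate CA", "Public Root CA")
CUSTOMER_ROOT = Cert("Customer Private Root CA", "Customer Private Root CA")
VENDOR_ROOT = Cert("Vendor mTLS Root CA", "Vendor mTLS Root CA")  # stands in for the article's root CA

SERVER_NAME = "api.onprem.example"  # constructed hostname of the on-prem web service


def server_verification_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Step 3 of the post: the cloud client verifies the on-prem server certificate."""
    cloud_client_store = TrustStore("cloud client trust store")
    cloud_client_store.add(PUBLIC_ROOT)  # assumption: a public root is trusted by default

    cloud_client_store_with_customer_ca = TrustStore("cloud client trust store + customer CA")
    cloud_client_store_with_customer_ca.add(PUBLIC_ROOT)
    cloud_client_store_with_customer_ca.add(CUSTOMER_ROOT)

    return {
        "public-ca": verify_chain(Cert(SERVER_NAME, "Public Intermediate CA"), [PUBLIC_INT],
                                  cloud_client_store),
        "private-ca": verify_chain(Cert(SERVER_NAME, "Customer Private Root CA"), [],
                                   cloud_client_store),
        "self-signed": verify_chain(Cert(SERVER_NAME, SERVER_NAME), [], cloud_client_store),
        "private-ca-trusted": verify_chain(Cert(SERVER_NAME, "Customer Private Root CA"), [],
                                           cloud_client_store_with_customer_ca),
    }


def client_verification_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Step 6 of the post: the on-prem server verifies the cloud client certificate
    against the vendor root it imported."""
    onprem_server_store = TrustStore("on-prem server trust store")
    onprem_server_store.add(VENDOR_ROOT)
    return {
        "vendor-signed": verify_chain(Cert("cloud-data-actions-client", "Vendor mTLS Root CA"), [],
                                      onprem_server_store),
        "unknown-client": verify_chain(Cert("some-other-client", "Some Other CA"), [],
                                       onprem_server_store),
    }


if __name__ == "__main__":
    for label, results in (("step 3", server_verification_scenarios()),
                           ("step 6", client_verification_scenarios())):
        for name, (ok, reason) in results.items():
            print(f"{label} {name:20} {'OK  ' if ok else 'FAIL'} {reason}")
```

The useful takeaway for the question is the asymmetry the model makes visible: step 6 works because the server operator explicitly imported the vendor root, while step 3 depends entirely on what the cloud-side client's trust store contains, so a private-CA or self-signed server certificate only validates if that CA can be added there.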