AlbertEngelB

Reputation: 16436

Verifying Docusign Connect Signature with X509 Certificate

I'm setting up a Docusign Connect listener endpoint to listen in for changes with documents.

I've got the data coming back and being parsed, but now I'm at a point where I want to verify these requests are actually coming from Docusign. Looking at the documentation, I noticed they had an option to sign this information with an X509 certificate.

Personally I've not done much with SSL outside of getting HTTPS set up, so a lot of this has been guesswork. I'm assuming that Docusign will sign their requests with the X509 certificate, which is available here (or at least an X509 certificate of some sort).

I took the above certificate and poked around at it. It appears as though it's in DER format (I checked that here). I've double-checked, and it correctly converts to the PEM format (-----BEGIN CERTIFICATE-----) and I can parse it with X509 libraries / OpenSSL.

How would I go about checking the validity of these requests that will be hitting the server? There are some other posts about this on StackOverflow, but most of them seem focused on signing a request, or aren't very clear about how to set it up. Sorry if I'm unclear, this question isn't worded very well.

Upvotes: 0

Views: 559

Answers (1)

Jeff Kyllo

Reputation: 698

One way people do this is to configure Client Certificate Authentication on their web server. That way it is done before your app is handling the request. This type of method is always available on the connection. For example, Apache is able to do this and IIS should be able to do it.

The option you refer to is for signing the body of a SOAP request given that you have also enabled SOAP. Why would you use this if the TLS connection already allows you to authenticate the client? This is for when the connection is received by some sort of proxy which then forwards the SOAP body onto another server/application for processing. Signing the SOAP body allows that app to properly validate that it came from DocuSign even though it doesn't have access to the TLS connection information.

Upvotes: 2
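The answer above points at client certificate authentication on the TLS connection. The following is an added example (not code from the question, the answer, or DocuSign) that shows what that check amounts to with plain OpenSSL: convert the published DER certificate to PEM as the question describes, pin its SHA-256 fingerprint, and then accept or reject a presented client certificate by comparing fingerprints and by running a chain verification against the pinned certificate. The two certificates are generated on the fly and are constructed stand-ins; `connect.example.test` and `attacker.example.test` are made-up names, and `check_pin` and `verify_chain` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: pinning and verifying the X.509 certificate a client presents
# on a TLS connection, using only the openssl CLI. Nothing here is DocuSign's
# real certificate; both certs are constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed stand-in for the published DocuSign Connect certificate
# (self-signed so the example is self-contained).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -keyout connect.key -out connect.pem \
  -subj "/CN=connect.example.test" >/dev/null 2>&1

# A second, unrelated certificate standing in for a spoofed client.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -keyout other.key -out other.pem \
  -subj "/CN=attacker.example.test" >/dev/null 2>&1

# The question notes the published file is DER. Reproduce that: write DER,
# then convert back to PEM (-----BEGIN CERTIFICATE-----) for the tools below.
openssl x509 -in connect.pem -outform DER -out connect.der
openssl x509 -in connect.der -inform DER -out connect_from_der.pem

# The pin: SHA-256 fingerprint of the published certificate. Store this
# out-of-band (config, secret store), not derived at request time.
PINNED=$(openssl x509 -in connect_from_der.pem -noout -fingerprint -sha256 | cut -d= -f2)

# check_pin FILE: succeed only if FILE's certificate has the pinned fingerprint.
# This is the request-time check: the cert the client presented during the
# TLS handshake is compared byte-for-byte (via its hash) to the published one.
check_pin() {
  presented=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
  [ -n "$presented" ] && [ "$presented" = "$PINNED" ]
}

# verify_chain FILE: the check a web server's client-cert auth performs, with
# the published certificate as the only trust anchor. Also enforces validity
# dates, which a bare fingerprint comparison does not.
verify_chain() {
  openssl verify -CAfile connect_from_der.pem "$1" >/dev/null 2>&1
}

# Stand-alone run: report the outcome for the genuine and the spoofed cert.
for f in connect.pem other.pem; do
  if check_pin "$f" && verify_chain "$f"; then
    echo "$f: accepted"
  else
    echo "$f: rejected"
  fi
done
```

On Apache the same trust anchor is wired in with `SSLVerifyClient require` and `SSLCACertificateFile` pointing at the PEM file, so the handshake fails before the request reaches the application. The fingerprint pin is the stricter of the two checks (it rejects any cert other than the exact published one, including a re-issued one), while `openssl verify` additionally rejects an expired copy; using both is reasonable, but either way the pin must be rotated when DocuSign publishes a new certificate.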
