  • Alex James

Why and How to Install the Complete SSL Certificate Chain on Your Boomi Shared Web Server

APIs: The Core of Modern Integration Solutions


APIs are an integral part of integration. APIs can be used by both internal and external applications. External APIs are public and are used by applications outside the organization.

The Boomi Shared Web Server enables integration processes to be exposed as APIs for client applications.


Securing APIs with HTTPS


External APIs are secured by HTTPS using SSL certificates. When a client application sends a request to a Boomi API endpoint, the Boomi Shared Web Server responds by sending the SSL certificate configured on it.

The client application validates the SSL certificate against the list of trusted CAs maintained in its certificate store. When SSL verification is successful, the authenticity of the server is confirmed, and a secure, encrypted connection is established.


Configure SSL Certificate in Boomi Shared Web Server


An SSL certificate is usually a sequence of certificates, from the end-entity certificate through the intermediate certificates to the root certificate, and is also known as a certificate chain. The end-entity or leaf certificate usually identifies a particular domain.


If you use a local Boomi runtime, you set up the SSL configuration in the Shared Web Server. You usually receive your SSL cert chain from your network/security team as a pfx file, which you import as a certificate component in Boomi and then bind to a specific SSL port in your Shared Web Server. Very often, even though the pfx file has all the certificates of the chain bundled in it, the Boomi certificate component imports just the leaf certificate and drops all the other certificates in the certificate path.


If your certificate component doesn’t have the full trust chain, the Boomi Shared Web Server will present only the leaf certificate to the client application, resulting in SSL verification failure.


To avoid SSL verification failure at the client side, you need to repackage your certificate component with the complete trust chain.


Please refer to this article on how to repackage your pfx file with the correct trust chain.


For demonstration purposes, I have used Boomi’s public Wildcard certificate. However, the pfx file which is installed in the Shared Web Server has both the public cert and the private key.


The Boomi cert below has five certs in its chain from leaf to root.



When the same cert is imported as a certificate component in the Boomi platform, only the leaf certificate is imported and the full path is not imported, as shown below.



When the same Boomi Wildcard certificate is repackaged and imported, it comes with the full chain.
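
To confirm from the client side which of the two cases a server is in, you can inspect the chain it actually presents. The following is an added example, not part of the original post or of Boomi's tooling: it parses the "Certificate chain" section printed by `openssl s_client -connect <host>:<port> -showcerts` and reports whether the presented certificates link up to a trusted root. The sample output, the certificate names and the trusted-root set are constructed assumptions, and the check compares names only; it does not verify signatures.

```python
import re

# Constructed samples of the "Certificate chain" section printed by
# `openssl s_client -connect <host>:<port> -showcerts`; all names are made up.
LEAF_ONLY = """Certificate chain
 0 s:CN = *.example.test
   i:CN = Example Issuing CA
---
"""
FULL_CHAIN = """Certificate chain
 0 s:CN = *.example.test
   i:CN = Example Issuing CA
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
---
"""
# Assumption: subject names of the roots in the client's trust store.
TRUSTED_ROOTS = {"CN = Example Root CA"}

# One "N s:<subject>" line followed directly by its "i:<issuer>" line.
PAIR = re.compile(r"^[ \t]*\d+ s:(.*)\n[ \t]+i:(.*)$", re.M)

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(s.strip(), i.strip()) for s, i in PAIR.findall(text)]

def check_chain(text, trusted_roots=TRUSTED_ROOTS):
    """Classify the presented chain by name linkage (no signature checks)."""
    chain = parse_chain(text)
    if not chain:
        return ("no-certificates", None)
    # Every certificate must be issued by the one sent right after it.
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return ("broken-order", issuer)
    last_subject, last_issuer = chain[-1]
    # The root itself may be omitted: the client already holds it.
    if last_subject in trusted_roots or last_issuer in trusted_roots:
        return ("complete", None)
    # Nothing presented links to a trusted root: an intermediate is missing.
    return ("incomplete", last_issuer)

if __name__ == "__main__":
    for name, sample in (("leaf only", LEAF_ONLY), ("full chain", FULL_CHAIN)):
        print(name, check_chain(sample))
```

An `incomplete` result names the issuer the server failed to send, which is the certificate that has to be present in the repackaged pfx file.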



SaaS applications such as Shopify verify SSL certificates when delivering webhook payloads to subscriber endpoints. If SSL certificates are not installed with the full chain, the webhook event data will NOT be delivered.


If you use a local Boomi runtime, configuring the full chain will ensure hassle-free, seamless integration with your client applications.


Should you have anything more to add, please write in the comments.
