
Docusign webhooks SignMessageWithX509Cert mTLS


Trying out mutual TLS in a demo account and trying to understand how the validations work. We are using eventNotifications with the signMessageWithX509Cert property set to true. However, we have no clue if it is working, as DocuSign gives no information about it.

Questions:


Solution

  • Re:

    Q. Is mTLS enabled/possible for demo accounts?

    A. Yes, it is enabled by default.

    Q. If I have signMessageWithX509Cert=true and have no mTLS in my listener, all requests pass either way?

    A. Yes. The signMessageWithX509Cert merely enables Mutual TLS. Mutual TLS is always, only, initiated by the server (your listener) requesting the client's (DocuSign's) certificate. If your listener doesn't initiate mTLS then it won't happen.

    Q. DocuSign does no validation? I'm receiving all events either way and no error is thrown by DocuSign.

    A. Mutual TLS is initiated and authenticated by your listener. Any mTLS errors/validation are received/checked by your listener. If you enable mTLS on DocuSign and do not do any mTLS checks on your listener then you should expect that you will receive all webhook notifications.

    Q. How can we know mTLS worked from Docusign logs in Connect console?

    A. You can't. DocuSign (the client) has no way to determine if your listener has accepted DocuSign's certificate via the mTLS protocol. Mutual TLS is controlled/managed/implemented by the server (your listener). As part of an mTLS protocol exchange, DocuSign will respond to your server's mTLS request as best it can. Then your server determines if DocuSign's mTLS response is an error or not.

    Recommended

    Read my blog post "Mutual TLS: Stuff you should know" for more information. And check out the Developer Center's documents too.

    Mutual TLS enables your listener to check that the client really is DocuSign. Your listener must initiate mTLS and validate/accept the response.
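As an added illustration (not code from the answer, the asker, or DocuSign), a minimal Python listener that shows both sides of the point above: a server context that never asks for a client certificate lets every sender through, while `CERT_REQUIRED` plus a trusted CA bundle is what actually initiates mTLS and rejects unverifiable clients during the handshake. The CA bundle path, the expected `organizationName`, and the sample certificate dict are placeholders constructed for this example.

```python
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholder: take the real value from the client certificate DocuSign
# publishes for your environment, not from this example.
EXPECTED_CLIENT_ORG = "EXPECTED-ORG-PLACEHOLDER"


def build_listener_context(cafile=None, require_client_cert=True):
    """Server-side TLS context for a Connect listener.

    require_client_cert=False mimics a listener that never requests a
    certificate: the handshake succeeds for any sender, which is why all
    events arrive even with signMessageWithX509Cert=true. With True the
    server requests the client certificate and verifies its chain against
    the trust anchors in `cafile`; an unverifiable client fails the handshake.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if require_client_cert:
        ctx.verify_mode = ssl.CERT_REQUIRED      # the server initiates mTLS
        if cafile:
            ctx.load_verify_locations(cafile=cafile)  # e.g. DocuSign's CA bundle
    else:
        ctx.verify_mode = ssl.CERT_NONE          # default: no client cert requested
    return ctx


def peer_is_expected_client(peercert):
    """Application-level check after chain validation: inspect the subject of
    the presented certificate. `peercert` is SSLSocket.getpeercert() output;
    it is None or {} when no verified certificate was presented."""
    if not peercert:
        return False
    subject = {k: v for rdn in peercert.get("subject", ()) for k, v in rdn}
    return subject.get("organizationName") == EXPECTED_CLIENT_ORG


class ConnectHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        if not peer_is_expected_client(self.connection.getpeercert()):
            self.send_error(403, "client certificate not accepted")
            return
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        # process the Connect event payload in `body` here
        self.send_response(200)
        self.end_headers()


# Constructed sample of getpeercert() output, not a real DocuSign certificate.
SAMPLE_PEERCERT = {"subject": ((("countryName", "US"),),
                               (("organizationName", EXPECTED_CLIENT_ORG),),
                               (("commonName", "connect.example"),))}

if __name__ == "__main__":
    server = HTTPServer(("0.0.0.0", 8443), ConnectHandler)
    ctx = build_listener_context(cafile="docusign-ca-bundle.pem")  # placeholder path
    server.socket = ctx.wrap_socket(server.socket, server_side=True)
    server.serve_forever()
```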