(Note that this page applies only when customers wish to ensure that callbacks from Vibes to their own systems are definitely being made by Vibes. Customers who wish to use client certificates as an additional authentication mechanism when making calls to Vibes APIs should consult Client Certificate Authentication for Vibes APIs instead.)
The Vibes Mobile Engagement Platform is able to make callback requests to third-party systems as event notifications.
When the Vibes platform issues callback requests, it will validate the server's TLS certificate against a common list of public Certificate Authorities.
If a customer wishes to ensure that it is actually the Vibes platform issuing callback requests, and not some other (unauthorized) system, this can be done by validating the Vibes client certificate. At this point, there is only one certificate available for this purpose. The Vibes client certificate has:
OU=Domain Control Validated, CN=catapult-app.vibescm.com
C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
Systems receiving HTTPS callback requests from the Vibes platform must be configured to request client certificates as part of the TLS handshake, and must accept the GoDaddy certificate authority that issued the certificate.
Because there is an intermediate CA certificate as well as the root CA, the system receiving the request must be configured to allow a SSL verification depth of 3 or more. (In nginx, for example, this can be done with the "ssl_verify_depth 3" directive; in apache, similarly, this is done with the "SSLVerifyDepth 3" directive.)
The complete chain of CA certificates (the root CA certificate and all intermediate CA certificates) is attached to this page in PEM format below:
(There is no configuration work that must be done by Vibes to set this up. The Vibes client certificate will be presented in any and all callback requests made to systems that are configured as described above.)