mTLS Configuration for Outbound Integration

We are currently working on integrating an external service that requires mutual TLS (mTLS) authentication. We would like to request your assistance in configuring our Pega Cloud environment to support this setup.

Specifically, we need guidance and support with the following:

  1. Uploading and configuring the client certificate and private key (Keystore) in our environment.
  2. Uploading the server certificate or CA chain to the Truststore.
  3. Associating the Keystore and Truststore with a Connect REST rule for outbound communication.
  4. Verifying that the mTLS handshake is correctly established during runtime.
  5. Any additional configurations or best practices recommended for mTLS in Pega Cloud.

Additionally, we would like to know if Pega Cloud can generate the client certificate and private key on our behalf, or if we are required to generate and provide them ourselves.

We currently have version PEGA 24.2.1.

@mfuentesch

To set up mTLS for outbound integration in Pega Cloud:

  1. Create a keystore with your client certificate and private key, then upload it to Pega under App Studio > Integration > Security.
  2. Create and upload a truststore containing the server’s certificate or CA chain in the same section.
  3. In your Connect REST rule, link the keystore and truststore under the Security tab, and select mTLS as the authentication type.
  4. After setting up, check Pega logs to verify the mTLS handshake is working by looking for any errors related to the certificates.
  5. Best practices include ensuring the private key is protected, monitoring certificate expiry, and only using secure TLS versions.

Note that Pega Cloud doesn’t generate client certificates, so you’ll need to create and provide them yourself.
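The steps in the reply above, carried through locally as an added example (not Pega's code or the answerer's): generate the client key pair that Pega Cloud will not generate for you, pack it as a PKCS12 keystore, keep the partner CA as the truststore, and prove the mutual handshake against a loopback server, including that the same client without its certificate is refused. It assumes `openssl` on the path; every name, port and password is a constructed placeholder.

```shell
#!/bin/sh
# Constructed lab: stand-in CA, partner server cert, client cert packed as a PKCS12 keystore,
# and a loopback mTLS check with openssl s_server/s_client. All names and values are placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"
PORT=18443

# issue NAME CN EKU: CA-signed key and cert for the server (serverAuth) or client (clientAuth).
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\nsubjectAltName=DNS:%s,IP:127.0.0.1\n' "$3" "$2" >"$WORK/$1.ext"
  openssl x509 -req -days 365 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

setup_pki() {
  # The lab CA plays the partner's CA: its certificate is what the truststore holds.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Lab CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  issue server partner.example serverAuth
  issue client pega-client clientAuth
  # Keystore = client certificate + private key (+ chain); the password is a placeholder.
  openssl pkcs12 -export -name pega-client -inkey "$WORK/client.key" -in "$WORK/client.crt" \
    -certfile "$WORK/ca.crt" -passout pass:CHANGE-ME -out "$WORK/client.p12"
}

# Run the partner-side server that requires a client certificate (-Verify), then run "$@".
with_server() {
  openssl s_server -accept "$PORT" -cert "$WORK/server.crt" -key "$WORK/server.key" \
    -CAfile "$WORK/ca.crt" -Verify 1 -www >/dev/null 2>&1 &
  srv=$!; sleep 1
  "$@" && rc=0 || rc=$?
  kill "$srv" 2>/dev/null || true; wait "$srv" 2>/dev/null || true
  return "$rc"
}

# Client side: trust only the truststore CA, abort if the server cert does not chain to it,
# and take the -www server's HTTP 200 as proof that application data flowed after mTLS.
client_get() {
  printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -quiet -connect "127.0.0.1:$PORT" \
    -CAfile "$WORK/ca.crt" -verify_return_error "$@" 2>&1 | grep -q 'HTTP/1.0 200'
}
handshake_ok() { with_server client_get -cert "$WORK/client.crt" -key "$WORK/client.key"; }
# The negative case is the real mTLS proof: the same client without its key pair is rejected.
handshake_without_cert_fails() { ! with_server client_get; }

setup_pki
if handshake_ok; then echo "mTLS handshake OK (keystore $WORK/client.p12, truststore CA $WORK/ca.crt)"
else echo "mTLS handshake FAILED" >&2; exit 1; fi
```

The same `s_client` invocation, pointed at the partner's real endpoint with the uploaded keystore material, is a quick way to confirm the certificates before debugging the Connect REST rule in the Pega logs.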