Security guidelines
Keep your communications secure with digital certificate validation
You’ll access Canada Post services securely through TLS 1.1 or greater using a digital certificate. To ensure your communications remain secure, we recommend that you familiarize yourself with the following aspects of digital certificate validation.
Digital certificate
A digital certificate is a part of public key infrastructure (PKI). PKI is a system of digital certificates, certificate authorities, and other registration authorities that verify and authenticate - through the use of public key cryptography - the legitimacy of all participants in an electronic transaction. A certificate authority (CA) issues the certificates. Each certificate contains information such as subject, validity dates, issuer, and a public key.
Chain of trust and certificate authorities
Digital certificates are verified using a chain of trust in a certificate hierarchy. In this hierarchy, each certificate is linked to the CA above it in the hierarchy. This process repeats until the certificate of the root CA is reached. The root CA is the trust anchor for the chain.
Avoid pinning
Pinning is when you choose to ignore the chain of trust and only accept a specific certificate for Canada Post, thus “pinning” your trust on that one certificate.
Though the practice may provide a sense of security, it introduces a tight coupling to Canada Post’s certificate at a particular point in time. As Canada Post regularly updates its certificate for various reasons, if a customer has pinned their certificate, a service disruption is unavoidable when Canada Post publishes a new certificate.
The use of SSL pinning is strongly discouraged and will result in service disruptions upon every certificate update. It’s strongly recommended to allow appropriate certificate chain validation to occur at runtime.
Please remove SSL pinning from your application if possible.
Certificate validity
Every certificate is valid only for the time specified in the validity period. During authentication, this validity period is verified.
Certificate revocation list
A certificate authority can revoke a certificate for many reasons, such as a compromise of the certificate’s private key. When a certificate is revoked, all chains under the revoked certificate in the hierarchy are invalidated and aren’t trusted during authentication. Revoked certificates are published by the issuer in a certificate revocation list.
Securing your application
Most application frameworks such as Java or .NET perform certificate validation and revocation checks by default. It’s important to ensure that your application doesn’t disable these checks. It’s also important that the entire chain of trust is validated. In this way, spoofing and man-in-the-middle attacks can be mitigated.
Access through firewall
If firewall access control is used on your end to limit access to external sites, you might have trouble accessing an API endpoint, as our endpoints don’t have fixed IP addresses.
We recommend that you use name-based whitelisting (in other words, whitelist soa-gw.canadapost.ca and ct.soa-gw.canadapost.ca) instead of IP addresses on your firewall. If your firewall doesn’t support name-based whitelisting, then route the requests through a proxy and apply the name-based whitelisting at the proxy.