Firebase cloud functions/ hosting ssl pinning

0
votes

My payment gateway requires ssl certificate pinning for their payment gateway endpoint on my side.

Does Firebase support ssl pinning for cloud functions/hosting?

I can't find this information in the official documentation or anywhere else on the net.

Details published in the bank's technical requirements form:

  1. Response URL and Port Number
    Specify the Response URL and Port Number for us to send you payment notification.
  2. SSL Certificate:
    (To establish secure connection with your Response URL.)
    The standard SSL certificate authority are Comodo or Versign.
    Please upload the SSL Certificates for both environments that associate with the UAT and Production URL respectively. SSL certificates can be in format of .cer or .crt or you may zip it in one zip file. Note: Payment notification will fail to reach you if you provide incorrect SSL Certificate.
1
firebasegoogle-cloud-functionsfirebase-hosting
No, they aren't currently supported. Does your payment processor have public docs on their requirements?Michael Bleigh
Thank you for looking into this. There isn't much in the documentation. Edited the answer to reflect what was mentioned in the docs. Any particular item that you are looking for? I can contact the bank and get the information you need perhaps.zulfazli shaharudeen

1 Answers

1
votes

What is described here is a really strange requirement -- it sounds like they're telling you you have to provide them with the specific SSL certificate your site is running.

This is unrealistic for nearly all cases as SSL certificates expire after a year, and particularly unrealistic for Firebase Hosting where certificates only last for three months.

You should be able to download the certificate for your Firebase Hosting site (see e.g. this ServerFault question) and upload it to your bank, but the certificate is going to change approximately every two months.

I'd reach out to your bank and ask them more about this requirement, as it seems bizarre and unduly burdensome. Perhaps they are merely trying to ask for the root certificate in the trust chain? If that's the case, you can provide the Let's Encrypt root certificate and it should be fine for the time being (note: Firebase Hosting does not make a promise of keeping the same certificate authority indefinitely).