Certificate authentication

Current version: 9.0

Certificate authentication is used for systems going through Commerce Engine (CE) Connect, like the SXA Storefront.

The caller must provide the X-ARR-ClientCert header in the request headers with valid certificate information. The expected certificate information (for example, issuer, thumbprint) is stored in the Commerce Engine config.json file.


We strongly recommend that you secure the Commerce Engine against unauthorized use.

Consider the following security measures to safeguard a production Commerce deployment:

  • Avoid unnecessarily exposing Commerce Engine service endpoints to the public network.

  • Implement IP restrictions to limit the clients that can communicate with the Commerce Engine.

  • Change the certificate on a regular basis, and make sure that you replace the related references in the engine config.json and the Sitecore.Commerce.Engine.Connect.config files.

The following is a sample of the certificate section in the Commerce Engine config.json file:

"Certificates": {
  "Certificates": [
    {
      "Thumbprint": "F1D8349D784BF672B99103C1C204A57556DD263A",
      "Subject": "CN=storefront.engine",
      "IssuerCN": "CN=storefront.engine"
    }
  ]
}

The same thumbprint must be stored in the CE Connect configuration file for the Storefront: c:\inetpub\wwwroot\<storefront>\App_Config\Include\Y.Commerce.Engine\Sitecore.Commerce.Engine.Connect.config.
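A consistency check to run after rotating the certificate, as an added example (not Sitecore code): it confirms that every thumbprint in config.json also appears in the Connect configuration file and flags stale or malformed values. The function names, the sample inputs and the XML element names in the sample are assumptions; the check only scans the Connect file for 40-hex-digit values, so any such value in that file is treated as a thumbprint.

```python
import json
import re

# A SHA-1 thumbprint is 40 hex digits; match it only as a standalone token.
HEX40 = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{40}(?![0-9A-Fa-f])")

# Constructed sample inputs (not real deployment files).
SAMPLE_ENGINE = """{ "Certificates": { "Certificates": [ {
  "Thumbprint": "F1D8349D784BF672B99103C1C204A57556DD263A" } ] } }"""
# The element names below are assumptions; the check does not depend on them.
SAMPLE_CONNECT = """<configuration><sitecore><commerceEngineConfiguration>
  <certificateThumbprint>F1D8349D784BF672B99103C1C204A57556DD263A</certificateThumbprint>
</commerceEngineConfiguration></sitecore></configuration>"""

def engine_thumbprints(config_json_text):
    """Collect every "Thumbprint" string found anywhere in config.json."""
    found = []
    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key == "Thumbprint" and isinstance(value, str):
                    found.append(value)
                else:
                    walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)
    walk(json.loads(config_json_text))
    return found

def check_rotation(config_json_text, connect_config_text):
    """Return a list of problems; an empty list means both files agree."""
    problems = []
    connect = {m.upper() for m in HEX40.findall(connect_config_text)}
    engine = engine_thumbprints(config_json_text)
    if not engine:
        problems.append("config.json: no Thumbprint entry found")
    for value in engine:
        if not re.fullmatch(r"[0-9A-Fa-f]{40}", value):
            # Typical cause: spaces or an invisible character pasted with the value.
            problems.append(f"config.json: malformed thumbprint {value!r}")
        elif value.upper() not in connect:
            problems.append(f"Connect config: {value} not referenced")
    # A thumbprint left only in the Connect file usually means a stale reference.
    for value in sorted(connect - {v.upper() for v in engine}):
        problems.append(f"Connect config: {value} not in config.json")
    return problems

if __name__ == "__main__":
    print(check_rotation(SAMPLE_ENGINE, SAMPLE_CONNECT) or "thumbprints agree")
```

To use it on a deployment, pass the text of the two files named above instead of the sample strings.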
