My team and I have been delving into this SSL verification process for our skill that is hosted outside of AWS. I had a couple of questions regarding the expected flow for verification:
1. We are using an "endpoint that is a sub-domain of a domain that has a wildcard certificate from a certificate authority", how can we verify that our certificate is an Amazon trusted certificate? Our webhook code is hosted under: https://***.cloudfunctions.net/mapp/
2. It appears as though we are able to validate the initial request. However, upon continuing to use our skill our verifier will consider the verification as failed. Would you have any insight as to why this might be? We are comparing a newly sent header signature and request body for each request. The pem cert seems to be unaltered after the first intent.
An overall clarification of the expected flow for this handshake would be much appreciated! We've been jumping around the documentation and several sources to get this implemented according to best practice. We used this implementation as our guide: https://www.dizmo.com/amazon-alexa-signature-verification/
Jess and Team