General information
- Certificates are required for Banking as a Service, PSD2 flows, and Business APIs – Accounts and Payment flows.
- The Business APIs – Accept Payments (Merchant) flow uses the Request Signature mechanism. [More information available here.]
- All certificates must be rotated before their expiration date to ensure uninterrupted integration.
- Certificates are applied individually per developer app, and the timing for enabling a new certificate must be coordinated with our developer support team.
Requirements for Certificates
- Proper Order: Start with the leaf certificate and end with the root certificate.
- Root Included: Ensure the root certificate is included.
- Proper Format: Certificates must be in X509 ASCII Base64 format.
- CA Issued: Use certificates from reputable CAs like Comodo, DigiCert, or BuyPass. Self-signed and Let’s Encrypt certificates are not accepted.
- Let’s Encrypt certificates are not accepted because they are issued for only 3 months. Frequent rotations add extra load to your DevOps team and ours and increase the API failure rate: the chance of forgetting to rotate a certificate is four times greater.
- Not shared: We strongly recommend not using the same certificate for Prod and Stage. However, please refer to your company’s security policies. ConnectPay does not require this separation.
- DV: If you are ordering a new certificate and do not have any specific requirements, we recommend domain-validated (DV) certificates, as they are the quickest and easiest to obtain.
- SSL QWAC for PSD2: To access PSD2 Open Banking APIs, you, as a TPP, must use an extended eIDAS PSD2 certificate with the proper PSD2 TPP roles.
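
The ordering, root and format rules above can be checked locally before a chain file is handed over. The following Python is an added example, not ConnectPay code: it reads the PEM blocks in file order and confirms that each certificate's issuer is the subject of the next one and that the last certificate is self-issued. Assumptions: names are compared byte for byte, signatures and expiry are not verified, and the function names and sample certificates (`check_chain`, `sample_cert`, `SAMPLE`) are constructed for illustration.

```python
import base64, re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER (issuer, subject) Names of one X.509 certificate."""
    _, pos, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)              # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                         # optional [0] version field
        pos = end
    names = []
    for field in range(5):                  # serial, sigAlg, issuer, validity, subject
        _, _, end = _tlv(der, pos)
        if field in (2, 4):
            names.append(der[pos:end])
        pos = end
    return names[0], names[1]

def check_chain(pem_text):
    """Return problems with chain order / root presence; an empty list means OK."""
    pairs = [issuer_subject(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    if len(pairs) < 2:
        return ["expected leaf plus chain up to the root, found %d certificate(s)" % len(pairs)]
    problems = []
    if pairs[0][0] == pairs[0][1]:
        problems.append("first certificate is self-issued: leaf must come first")
    for i in range(len(pairs) - 1):
        if pairs[i][0] != pairs[i + 1][1]:
            problems.append("certificate %d is not issued by certificate %d" % (i + 1, i + 2))
    if pairs[-1][0] != pairs[-1][1]:
        problems.append("last certificate is not self-issued: root is missing")
    return problems

def sample_cert(issuer, subject):
    """Constructed stand-in holding only the fields parsed above; not a real certificate."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    tbs = (tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + tlv(0x30, b"")
           + tlv(0x30, issuer.encode()) + tlv(0x30, b"") + tlv(0x30, subject.encode()))
    pem = base64.b64encode(tlv(0x30, tlv(0x30, tbs))).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % pem

# Constructed sample chain in the required order: leaf, intermediate, root.
SAMPLE = [sample_cert(i, s) for i, s in (("Inter CA", "api.example.test"), ("Root CA", "Inter CA"), ("Root CA", "Root CA"))]
```

To check a real file, pass its contents to `check_chain` and expect an empty list.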