General information
- Certificates are required for Banking as a Service, PSD2 flows, and Business APIs – Accounts and Payment flows.
- The Business APIs – Accept Payments (Merchant) flow uses the Request Signature mechanism. [More information available here.]
- All certificates must be rotated before their expiration date to ensure uninterrupted integration.
- Certificates are applied individually per developer app, and the timing for enabling a new certificate must be coordinated with our developer support team.
General Requirements for Certificates
- Proper Order: Start with the leaf certificate and end with the root certificate.
- Root Included: Ensure the root certificate is included.
- Proper Format: Certificates must be in X509 ASCII Base64 format.
- Certificate types:
- Self-signed: Self-signed certificates are now accepted in both non-production and production environments.
- CA Issued: Use certificates from reputable CAs such as Comodo, DigiCert, or BuyPass. Let’s Encrypt certificates are not accepted.
- Let’s Encrypt and Cloudflare certificates will not be accepted because they are issued for only 3 months; frequent rotations add extra load to your and our DevOps teams and increase the API failure rate, since the chance of forgetting to rotate a certificate is four times greater.
- Not shared: We strongly recommend not using the same certificate for Prod and Stage; however, please refer to your Company’s security policies. Separation is not a mandatory requirement of ConnectPay.
- DV: If you are ordering a new certificate and do not have any specific requirements, we recommend domain-validated (DV) certificates, as they are the quickest and easiest to obtain.
- SSL QWAC for PSD2: To access the PSD2 Open Banking APIs you, as a TPP, must use an extended eIDAS PSD2 certificate with the proper PSD2 TPP roles.
Self-signed certificate requirements
- CA and TLS client roles cannot be mixed in the same certificate, so two certificates must be generated: a root certificate acting as the self-signed CA, and a leaf certificate signed by that CA and used as the mTLS client certificate.
- The leaf certificate’s validity period must be from 1 to 3 years (365 to 1095 days).
- Private keys must be generated with RSA and have a length of 2048 bits.
- The CNs of the root and leaf certificates must include the Company name.
- Certificates shared with ConnectPay must be in Base64 ASCII format and concatenated into one file forming the certificate chain: leaf certificate at the start of the file, root at the end.
Generating a Self-Signed Certificate
You can generate a self-signed CA and client certificate chain using the following OpenSSL commands. This method is valid for both non-production and production environments if it meets your company’s security standards.
How to generate Self-Signed Certificate
- It is assumed that the user has not modified the default OpenSSL settings.
- Replace MyCompany with your Company’s name.
- Share the client-cert.pem file with ConnectPay.
- Use client.pem and client.key in your service to establish mTLS communication.
- The script is designed for Linux; run all commands in a bash shell.
#!/usr/bin/env bash
# Run in a directory that may hold private keys; keep the *.key files out of version control.
set -euo pipefail

# 1) Generate self-signed CA Root (Private Key and Certificate); the CN must include the company name
openssl genrsa -out ca.key 4096
openssl req -x509 -new -sha256 -days 3650 -key ca.key -out ca.pem \
  -extensions v3_ca -config /etc/ssl/openssl.cnf -subj "/CN=MyCompany Root CA/O=MyCompany" \
  -set_serial 0x$(openssl rand -hex 16)

# 2) Generate client leaf (Private Key and CSR)
openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.csr -subj "/CN=MyCompany-ConnectPay/O=MyCompany"

# 3) Sign the leaf with the CA (750 days stays within the required 365 to 1095 day range)
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key \
  -sha256 -days 750 -out client.pem \
  -extfile /etc/ssl/openssl.cnf -extensions v3_req \
  -set_serial 0x$(openssl rand -hex 16)

# 4) Create chain file (leaf first, then CA); this is the file to share with ConnectPay
cat client.pem ca.pem > client-cert.pem
Note: Ensure your private CA and certificate management processes comply with your organization’s internal security and key rotation policies.
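Added example, not part of ConnectPay's documentation or tooling: a shell check that validates a chain file against the self-signed requirements listed above (order, self-signed root, validity window, RSA key size, company name in both CNs) before it is shared. It assumes a POSIX shell with openssl 1.1.1 or later and GNU date, and it treats the 2048-bit requirement as a minimum, since the script above generates 4096-bit keys.

```shell
# Added example (not ConnectPay's own tooling): check a chain file against the
# self-signed certificate requirements before sharing it.
# Assumes: POSIX sh, openssl 1.1.1+, GNU date; 2048 bits is treated as a minimum.
set -e

fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

# check_chain CHAIN_FILE COMPANY  -> exit status 0 when every requirement is met
check_chain() {
  chain=$1; company=$2; fails=0
  work=$(mktemp -d)
  # Split the bundle into 1.pem, 2.pem, ... in file order (text before the first cert is ignored).
  awk -v d="$work" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/" n ".pem")}' "$chain"
  n=$(ls "$work" | wc -l | tr -d ' ')
  leaf="$work/1.pem"; root="$work/$n.pem"
  [ "$n" -ge 2 ] || fail "expected at least two certificates (leaf and root), found $n"
  # Proper order: the first certificate must be an end-entity certificate (CA:FALSE) ...
  openssl x509 -in "$leaf" -noout -text | grep -q 'CA:FALSE' || fail "first certificate is not a leaf"
  # ... and the last one must be the self-signed root (subject equals issuer).
  subj=$(openssl x509 -in "$root" -noout -subject | cut -d= -f2-)
  iss=$(openssl x509 -in "$root" -noout -issuer | cut -d= -f2-)
  [ "$subj" = "$iss" ] || fail "last certificate is not self-signed"
  # The leaf must actually be signed by that root.
  openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1 || fail "leaf does not verify against the root"
  # Leaf validity must be 1 to 3 years (365 to 1095 days).
  nb=$(date -u -d "$(openssl x509 -in "$leaf" -noout -startdate | cut -d= -f2)" +%s)
  na=$(date -u -d "$(openssl x509 -in "$leaf" -noout -enddate | cut -d= -f2)" +%s)
  days=$(( (na - nb) / 86400 ))
  { [ "$days" -ge 365 ] && [ "$days" -le 1095 ]; } || fail "leaf validity is $days days, expected 365-1095"
  # RSA key of at least 2048 bits.
  text=$(openssl x509 -in "$leaf" -noout -text)
  echo "$text" | grep -q 'Public Key Algorithm: rsaEncryption' || fail "leaf key is not RSA"
  bits=$(echo "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge 2048 ] || fail "leaf RSA key is ${bits:-?} bits, expected at least 2048"
  # Both CNs must include the company name (matched as a basic regular expression).
  for c in "$leaf" "$root"; do
    openssl x509 -in "$c" -noout -subject | grep -q "CN *= *[^,/]*$company" \
      || fail "$(openssl x509 -in "$c" -noout -subject) does not include '$company' in CN"
  done
  rm -rf "$work"
  [ "$fails" -eq 0 ]
}

# Usage: sh check_chain.sh client-cert.pem MyCompany
if [ $# -ge 1 ]; then check_chain "$1" "${2:-MyCompany}"; fi
```

A non-zero exit status with one FAIL line per unmet requirement tells you what to fix before sending the file to developer support.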