What has changed
Previously, only CA-issued certificates from approved certificate authorities were accepted for mTLS authentication.
Effective immediately:
- Self-signed certificates are accepted for all Banking-as-a-Service and Business API (Accounts & Payments) flows.
- CA-issued certificates remain supported, but are no longer required.
- Let’s Encrypt and Cloudflare certificates are still not accepted due to short validity periods (3 months) and the higher operational risk of missed rotations.
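As an added illustration, not one of the API Guide's own example commands, the following shell script generates a self-signed client certificate suitable for mTLS and then checks how long it remains valid, so that a certificate as short-lived as the 3-month ones rejected above is caught before it is activated. The subject name, the two-year validity, the 180-day threshold and the scratch directory are assumptions to adapt to your own rotation policy.

```shell
#!/bin/sh
# Added example (not from the API Guide): create a self-signed mTLS client
# certificate and verify its remaining validity against a rotation threshold.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumption: scratch directory for key and cert
SUBJECT="/CN=example-client"         # placeholder subject; use your own client identifier
DAYS=730                             # assumption: two-year validity

# Generate a 4096-bit RSA key and a self-signed certificate in one step.
# The private key never leaves this host; only client.crt is shared.
make_self_signed() {
    openssl req -x509 -newkey rsa:4096 -nodes -sha256 \
        -days "$DAYS" -subj "$SUBJECT" \
        -keyout "$WORKDIR/client.key" -out "$WORKDIR/client.crt" 2>/dev/null
    chmod 600 "$WORKDIR/client.key"
}

# Return 0 if the certificate stays valid for at least MIN_DAYS more days.
# 180 days is an assumed threshold, comfortably above the 90-day lifetimes
# the announcement rejects; adjust it to your own rotation schedule.
cert_valid_for_days() {
    cert="$1"; min_days="${2:-180}"
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null
}

# Print subject, expiry date and SHA-256 fingerprint so the operator can
# record the rotation date and share the fingerprint with support.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -enddate -fingerprint -sha256
}

make_self_signed
cert_summary "$WORKDIR/client.crt"
if cert_valid_for_days "$WORKDIR/client.crt" 180; then
    echo "OK: certificate valid for at least 180 more days"
else
    echo "WARNING: certificate expires within 180 days; schedule rotation first" >&2
fi
```

The `-checkend` test is the piece worth keeping in a pre-activation checklist: run it against whatever certificate is about to be uploaded, and treat a failure as a blocker rather than a warning, since a missed rotation is exactly the operational risk cited above.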
Please note:
This does not affect the Accept Payments (Merchant) API flow, which continues to use the Request Signature mechanism rather than mTLS. Also, the PSD2 API flow will require a certificate issued by a certified authority.
Next steps
All documentation has been updated in the API Guide, including certificate requirements, recommendations, and example commands.
If you wish to switch from a CA-issued certificate to a self-signed certificate, you may do so whenever it is convenient for you.
Please coordinate the activation of new certificates with our support team to avoid downtime.