Share TLS (SSL) certificate
All server-to-server API communications must use two-way TLS (a.k.a. mTLS, mutual TLS).
Please contact your ConnectPay Account Manager or the Developer Support Team (dev-support@connectpay.com) and share the QWAC certificate of the server that will be communicating with ConnectPay's servers.
The certificate will be added to the API Gateway trust stores and attached to your DevApp configuration. Depending on your solution, you can use the same certificate for multiple DevApps or a separate certificate for each DevApp.
When receiving an API request, we will check:
- That the certificate has not expired - by checking its expiry date.
- That the certificate has not been revoked - by querying the issuer's OCSP service.
- That the Serial Number and Common Name properties of the certificate presented in the request are identical to those of the DevApp-attached certificate.
Requirements/recommendations for certificates:
- Proper order - the certificate file must start with the leaf certificate and end with the root certificate.
- Root included - the certificate file must contain the root certificate.
- Proper format - certificates must be in X.509 ASCII Base64 (PEM) format.
- Issued by a CA - self-signed certificates are not accepted. Use Comodo, DigiCert, BuyPass or a similar CA to order the certificate.
- Let's Encrypt certificates will not be accepted, as they are issued for only 3 months; the frequent rotations add extra load on your and our DevOps teams and increase the API failure rate, since the chance of forgetting to rotate the certificate is 4 times greater.
- Not shared - we strongly recommend not using the same certificate for Prod and Stage. Please refer to your company's security policies, however; separation is not a mandatory ConnectPay requirement.
- DV - if you are ordering a new certificate and do not have any specific requirements, we recommend domain validated (DV) certificates, as they are the quickest and easiest to obtain.
- SSL QWAC for PSD2 - to access the PSD2 Open Banking APIs, you, as a TPP, have to use an extended eIDAS PSD2 certificate with the proper PSD2 TPP roles.