Apple Pay Certificates


https://register.apple.com/resources/messages/msp-api-tutorial/applepay#integrating-apple-pay


⚠️ VERY IMPORTANT: Certificate Types & Algorithms

Certificate Type                 Algorithm   Key Size
Apple Pay Payment Processing     ECC         256-bit (P-256 / prime256v1)
Apple Pay Merchant Identity      RSA         2048-bit

👉 You need BOTH certificates for Apple Pay:

  • Merchant Identity (RSA) → merchant session validation

  • Payment Processing (ECC) → decrypt & process payments


πŸ” Step 1: Generate Private Key

Run this on any Linux server, WSL, Docker, or Windows (with OpenSSL installed):

openssl genrsa -out merchant_id_private.key 2048

βœ” This file is VERY IMPORTANT
βœ” Do not lose it
βœ” Never upload it to Apple
βœ” Store it securely (e.g. encrypted storage / secrets manager)


🧾 Step 2: Generate the CSR

Now generate the CSR using that private key:

openssl req -new -key merchant_id_private.key -out merchant_id.csr

You’ll be prompted for details.
Use this guidance 👇

Country Name (2 letter code) [AU]: AU
State or Province Name: New South Wales
Locality Name: Sydney
Organization Name: Your Company Pty Ltd   ← must match Apple account
Organizational Unit Name: IT
Common Name: Apple Pay Merchant
Email Address: admin@yourdomain.com

⚠️ Important Notes

  • Organization Name must match what’s in your Apple Developer account

  • Common Name can be anything descriptive

  • Email is optional but recommended

After this, you’ll have:

merchant_id_private.key   ← keep secret
merchant_id.csr           ← upload to Apple

🍎 Step 3: Upload CSR to Apple Developer Portal

  1. Go to Apple Developer → Certificates

  2. Choose the certificate type you’re creating:

    • Apple Pay Payment Processing Certificate

    • or Apple Pay Merchant Identity Certificate

  3. Upload merchant_id.csr

  4. Download the generated .cer file


🔄 Step 4: Convert Apple Certificate to PEM

Apple gives you a DER-encoded .cer file. OpenSSL and most TLS client libraries expect PEM.

Convert it:

openssl x509 -inform der -in merchant_id.cer -out merchant_id.pem


πŸ” Step 1 β€” Generate ECC Private Key (256-bit)

openssl ecparam -name prime256v1 -genkey -noout -out apple_pay_ecc_private.key

βœ” This creates an ECC P-256 key
βœ” This is exactly what Apple expects


🧾 Step 2 β€” Generate the ECC CSR

openssl req -new -key apple_pay_ecc_private.key -out apple_pay_ecc.csr

Use the same org details as before:

Country Name (2 letter code): AU
State or Province Name: New South Wales
Locality Name: Sydney
Organization Name: Your Company Pty Ltd   ← must match Apple account
Organizational Unit Name: IT
Common Name: Apple Pay Payment Processing
Email Address: admin@yourdomain.com

Now you have:

apple_pay_ecc_private.key   ← KEEP SECRET
apple_pay_ecc.csr           ← UPLOAD TO APPLE

🍎 Step 3 β€” Upload to Apple (Correct Certificate Type)

In Apple Developer Portal:

  1. Go to Certificates

  2. Click +

  3. Select:
    👉 Apple Pay Payment Processing Certificate

  4. Upload:
    👉 apple_pay_ecc.csr



🔄 Step 4 — Convert the Downloaded .cer to PEM

After Apple issues the cert:

openssl x509 -inform der -in apple_pay_payment.cer -out apple_pay_payment.pem

Keep files like this:

apple_pay_ecc_private.key   ← private key, never leaves your secrets store
apple_pay_payment.pem       ← certificate issued by Apple (public)

🔒 Permissions (owner read/write only; the same applies to merchant_id_private.key):

chmod 600 apple_pay_ecc_private.key
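The RSA Merchant Identity steps (key, CSR, .cer to PEM) and the ECC Payment Processing steps above are the same procedure with a different key type, so here is one script, added for this page and not taken from Apple’s tutorial, that runs both non-interactively and adds the two checks worth doing in practice: confirming a CSR carries the key type the portal expects before uploading it, and confirming the issued certificate actually belongs to the private key you kept. Subject fields are the page’s placeholders; the self-signed certificate is a constructed stand-in for the one Apple issues, used only so the checks can run offline.

```shell
#!/bin/sh
# Added example (not from the page): scripted key + CSR generation for both Apple Pay
# certificate types, with pre-upload and post-issue sanity checks.
set -eu
umask 077   # every file created below starts out as 0600

SUBJ_BASE="/C=AU/ST=New South Wales/L=Sydney/O=Your Company Pty Ltd/OU=IT"   # O must match the Apple account
EMAIL="admin@yourdomain.com"   # placeholder from the page

# Merchant Identity certificate: RSA 2048
gen_rsa_key() { openssl genrsa -out "$1" 2048 2>/dev/null; }

# Payment Processing certificate: ECC P-256 (prime256v1)
gen_ecc_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# make_csr KEY CSR CN : the interactive prompts from Step 2, answered via -subj
make_csr() {
  openssl req -new -key "$1" -out "$2" -subj "$SUBJ_BASE/CN=$3/emailAddress=$EMAIL"
}

# csr_key_desc CSR : prints "rsa <bits>" or "ec <curve>" so you can check the CSR
# against the certificate type you are about to select in the portal
csr_key_desc() {
  txt=$(openssl req -in "$1" -noout -text)
  if printf '%s\n' "$txt" | grep -q 'rsaEncryption'; then
    bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    printf 'rsa %s\n' "$bits"
  else
    curve=$(printf '%s\n' "$txt" | awk '/ASN1 OID:/ {print $3; exit}')
    printf 'ec %s\n' "$curve"
  fi
}

# der_to_pem CER PEM : Step 4, the DER .cer from the portal to PEM
der_to_pem() { openssl x509 -inform der -in "$1" -out "$2"; }

# key_matches_cert KEY PEM : succeeds only if the certificate's public key was derived
# from KEY. Catches the classic mistake of regenerating the key after the CSR went to Apple.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# selfsign_stub CSR KEY CER : constructed stand-in for the certificate Apple issues, so the
# checks above can be exercised offline. Written as DER, like the portal download.
selfsign_stub() {
  openssl x509 -req -in "$1" -signkey "$2" -days 1 -outform der -out "$3" 2>/dev/null
}

# demo : the full walk-through for both certificate types in a scratch directory
demo() {
  d=$(mktemp -d)
  gen_rsa_key "$d/merchant_id_private.key"
  make_csr "$d/merchant_id_private.key" "$d/merchant_id.csr" "Apple Pay Merchant"
  gen_ecc_key "$d/apple_pay_ecc_private.key"
  make_csr "$d/apple_pay_ecc_private.key" "$d/apple_pay_ecc.csr" "Apple Pay Payment Processing"
  echo "merchant CSR key: $(csr_key_desc "$d/merchant_id.csr")"      # rsa 2048
  echo "payment  CSR key: $(csr_key_desc "$d/apple_pay_ecc.csr")"    # ec prime256v1
  # in real life the .cer comes back from Apple; here we self-sign to have something to check
  selfsign_stub "$d/apple_pay_ecc.csr" "$d/apple_pay_ecc_private.key" "$d/apple_pay_payment.cer"
  der_to_pem "$d/apple_pay_payment.cer" "$d/apple_pay_payment.pem"
  key_matches_cert "$d/apple_pay_ecc_private.key" "$d/apple_pay_payment.pem" && echo "payment key/cert match"
  echo "files in $d"
}
```

Run `demo` after sourcing the script, or call the individual functions against your real files: `csr_key_desc merchant_id.csr` should say `rsa 2048` and `csr_key_desc apple_pay_ecc.csr` should say `ec prime256v1` before anything is uploaded, and `key_matches_cert apple_pay_ecc_private.key apple_pay_payment.pem` should succeed once Apple’s certificate is back. The `umask 077` at the top makes the `chmod 600` step unnecessary for files created by this script.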

🧠 How This Fits Integration

✔ Merchant Session (RSA cert)

Used when your server calls Apple’s merchant validation URL (https://apple-pay-gateway.apple.com/paymentservices/paymentSession). The Merchant Identity certificate and its private key are presented as the TLS client certificate on that request; Apple authenticates your server by it, so the key belongs on your backend, never in the browser.

✔ Payment Processing (ECC cert)

Used to decrypt Apple Pay payment tokens. If your payment provider (Stripe/Adyen/etc.) decrypts them for you, the provider typically supplies the CSR (so it holds the private key) and you upload the certificate Apple issues back to the provider. The ECC key-generation steps above apply when you decrypt tokens yourself.
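As an added example, not part of the page or Apple’s tutorial, this is what the merchant session call looks like from the server side with the RSA certificate in use. The merchant identifier, display name, domain and allowed gateway host are assumptions (the host is the one named above; Apple publishes further regional gateway hostnames you may need to add). The `validationURL` arrives from the browser via Apple’s `onvalidatemerchant` event, so it is attacker-controllable; the script refuses to send your client certificate to any host that is not on the allowlist.

```shell
#!/bin/sh
# Added example (not from the page): merchant validation POST using the Merchant Identity
# cert as the TLS client certificate, with the validationURL host checked first.
set -eu

MERCHANT_ID="merchant.com.example"    # assumption: your Merchant ID from the Apple Developer portal
DISPLAY_NAME="Your Company Pty Ltd"   # assumption: name shown on the payment sheet
DOMAIN="shop.example.com"             # assumption: domain registered for Apple Pay on the Web
CERT_PEM="merchant_id.pem"            # from Step 4 (RSA flow)
KEY_PEM="merchant_id_private.key"     # from Step 1 (RSA flow)

# Only Apple's gateway may receive the request (and therefore our client certificate).
# The host on this page plus any regional gateways Apple lists for your market.
ALLOWED_HOSTS="apple-pay-gateway.apple.com"

# url_host URL : hostname of an https:// URL, empty for anything else
url_host() { printf '%s' "$1" | sed -n 's#^https://\([^/:]*\).*#\1#p'; }

# validation_url_ok URL : exact hostname match against ALLOWED_HOSTS (no suffix or prefix tricks)
validation_url_ok() {
  h=$(url_host "$1")
  [ -n "$h" ] || return 1
  for a in $ALLOWED_HOSTS; do
    [ "$h" = "$a" ] && return 0
  done
  return 1
}

# session_body : JSON payload Apple expects for a merchant session request
session_body() {
  printf '{"merchantIdentifier":"%s","displayName":"%s","initiative":"web","initiativeContext":"%s"}' \
    "$MERCHANT_ID" "$DISPLAY_NAME" "$DOMAIN"
}

# merchant_session URL : POST to the validationURL with mutual TLS; prints Apple's session JSON,
# which your page hands to ApplePaySession.completeMerchantValidation()
merchant_session() {
  validation_url_ok "$1" || { echo "refusing non-Apple validationURL: $1" >&2; return 1; }
  curl --silent --fail \
       --cert "$CERT_PEM" --key "$KEY_PEM" \
       -H 'Content-Type: application/json' \
       --data "$(session_body)" \
       "$1"
}
```

Usage: `merchant_session "$validation_url"` where `$validation_url` is the value relayed from the browser. Note that `--fail` makes curl exit non-zero on a 4xx/5xx from Apple, which is what you want when the certificate has expired or the merchant ID does not match; log it rather than retrying blindly.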