Apple Pay certificate creation

Payment Processing Certificate

1. Go to the Apple Pay merchant ID management page

2. Click to create the payment certificate

3. Create on computer: CertificateSigningRequest.certSigningRequest file

4. Select the CertificateSigningRequest.certSigningRequest certificate created in the previous step and upload it to Apple Pay

5. Download the payment.cer file from Apple Pay and convert it into the payment_certificate.pem file. This file is the certificate required for decryption.

openssl x509 -inform der -in payment.cer -out payment_certificate.pem

6. Export the paymet.p12 file on the computer and convert it into the payment_privatekey.pem file. This file is the private key required for decryption.

   • Export the paymet.p12 file

     
     
     

   • Retrieve the payment_privatekey.pem file from the applepay.paymet.p12 file

     Shell

     openssl pkcs12 -in applepay.payment.p12 -nocerts -nodes -out payment_privatekey.pem

Merchant Identity Certificate

❗️

Required for Apple Pay on the Web only. This certificate authenticates your merchant session with Apple's servers. The process is similar to the Payment Processing Certificate, with the following key differences:

1. When creating the CertificateSigningRequest, the Key Pair must be set to RSA and 2048 bits.

2. Create this via the button under the Merchant Identity Certificate section in the Apple Pay Merchant ID settings.

3. Download/export the file: Download the merchant.cer file from Apple Pay and convert it into the merchant_certificate.pem file. This file is the certificate required to get the payment-session.

openssl x509 -inform der -in merchant.cer -out merchant_certificate.pem

4. Export the applepay.merchant.p12 file on the computer and convert it into the merchant_privatekey.pem file. This file is the private key required to get the payment-session.

openssl pkcs12 -in applepay.merchant.p12 -nocerts -nodes -out merchant_privatekey.pem

❗️

To ensure that the test and production environments are independent and easier to manage and troubleshoot, it is recommended to create separate merchant IDs and certificates for the sandbox and production environments when integrating Apple Pay. The specific requirements are as follows:

1. Merchant ID and certificate isolation

   • The sandbox environment should use a separate merchant ID and payment certificate for testing transactions.
   • The production environment should use the official merchant ID and payment certificate for real transactions.

2. Domain binding

   • The sandbox merchant ID should only be bound to the test environment domain (e.g., sandbox.example.com).
   • The production merchant ID should only be bound to the production environment domain (e.g., www.example.com).

3. Creation process

   • The process for creating the merchant ID, certificate, and domain verification is identical for both the sandbox and production environments.
   • Simply select the target environment in the Apple Developer console to configure each.

By using two sets of independent configurations, you can effectively avoid test transactions from affecting the production system and simplify certificate updates and troubleshooting.