Manage encryption certificates
Encryption certificates are used to asymmetrically encrypt credit card data so that only the payments app can read it. This guide outlines the actions that you can take to manage encryption certificates when building a credit card payments app.
Requirements
- You've created a credit card payments app extension.
- You're a Partner organization owner.
Access the encryption certificates dashboard
- Log in to your Partner Dashboard as an organization owner.
- Go to Settings, and navigate to the Partner certificates management section.
- Click Manage Certificates to access the encryption certificates dashboard.
All of the features that are described in the following sections are available from this dashboard.
Create a new encryption certificate
To create a certificate in the Partner Dashboard, you need to create a Certificate Signing Request (CSR), and upload it to your dashboard. Shopify uses this CSR to generate and sign a certificate that you can use in your credit card payments app configuration.
Step 1: Generate a Certificate Signing Request (CSR)
The CSR needs to be generated with the elliptic-curve algorithm:
The CSR also accepts .crt or .cer file extensions.
The subject of the CSR, which is passed using the -subj flag, must use the following format:
Make sure to replace the <COUNTRY>, <STATE>, <CITY>, <ORGANIZATION>, and <COMMON_NAME> with correct values. This allows the Shopify team to identify you as the owner of the certificate.
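The following is an added example, not Shopify's own command: it generates an elliptic-curve key and a CSR with OpenSSL, then checks the CSR locally before it is uploaded. The prime256v1 curve, the file names, and the mapping of the page's placeholders to the C, ST, L, O and CN subject fields are assumptions.

```shell
#!/bin/sh
# Added example: create an EC private key and a CSR, then verify the CSR.
# Curve, file names and subject layout are assumptions, not values from Shopify.

# make_csr <out_dir> <subject>
# e.g. subject "/C=<COUNTRY>/ST=<STATE>/L=<CITY>/O=<ORGANIZATION>/CN=<COMMON_NAME>"
make_csr() {
    out_dir=$1
    subject=$2
    # Create the key in a subshell with a restrictive umask so that the
    # private key file is readable by its owner only.
    ( umask 077
      openssl ecparam -name prime256v1 -genkey -noout \
          -out "$out_dir/private-key.pem" ) || return 1
    # The CSR carries only the public key and is signed with the private key.
    openssl req -new -sha256 -key "$out_dir/private-key.pem" \
        -subj "$subject" -out "$out_dir/csr.pem" || return 1
}

# check_csr <csr_file>
# Succeeds only if the CSR self-signature verifies and the public key is EC.
check_csr() {
    # Match on the message text: the exit status of -verify differs between
    # OpenSSL releases, the "verify OK" text does not.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    openssl req -in "$1" -noout -text 2>/dev/null | grep -q 'id-ecPublicKey'
}

# csr_subject <csr_file>
# Prints the subject in RFC 2253 form so it can be compared before upload.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}

# Stand-alone use: sh make-csr.sh <out_dir> <subject>
if [ "$#" -eq 2 ]; then
    make_csr "$1" "$2" && check_csr "$1/csr.pem" && csr_subject "$1/csr.pem"
fi
```

Only csr.pem is uploaded; private-key.pem stays on the system that decrypts the card data.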
Step 2: Request an encryption certificate
Follow these steps to request an encryption certificate from Shopify.
- From the certificate management dashboard, click Create Certificate, and then fill out the form.
  - In the Description field, add a short description or name to your certificate. This value will be used as a reference to your certificate so you’ll know which certificate you’re using when configuring your app.
  - In the CSR field, click Add CSR and select your CSR file, or drop your file into the upload box. The file must have the .pem, .crt or .cer extensions.
- When the form is filled, click Save. A confirmation modal appears.
- Click Create Encryption Certificate to confirm the request.
Step 3: Approve your encryption certificate request
At the email address that you use to log in to your Partner Dashboard, you'll receive an email to confirm that you requested a new certificate. Inside of the email, click Approve request.
After you approve the request, Shopify creates your certificate, and you're redirected to the main page of the encryption certificate dashboard.
Step 4: Wait for Shopify’s approval
After the certificate is created, its state is set to Waiting for approval. This means that your certificate needs to be reviewed by a Shopify team member.
You won't be able to use the certificate to process payments until the review process is finished. This process can take two weeks or more, so keep this in mind for the certificate rotation process.
Learn more about certificate states.
Certificates created by Shopify are valid for one year. Read the certificate rotation process to make sure that you’re ready to update your app with a new certificate before they expire.
Download an encryption certificate
After a certificate is created, you can download the certificate in a file.
From your certificate management dashboard, click on the encryption certificate that you want to download. Then, click Download.
After you click Download, an email is sent to you with a link to download the certificate. Only certificates approved by Shopify can be downloaded. The download link expires after seven days.
Revoke an encryption certificate
You might need to revoke your certificate in case of emergency. For example, you must revoke the certificate if your private key is compromised.
To revoke a certificate, go to the encryption certificate dashboard, and click on the certificate that you want to revoke. Then, click Revoke certificate.
Rotate an encryption certificate
To rotate a certificate on a credit card payments app, you need to follow the steps to generate a new certificate.
After the certificate is created, wait for a Shopify team member to approve it.
Finally, when the certificate is approved, you can go to your credit card payments app extension configuration and select the new certificate, then release a new app version.
Encryption certificate lifecycle
A certificate can be in one of multiple states during its lifecycle:
State | Description |
---|---|
Waiting for approval | The certificate is in the approval process by the Shopify team. The certificate can’t be used. The approval process can take up to two weeks. |
Usable | The certificate can be used in a credit card payments app. |
Revoked | The certificate was revoked through the Partner Dashboard, and can’t be used anymore. |
About to expire | The certificate will expire in 30 days or less. |
Expired | The certificate isn't valid anymore and can't be used in any credit card payments app. When a certificate expires, if it’s used by an app, then this app won't be able to process payments anymore. Learn how to rotate your certificates. |
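
Because a replacement certificate has to be approved before it can be used, rotation needs to start well ahead of expiry. The following added example (not Shopify's code) classifies a downloaded certificate file by its remaining lifetime with OpenSSL. The output labels, the 45-day lead time in the usage line, and the self-signed sample certificate helper are assumptions of this example, not dashboard states or Shopify values.

```shell
#!/bin/sh
# Added example: decide from a certificate file whether rotation should start.
# Labels and lead time are this script's own, not Partner Dashboard states.

# make_sample_cert <out.pem> <days>
# Constructed self-signed certificate, for demonstration only.
make_sample_cert() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1.key" &&
    openssl req -x509 -new -key "$1.key" -days "$2" \
        -subj "/CN=constructed-sample" -out "$1" >/dev/null 2>&1
}

# rotation_state <cert.pem> <lead_days>
# Prints one of: expired | rotate-now | ok | unreadable
rotation_state() {
    cert=$1
    lead_secs=$(( $2 * 86400 ))
    # A file that does not parse as a certificate must not be reported
    # as expired, so it is rejected first.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo unreadable
        return 2
    fi
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$cert" -noout -checkend "$lead_secs" >/dev/null 2>&1; then
        echo rotate-now
    else
        echo ok
    fi
}

# Stand-alone use: sh rotation-check.sh <cert.pem> 45
if [ "$#" -eq 2 ]; then
    rotation_state "$1" "$2"
fi
```

Choose a lead time longer than the approval period you expect, so that the new certificate is usable before the old one expires.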