Manage encryption certificates
This guide outlines the actions that you can take to manage encryption certificates when building a credit card payments app.
Requirements
- You've created a credit card payments app extension.
- You're a Partner organization owner.
Access the encryption certificates dashboard
- Log in to your Partner Dashboard as an organization owner.
- Go to Settings, and navigate to the Partner certificates management section.
- Click Manage Certificates to access the encryption certificates dashboard.
All of the features that are described in the following sections are available from this dashboard.
Create a new encryption certificate
To create a certificate in the Partner Dashboard, you need to create a Certificate Signing Request (CSR) and upload it to your dashboard. Shopify uses this CSR to generate and sign a certificate that you can use in your credit card payments app configuration.
Step 1: Generate a Certificate Signing Request (CSR)
The CSR needs to be generated with the elliptic-curve algorithm.
The <SUBJECT> of the CSR must use the following format: /C=<COUNTRY>/ST=<STATE>/L=<CITY>/O=<ORGANIZATION>/CN=<COMMON_NAME>.
Make sure to replace <COUNTRY>, <STATE>, <CITY>, <ORGANIZATION>, and <COMMON_NAME> with correct values. This allows the Shopify team to identify you as the owner of the certificate. Here is an example: /C=CA/ST=ON/L=Ottawa/O=Shopify/CN=ShopifyPaymentsPartnerPlatform.
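The following is an added example, not a command from the original guide: it generates an elliptic-curve private key and a CSR with the subject format described above, then checks the CSR before upload. The curve (prime256v1), the file names private_key.pem and csr.pem, and the function names are assumptions; confirm the required curve before using the result.

```shell
#!/bin/sh
# Added example: create an EC key and CSR, then verify the CSR locally.
# CURVE and the file names are assumptions, not values from the guide.
set -eu

CURVE="prime256v1"   # assumption: NIST P-256
# The guide's example subject; replace every field with your own values.
SUBJECT="/C=CA/ST=ON/L=Ottawa/O=Shopify/CN=ShopifyPaymentsPartnerPlatform"

# make_csr <dir> <subject>: writes <dir>/private_key.pem and <dir>/csr.pem.
# Runs in a subshell so the restrictive umask does not leak to the caller.
make_csr() (
  umask 077   # the private key must be readable by its owner only
  openssl ecparam -name "$CURVE" -genkey -noout -out "$1/private_key.pem"
  openssl req -new -key "$1/private_key.pem" -subj "$2" -out "$1/csr.pem"
)

# check_csr <csr.pem>: succeeds only if the CSR's self-signature verifies,
# the public key is elliptic-curve on $CURVE, and the subject carries all
# five fields of the required format (C, ST, L, O, CN).
check_csr() (
  csr="$1"
  # Match on the message: older OpenSSL exits 0 even on a verify failure.
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || exit 1
  text=$(openssl req -in "$csr" -noout -text)
  printf '%s\n' "$text" | grep -q "id-ecPublicKey" || exit 1
  printf '%s\n' "$text" | grep -q "ASN1 OID: $CURVE" || exit 1
  # RFC2253 output looks like: subject=CN=...,O=...,L=...,ST=...,C=...
  subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253)
  for field in C ST L O CN; do
    printf '%s\n' ",${subj#subject=}" | grep -q ",$field=" || exit 1
  done
)

# Usage: make_csr . "$SUBJECT" && check_csr ./csr.pem
```

Only csr.pem is uploaded; private_key.pem stays on your side, and its compromise is the case in which the guide requires revocation.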
Step 2: Request an encryption certificate
From the certificate management dashboard, click Create Certificate, and then fill out the form.
Field | Description |
---|---|
Description | Give a short description or name to your certificate. This value is used as a reference to your certificate, so you'll know which certificate you're using when configuring your app. |
CSR | Upload your Certificate Signing Request (CSR). The file must have the .pem extension. |
After you fill out the form, save it.
A confirmation popup appears. Click “Create Partner Certificate” to confirm the request, or “Cancel”.
Step 3: Approve your encryption certificate request
You'll receive an email to confirm that you requested a new certificate in your Partner Dashboard. Check the email address that you use to log in to your Partner Dashboard, and click Approve request.
Step 4: Wait for Shopify’s approval
Shopify will create your certificate, and you'll be redirected to the main page of the encryption certificate dashboard. Certificates created by Shopify are valid for one year. Read the certificate rotation process to make sure that you're ready to update your app with a new certificate before the current one expires.
Download an encryption certificate
After a certificate is created, you can download the certificate in a file.
Go to your certificate management dashboard, and click on the encryption certificate that you want to download. Then, click Download.
After you click Download, an email is sent to you with a link to download the certificate. This link expires after seven days.
Revoke an encryption certificate
You might need to revoke your certificate in case of emergency. For example, you must revoke the certificate if your private key is compromised.
To revoke a certificate, go to the encryption certificate dashboard, and click on the certificate that you want to revoke. Then, click Revoke certificate.
Encryption certificate lifecycle
A certificate can be in one of multiple states during its lifecycle:
State | Description |
---|---|
Waiting for approval | The certificate is in the approval process by the Shopify team. The certificate can't be used. The approval process can take up to two weeks. |
Usable | The certificate can be used in a credit card payments app. |
Revoked | The certificate was revoked through the Partner Dashboard, and can't be used anymore. |
About to expire | The certificate will expire in 30 days or less. |
Expired | The certificate isn't valid anymore and can't be used in any credit card payments app. When a certificate expires, if it's used by an app, then this app won't be able to process payments anymore. Learn how to rotate your certificates. |
Encryption certificate rotation
Since the certificate approval process can take some time, we strongly suggest that you prepare in advance for certificate rotation, and that you always have a backup certificate ready in case of emergency certificate rotation.
To rotate a certificate on a credit card payments app, you need to follow the steps to generate a new certificate. Once the certificate is created, wait for a Shopify team member to approve it. Finally, when the certificate is approved, you can go to your credit card payments app extension configuration and select the new certificate, create a new version and publish that version with the new certificate.
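To prepare for rotation ahead of time, the expiry date of a downloaded certificate can be checked locally. The following is an added example, not part of the original guide: it maps the certificate's expiry onto the date-based lifecycle states above and flags when a replacement should be requested. It assumes the downloaded file is a PEM-encoded X.509 certificate; the function names and the 44-day lead time (the 30-day "About to expire" window plus up to two weeks of approval) are assumptions.

```shell
#!/bin/sh
# Added example: classify a certificate by expiry date and decide when to
# request its replacement. Assumes a PEM-encoded X.509 certificate file.
set -eu

ABOUT_TO_EXPIRE_DAYS=30   # "About to expire" threshold from the lifecycle table
APPROVAL_DAYS=14          # approval "can take up to two weeks"

# expires_within <cert> <days>: true if notAfter falls within <days> from now.
# openssl -checkend exits non-zero when the certificate expires in that window.
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# cert_state <cert>: prints the date-based lifecycle state. Revoked and
# Waiting for approval are dashboard states and can't be read from the file.
cert_state() (
  cert="$1"
  openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo "Unreadable"; exit 2; }
  if expires_within "$cert" 0; then
    echo "Expired"
  elif expires_within "$cert" "$ABOUT_TO_EXPIRE_DAYS"; then
    echo "About to expire"
  else
    echo "Usable"
  fi
)

# replacement_due <cert>: true once the remaining validity no longer covers
# the approval delay plus the "About to expire" window (assumed policy).
replacement_due() {
  expires_within "$1" "$(( ABOUT_TO_EXPIRE_DAYS + APPROVAL_DAYS ))"
}

# Constructed sample input: a self-signed stand-in valid for <days> days,
# written to <dir>/cert.pem. It is not a Shopify-issued certificate.
make_sample_cert() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/key.pem"
  openssl req -x509 -new -key "$1/key.pem" -subj "/CN=constructed-sample" \
    -days "$2" -out "$1/cert.pem"
}

# Usage: cert_state downloaded.pem; replacement_due downloaded.pem && echo "request a new certificate"
```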