---
title: Create an Apple Pay payment processing certificate
description: >-
  Learn how to set up the certificate required for payment processing with Apple
  Pay.
source_url:
  html: >-
    https://shopify.dev/docs/storefronts/mobile/create-apple-payment-processing-certificates
  md: >-
    https://shopify.dev/docs/storefronts/mobile/create-apple-payment-processing-certificates.md
---

ExpandOn this page

* [What you'll learn](https://shopify.dev/docs/storefronts/mobile/create-apple-payment-processing-certificates.md#what-youll-learn)
* [Requirements](https://shopify.dev/docs/storefronts/mobile/create-apple-payment-processing-certificates.md#requirements)
* [Step 1: Create an Apple Pay resource](https://shopify.dev/docs/storefronts/mobile/create-apple-payment-processing-certificates.md#step-1-create-an-apple-pay-resource)
* [Step 2: Retrieve an Apple Pay certificate](https://shopify.dev/docs/storefronts/mobile/create-apple-payment-processing-certificates.md#step-2-retrieve-an-apple-pay-certificate)
* [Step 3: Retrieve a Certificate Signing Request (CSR)](https://shopify.dev/docs/storefronts/mobile/create-apple-payment-processing-certificates.md#step-3-retrieve-a-certificate-signing-request-csr)
* [Step 4: Upload a Certificate Signing Request (CSR) to Apple](https://shopify.dev/docs/storefronts/mobile/create-apple-payment-processing-certificates.md#step-4-upload-a-certificate-signing-request-csr-to-apple)
* [Step 5: Upload the encrypted certificate using the REST Admin API](https://shopify.dev/docs/storefronts/mobile/create-apple-payment-processing-certificates.md#step-5-upload-the-encrypted-certificate-using-the-rest-admin-api)
* [Step 6: (Optional) Activate the certificate](https://shopify.dev/docs/storefronts/mobile/create-apple-payment-processing-certificates.md#step-6-optional-activate-the-certificate)

# Create an Apple Pay payment processing certificate

In this tutorial, you'll create an [Apple Pay payments processing certificate](https://developer.apple.com/help/account/configure-app-capabilities/configure-apple-pay/) that's registered in both your Apple Developer account and the Shopify admin. The certificate allows Shopify to act as a payments processor for iOS Apple payments, which involves decrypting the [`PassKit` payment data](https://developer.apple.com/documentation/passkit) generated after a user authorizes a payment.

If you're familiar with setting up Apple Pay certificates already, then you'll notice some similarities to the process detailed in Apple's docs. However, there are differences in how the certificate is generated. For example, Shopify generates a unique Certificate Signing Request (CSR), rather than you creating one using keychain, and the resulting certificate needs to be uploaded using the REST Admin API.

Note that these certificates expire every 25 months. To prevent interruptions of service, you can configure a backup certificate by repeating the following steps.

***

## What you'll learn

In this tutorial, you'll learn how to do the following tasks:

* Create an `ApplePayCertificate` resource using the [REST Admin API](https://shopify.dev/docs/api/admin-rest/2025-01/resources/applepaycertificate).
* Wait for the certificate to transition from `"issuing"` into `"csr"` status.
* Retrieve the `base64` encoded Certificate Signing Request (CSR).
* Decode the certificate and upload to Apple for encryption.
* Download the encrypted version of the certificate from Apple.
* Encode the encrypted version and upload it to Shopify using the REST Admin API.
* Activate the certificate (optional).

***

## Requirements

* Your app has the `write_mobile_payments` and `read_mobile_payments` access scopes. These scopes need to be enabled for your app before you can upload Apple Pay certificates. [Request access to these scopes](https://www.appsheet.com/start/1ff317b6-2da1-4f39-b041-c01cfada6098) and ensure they're added to your Admin API access token.

  ![Admin API access scopes interface showing write\_mobile\_payments and read\_mobile\_payments scopes](https://shopify.dev/assets/assets/images/custom-storefronts/checkout-sheet-kit/apple-pay-required-access-scopes-BgAw3REO.png)

* You need to set up the following environment variables before you can run scripts. Paste the following code in your terminal, and replace the values in angled brackets. Refer to the table that follows the code for the correct values.

## Set up environment variables

```terminal
ADMIN_API_ACCESS_TOKEN="<ADMIN_API_ACCESS_TOKEN>" \
STOREFRONT_DOMAIN="<SHOP_DOMAIN>" \
API_VERSION="2025-01" \
MERCHANT_ID="<APP_BUNDLE_ID>"
```

| Variable | Description | Read-only? |
| - | - | - |
| `STOREFRONT_DOMAIN` | The domain of your store without trailing `/`. For example, `https://your-store.myshopify.com`. | No |
| `MERCHANT_ID` | A unique identifier for Apple to identify your business as a merchant able to accept payments. Located within your Xcode project under **Signing & Capabilities** > **Apple Pay** > **Merchant IDs**. If this isn't setup yet, then you can [create one](https://developer.apple.com/documentation/applepaywebmerchantregistrationapi/registering-with-apple-pay-and-applying-to-use-the-api). | No |
| `API_VERSION` | Version of the REST Admin API to target. Refer to: [REST Admin API reference](https://shopify.dev/docs/api/admin-rest). | No |
| `ADMIN_API_ACCESS_TOKEN` | Located within the store settings: **Settings** > **Apps & Sales Channels** > **Develop Apps** > **API Credentials** > **Admin API access token**. Only store admins can access this value.![Storefront Admin UI](https://shopify.dev/assets/assets/images/custom-storefronts/checkout-sheet-kit/admin-access-token-interface-DoMHJ4Tj.png) | Yes |

***

## Step 1: Create an Apple Pay resource

To begin, you need to generate a new certificate resource, because the certificate won't be immediately available. The response should indicate it's `issuing`. In this step, you'll check whether the certificate has finished issuing so that you can retrieve the Certificate Signing Request (CSR).

## Create an Apple Pay resource

## POST - $STOREFRONT\_DOMAIN/admin/api/$API\_VERSION/apple\_pay\_certificates.json

```terminal
APPLE_PAY_CERTIFICATE_ID=$(curl --request POST "$STOREFRONT_DOMAIN/admin/api/$API_VERSION/apple_pay_certificates.json" \
--header "X-Shopify-Access-Token: $ADMIN_API_ACCESS_TOKEN" \
| jq .apple_pay_certificate.id);


echo "APPLE_PAY_CERTIFICATE_ID =" $APPLE_PAY_CERTIFICATE_ID
```

## Output

```text
APPLE_PAY_CERTIFICATE_ID = 1234
```

***

## Step 2: Retrieve an Apple Pay certificate

You can check on the progress of the certificate creation with the following `GET` request.

If the response shows `"status":"csr"`, then you can move on to the next step.

## Retrieve an Apple Pay certificate

## GET - $STOREFRONT\_DOMAIN/admin/api/$API\_VERSION/apple\_pay\_certificates/$APPLE\_PAY\_CERTIFICATE\_ID.json

```shell
curl "$STOREFRONT_DOMAIN/admin/api/$API_VERSION/apple_pay_certificates/$APPLE_PAY_CERTIFICATE_ID.json" \
--header "X-Shopify-Access-Token: $ADMIN_API_ACCESS_TOKEN" \
| jq .
```

## Output

```json
{
  "apple_pay_certificate": {
    "id": 1234,
    "status": "csr",
    "merchant_id": null
  }
}
```

***

## Step 3: Retrieve a Certificate Signing Request (CSR)

In this step, you'll do the following work to manipulate the data:

* Add new line escape sequences to escape with `tr`.
* Extract the JSON data with `jq`.
* Decode the data from `base64` and save it to the `apple_payment_processing.csr` file. This is the file that you'll later upload to Apple.

## Retrieve a Certificate Signing Request (CSR)

## GET - $STOREFRONT\_DOMAIN/admin/api/$API\_VERSION/apple\_pay\_certificates/$APPLE\_PAY\_CERTIFICATE\_ID/csr.json

```shell
curl "$STOREFRONT_DOMAIN/admin/api/$API_VERSION/apple_pay_certificates/$APPLE_PAY_CERTIFICATE_ID/csr.json" \
--header "X-Shopify-Access-Token: $ADMIN_API_ACCESS_TOKEN" \
| tr -d \\n \
| jq -r .csr.key \
| openssl base64 -a -d -out apple_payment_processing.csr;


command cat apple_payment_processing.csr
```

## Output

```csr
-----BEGIN CERTIFICATE REQUEST-----
MIIBQtcb6AIBADCBhTELMAkGA1UEBhMCQ0ExCzAJBgNVBAgTAk9OMQ8wDQYDVQQH
EwZPdHRhD2eXedaobGNVBAoMB1Nob3BpZnkxETAPBgNVBAsMCFBheW1lbnRzMRAw
DgYDVQQDDAdTaG9waWz5mseWhWyjkOzIhvcNAQkBDBJhZG1pbnNAc2hvcGlmeS5j
b20wWTATBgcqhkjOPQIBBggqhkjOPQMbbWncaas7Zyut/WMsHOERhUXNigv5X0Jk
VvIxuAriMxOIkNhPASsTbjxZGsLmqyv5Td+WrxJ45HeQraashdfgahgiauvCoAAw
CgYIKoZIzj0EAwIDSAAwRQIhAK1lbDqq/VNQbSQqCtLgClZmR/98vjsVhoh2ZwKE
13gLAiB2Pn6eKA1V2XZ+0wxoTpyzBrBeTaoABYiJnbqmTWWG3Q==
-----END CERTIFICATE REQUEST-----
```

***

## Step 4: Upload a Certificate Signing Request (CSR) to Apple

Complete the following steps:

1. Log in to your [Apple Developer account](https://developer.apple.com/account).
2. Under [Certificates, Identifiers & Profiles](https://developer.apple.com/account/resources/certificates/list), click the "+" button to [create a new certificate](https://developer.apple.com/account/resources/certificates/add).
3. Select the checkbox for **Apple Pay Payment Processing Certificate**.\
   If this is the first certificate you're creating, then you'll be redirected to the creation page, otherwise you might encounter the following page. The **Apple Pay Payment Processing Certificate** section is the only area you need to focus on. The other sections are for setup on the web.

Caution

Make sure you don't create the certificate under **Apple Pay Merchant Identity Certificate**, which is only used for Apple Pay on the web. Refer to [Configure Apple Pay capabilities](https://developer.apple.com/help/account/configure-app-capabilities/configure-apple-pay/) for more information.

![Apple Developer Portal](https://shopify.dev/assets/assets/images/custom-storefronts/checkout-sheet-kit/apple-developer-docs-7OIYobbc.png)

1. Select **Create Certificate** and upload the `apple_payment_processing.csr` file from the previous step in the form.

2. Download the encrypted version of the certificate. The filename is `apple_pay.cer`.

3. Store the file somewhere securely because you'll upload this file in the next step using the REST Admin API.

![Apple Developer Portal](https://shopify.dev/assets/assets/images/custom-storefronts/checkout-sheet-kit/download-apple-certificate-CUdf2Zat.png)

Note

If this is the second certificate you created, then leave this page open because you'll be returning to it to activate the certificate after it's uploaded.

***

## Step 5: Upload the encrypted certificate using the REST Admin API

After reading the file into a variable, you can upload it to the REST Admin API with the following commands:

## Upload encrypted certificate using the REST Admin API

## PUT - $STOREFRONT\_DOMAIN/admin/api/$API\_VERSION/apple\_pay\_certificates/$APPLE\_PAY\_CERTIFICATE\_ID.json

```shell
ENCRYPTED_CERTIFICATE="$(openssl base64 -a -A -e -in apple_pay.cer)";


curl --request PUT "$STOREFRONT_DOMAIN/admin/api/$API_VERSION/apple_pay_certificates/$APPLE_PAY_CERTIFICATE_ID.json" \
--header "X-Shopify-Access-Token: $ADMIN_API_ACCESS_TOKEN" \
--header "Content-Type: application/json" \
--data "{
    \"apple_pay_certificate\": {
        \"id\": \"$APPLE_PAY_CERTIFICATE_ID\",
        \"status\": \"completed\",
        \"merchant_id\": \"$MERCHANT_ID\",
        \"encoded_signed_certificate\": \"$ENCRYPTED_CERTIFICATE\"
    }
}" \
| jq .
```

## Output

```json
{
    "apple_pay_certificate": {
        "id": 1234,
        "status": "completed",
        "merchant_id": "<MERCHANT_ID>"
    }
}
```

***

## Step 6: (Optional) Activate the certificate

This step isn't necessary if you're only creating your first certificate, because it defaults to `active`. Only subsequent certificates that you create start as `inactive` until explicitly activated. This prevents interruptions of service if your application is in production.

1. Return to the page where the certificate was downloaded from Apple. The URL is: `https://developer.apple.com/account/resources/certificates/download/<CERTIFICATE_ID>`.

2. Activate the certificate. The modal popup warns that this should only be performed if this certificate has been setup for payment processing, so unless you missed steps above you can select to activate again.

Caution

If your app is already in production, then make sure you've completed the prior steps of uploading the encrypted certificate to Shopify. Failure to do so might cause service interruptions if your store is already live and processing Apple Pay transactions.

![Activate Certificate Modal](https://shopify.dev/assets/assets/images/custom-storefronts/checkout-sheet-kit/activate-certificate-modal-Cyb2aGv8.png)

***

* [What you'll learn](https://shopify.dev/docs/storefronts/mobile/create-apple-payment-processing-certificates.md#what-youll-learn)
* [Requirements](https://shopify.dev/docs/storefronts/mobile/create-apple-payment-processing-certificates.md#requirements)
* [Step 1: Create an Apple Pay resource](https://shopify.dev/docs/storefronts/mobile/create-apple-payment-processing-certificates.md#step-1-create-an-apple-pay-resource)
* [Step 2: Retrieve an Apple Pay certificate](https://shopify.dev/docs/storefronts/mobile/create-apple-payment-processing-certificates.md#step-2-retrieve-an-apple-pay-certificate)
* [Step 3: Retrieve a Certificate Signing Request (CSR)](https://shopify.dev/docs/storefronts/mobile/create-apple-payment-processing-certificates.md#step-3-retrieve-a-certificate-signing-request-csr)
* [Step 4: Upload a Certificate Signing Request (CSR) to Apple](https://shopify.dev/docs/storefronts/mobile/create-apple-payment-processing-certificates.md#step-4-upload-a-certificate-signing-request-csr-to-apple)
* [Step 5: Upload the encrypted certificate using the REST Admin API](https://shopify.dev/docs/storefronts/mobile/create-apple-payment-processing-certificates.md#step-5-upload-the-encrypted-certificate-using-the-rest-admin-api)
* [Step 6: (Optional) Activate the certificate](https://shopify.dev/docs/storefronts/mobile/create-apple-payment-processing-certificates.md#step-6-optional-activate-the-certificate)