Written by: Kavalpreet Ganti, Sr. Director, Client Readiness
Security is paramount when it comes to delivering payment services. The Visa Developer Platform (VDP) provides multiple authentication and authorization mechanisms with the goal to ensure maximum security. VDP provides lifecycle management of certificates that is designed to be rich and robust, as an integral part of these authentication and authorization services. This document covers details of certificate renewal capabilities available to our customers’ developers.
What are VDP Certificates?
VDP APIs leverage either Two-Way SSL or X-Pay token to authenticate and authorize connections (check out our blog about Mutual Authentication here). For APIs using Two-Way SSL, we issue certificates & credentials to our clients to establish an authenticated connection. Certificates & credentials are unique for each environment (Sandbox, Certification and Production) & for each application. The duration of the certificates varies by environment – Sandbox certificates are valid for 24 months from creation date while Certification & Production environment certificates are valid for 27 months. Some of these certificates are starting to expire now and renewal is necessary for smooth functioning of your applications.
How do I Renew My Certificates?
The platform makes it easy for developers to renew the certificates issued by Visa. A summary of the renewal process for the three environments is below.
If the certificate for a sandbox application is scheduled to expire, you, the application owner, will get a notification only on the VDP portal dashboard. This notification will be available 120 days prior to certificate expiry. Once you see this notification:
Click on the “Get New Certificate” button, and within a couple of minutes, you’ll have a new certificate & a new set of credentials for your application
Next, include this new certificate in the key-store, use the new credentials for the API calls, and you are good to go.
Alternatively, if you don’t visit the VDP dashboard and the sandbox application certificate expires, you’ll get an access denied error message when you run your application. When you go to the VDP portal dashboard to understand why you received the error message, you will see that your sandbox certificate has expired. In this case, again, click on “Get New Certificates” & follow the steps mentioned above.
Production & Certification Environment
For applications in Production & in Certification environment, the system will send email notifications (in addition to the dashboard notifications), starting 120 days prior to expiry of the certificates. These notifications will be sent at regular intervals (120 days, 90 days, 45 days, 30 days, 15 days and 7 days), until such time that the certificate is renewed. Emails are sent to application owners and to all users who have “full access” to the application. You, as an application owner, can choose to reuse your existing Certificate Signing Request (CSR) or use a new CSR for getting the new certificate.
Once you submit a CSR, it typically takes ~5 business days for us to issue a new certificate. You’ll be notified both through an email and through the VDP dashboard, upon availability of the new certificate. Upon receiving the new certificate, download the certificate from the VDP dashboard and get the new set of credentials. Include the new certificate in the key-store, update the credentials for making the API calls, and you are good to go.
Our recommendation is that you initiate the certification and production environment renewal process as soon as you are notified of an expiring certificate. Please allow a minimum of 15 days to complete the updates. This is to allow enough time for generation of the new certificate, key-store update and credential updates for API calls (the last two steps may add unplanned time, depending upon your organization’s deployment policies). VDP allows applications to have two active certificates & two sets of credentials (for a given environment), at the same time to allow a scheduled deployment of the new credentials. So it’s best you get the new certificate and credentials as soon as possible; you can incorporate these in the key-store and the application, when you are ready to do so.
If you have questions, please email us at email@example.com or post in the community forum. If you have an application in Production or Certification environment, you can work with your local designated Visa contact.