API Certificate
API Certificate Definition
An API certificate is used to identify merchants, which contains information such as merchant ID, and the serial number and validity period of the certificate.
This certificate should be issued by the Certificate Authority (CA) to prevent forging and tampering.
API Certificate Types
Depending on the type of the CA, there are two types of API certificates:
1.API certificates issued by WeChat Pay: The certificate and secret files can be directly downloaded from the Merchant Platform
2.API certificates issued by CA: An API certificate is obtained by downloading the certificate tool to generate the certificate
request string and submitting the request string to the Merchant Platform. The secret file can only be exported with the certificate tool. Download a CA certificate:
For Windows: Download
For MAC:Download
API Certificate Application
An API certificate is required for WeChat Pay APIs with a higher level of security (such as Refund, Company Red Packet, and Company Payment).
API Certificate Acquisition
Only the super administrator of the Merchant ID can get an API certificate.
Path: Merchant Platform > "Account Center" > "Account Setting" > "API Security"
Here are the detailed steps::
1.The appearance of the following page indicates that your CA certificate is "WeChat Pay issued". Click "Download" and operate as instructed.
2.The appearance of the following page indicates that your CA certificate is "CA issued". Click "Request Certificate" to apply for a certificate by following the instructions below.
2.1 Step 1 In "Merchant Platform" > "Submit request string", click "Download Certificate Tool".
Step 2 Download and open the file "WXCertUtil".
Step 3 Go to "Certificate Tool", click "Request Certificate", as shown below:
2.2 In "Certificate Tool" > "Enter merchant info", enter the merchant ID and the merchant name, click "Next" to view the merchant ID and the merchant name on the "Merchant Platform"
2.3 Step 1 In "Certificate Tool" > "Copy request string", click "Copy".
Step 2 n "Merchant Platform" > "Submit request string", paste the request string you copied into the input box.
Step 3 Enter the "SMS Code" and "Login password".
Step 4 Click "Next" to go to "Merchant Platform" > "Copy certificate string".
2.4 Step 1 In "Merchant Platform" > "Copy certificate string", click "Copy"
Step 2 In "Certificate Tool" > "Copy request string", click "Next" to go to "Paste certificate string".
Step 3 In "Certificate Tool" > "Copy certificate string", click "Paste".
Step 4 Click "Next" to go to "Certificate Tool" > "Generate certificate".
2.5 In "Certificate Tool" > "Generate certificate", the certificate request is successful. Click "View folder" to check the generated certificate file.
2.6Transfer the generated certificate file to the developer to deploy the certificate onto the server.
Note: Please properly keep the certificate and the secret, because the secret file can only be exported through the certificate tool. The secret cannot be retrieved once lost.
API Certificate Renew
The merchant API certificate is valid for 1 year by default, which, after expiration, must be renewed by the merchant to resume the use of the platform APIs.
How to renew: :
1.Log in to the Merchant Platform Log in
2.The certificate is about to expire: The Merchant Platform will notify the merchant of the renewal via SMS message, email, and Official Account message 60 days before the certificate expires.
Renew:
2.1 Path: Merchant Platform > "Account Center" > "API Security"
2.2 Click "Renewal" on the page as instructed to renew the certificate for another year. See the image below:
2.3 Any certificate that has been used for 5 years cannot be renewed. "Change" the certificate as instructed on the page.
3.The certificate has expired:If the original certificate has expired (which is not renewed within the renewal period), the merchant will be notified of the expiration via SMS message, email, and Official Account message on the expiration date.
3.1 Path: Merchant Platform > "Account Center" > "API Security"
3.2 The merchant can "Upgrade" the certificate for another year within one month of expiration.
3.3 The merchant can only "Change" the certificate after one month of expiration. The new certificate is valid for one year.
4. The operating certificate is not installed:
If you have not installed an operating certificate, install one first. After the certificate is installed, go to "Account Setting" > "API Security" to complete the certificate renewal. Please refer to "operation certificate guide"
API Certificate Upgrade Guide (for developers)
API certificate Definition
An API certificate is required when a developer is calling WeChat Pay APIs with a higher level of security (such as Refund, Company Red Packet, and Company Payment).
API Certificate Types
1.An API certificate is used to identify merchants. Depending on the type of the CA, there are two types of API certificates:
1.1 API certificates issued by WeChat Pay. The certificate and secret files can be directly downloaded from the Merchant Platform.
1.2 API certificates issued by CA. An API certificate is obtained by downloading the certificate tool to generate the certificate request string and submitting the request string to the Merchant Platform. The secret file can only be exported with the certificate tool.
2.API Certificate Differentiation Method
Use the certificate parsing tool,to view the certificate content.
3.API Certificate Differences
| Certificate field | API certificates issued by WeChat Pay | API certificates issued by CA |
|---|---|---|
| Certificate issuer | MmpaymchCA | Tenpay.com Root CA |
| Certificate serial number | A string less than 20 bytes | A string with 40 bytes |
| Certificate's CN field | Merchant's company name | Merchant ID using 8 to 10 digits |
| Certificate's trust chain | File: CertTrustChainWX.p7b MD5 digest:c91ddfb6e9f0533e9a78dcdc89ca1080 SHA256 digest:c826a1c900d445c372fff25968988 c002493688c491c8e66cc8276a17003a12e |
File : CertTrustChain.p7b MA5 digest:77e0db6559b07624f538b1acf4ad81ca SHA256 digest:fc4ef43a7fb2b08263345453e5629 7daf998a5dac6c501b38eb2df18a55f6a13 |
FAQ
Q:Why do I need to upgrade the API certificate??
A:In June 2018, WeChat Pay began to promote the use of API certificates issued by the CA. The original certificates issued by WeChat Pay can be directly upgraded to those issued by the CA. Upgraded certificates have these advantages:
1.Wider application: The upgraded certificates are applicable to Refund API, Company Payment API, and other APIs that require two-way authentication, as well as APIs used for encrypted transmission of sensitive data.
2.Improved compatibility: After upgrade, the old certificates remain valid within 48 hours without business interruption.
Q:How do I upgrade the API certificate?
A:Follow the steps below to upgrade a merchant's API certificate:
Step 1:The super administrator of the Merchant ID logs in to the Merchant Platform to upgrade the certificate and get the CA-issued API certificate. (See guidelines)
Step 2: The super administrator transfers the CA-issued API certificate (including a certificate file in pkcs12 format, a certificate file in pem format, and a secret in pem format) to the developer.
Step 3: The developer replaces the API certificate originally issued by WeChat Pay on the server with the new file, without the need to modify the code of the existing system.
Note
Once upgraded to the CA-issued API certificate, the WeChat Pay-issued API certificate will expire in 14 days. Be sure to replace the old certificate on the server with the new one as soon as possible to avoid compromise to online transactions. In addition, please properly keep the certificate and the secret, because the secret file can only be exported through the certificate tool. The secret cannot be retrieved once lost.
