- ●When the "Interface for downloading platform certificates" is called, "SIGN_ERRO, Illegal authorization" is returned.
-
Please check against the following items:
1. Please check if the parameter format of the signature string complies with the requirements in the document.
2. Please note the line break requirement at the end of the parameter in the document, if the body is empty, two \n line breaks have to be used.
- ●Why can the old certificate still initiate the v2 interface when the certificate was replaced with one with a foreign agency number?
-
The old certificate could still initiate the v2 interface when the certificate was replaced with one using a foreign agency number because of the following reasons:
1. A period of transition is needed as the invalidation is not immediate.
2. A 14-day transition period is offered for replacing CA with self-signature, and a 48-hour transition period is offered for replacing CA with CA.
- ●Why can't I find the certificate in the specific directory for payment API certificate upgrade tool when using the official generation tool in Mac?
-
It is only supported by windows version.
It is recommended that you use Window7 systems and above.
- ●After the platform certificate is obtained and decrypted, and the sensitive field is encrypted, the java code will prompt the invalid key format
-
Problem lies in reading the certificate and getting the public key. Check if the type used is deprecated in the new version jdk. For example, the jdk9 is deprecated
- ●How Can We Check the Certificate Serial Number?
-
Log in to the merchant platform Account Settings > API Security > API Certificate to check the merchant API certificate serial number.
Both the merchant API certificate and WeChat Pay platform certificate parsing toolcan be checked via the third-party certificate.parsing tool You can also use the openssl command line tool to check the certificate serial number.$ openssl x509 -in 1900009191_20180326_cert.pem -noout -serial serial=1DDE55AD98ED71D6EDD4A4A16996DE7B47773A8C
- ●How to Load the Certificate in the Program?
-
We recommend using the SDK provided by WeChat Pay. You can also view the sample codes in the following programming languages.
/** * 获取证书。 * * @param filename 证书文件路径 (required) * @return X509证书 */ public static X509Certificate getCertificate(String filename) throws IOException { InputStream fis = new FileInputStream(filename); BufferedInputStream bis = new BufferedInputStream(fis); try { CertificateFactory cf = CertificateFactory.getInstance("X509"); X509Certificate cert = (X509Certificate) cf.generateCertificate(bis); cert.checkValidity(); return cert; } catch (CertificateExpiredException e) { throw new RuntimeException("证书已过期", e); } catch (CertificateNotYetValidException e) { throw new RuntimeException("证书尚未生效", e); } catch (CertificateException e) { throw new RuntimeException("无效的证书文件", e); } finally { bis.close(); } }
- ●Why is Platform Certificate only Available Through API Download?
-
The main purpose is to avoid affecting merchants' use of various WeChat Pay functions when the platform certificate is being replaced. WeChat Pay will replace the platform certificate in the following scenarios:
1. The certificate must be replaced when it expires. (Currently five years)
2. Replace the certificate routinely before it expires. (Once a year)
- ●Why Does the Platform Certificate Returned by the Platform Certificate Download API Need to be Encrypted?
-
Mainly to prevent "man-in-the-middle attacks."
The platform certificate must be used to verify the signature of the response message and encrypt sensitive information. The platform certificate is the most critical element for merchants to authenticate WeChat payment. Therefore, multiple mechanisms, such as signature and encryption, must be adopted to ensure that the platform certificates obtained by the merchant have not been tampered with by "man-in-the-middle".
Merchants should perform the following four steps when calling the download API and obtaining the platform certificates to ensure the authenticity of the certificates:
1. Use the symmetric key shared with the platform to decrypt the certificate in the message (required).
2. Verify the signature of the message by decrypting the certificate (required).
3. Use the certificate viewing tool to ensure that the certificate is issued by Tenpay.com Root CA.
4. Verify the platform certificate through the certificate trust chain (highly recommended).
- ●How Can We Verify the Platform Certificate Through the Certificate Trust Chain?
-
The following describes how the openssl tool can be used to verify the platform certificate through the certificate trust chain.
First, download the platform certificate trust chain CertTrustChain.p7b from the WeChat Pay merchant platform and convert it to the pem certificate format.
openssl pkcs7 -print_certs -in CertTrustChain.p7b -inform der -out CertTrustChain.pemThen,
-CAfilefile file will specify the trusted certificate to verify the downloaded platform certificate.openssl verify -verbose -CAfile ./CertTrustChain.pem ./WeChatPayPlatform.pem
- ●Why Did the "HTTP header lacks WeChat Pay platform certificate serial number (Wechatpay-Serial)" Error Occur?
-
Merchants used WeChat Pay platform public key encryption when sending sensitive information. In order to use the correct key for decryption, WeChat Pay requires merchants to include the certificate serial number in the HTTP header of the request to declare the key pair and platform certificate used for encryption. Please refer toPrivate key and certificatefor details.
