---
title: "TN3206: Updating Apple Pay certificates"
framework: technotes
role: article
role_heading: Article
path: technotes/tn3206-updating-apple-pay-certificates
---

# TN3206: Updating Apple Pay certificates

Learn how to create, manage, and rotate Apple Pay certificates to maintain uninterrupted payment processing.

## Overview

When you configure Apple Pay, you create a payment processing certificate to securely encrypt payment data. If you integrate Apple Pay on the Web, you also create an identity certificate to authenticate communication with Apple Pay servers. To get started with Apple Pay configuration, see Setting up Apple Pay.

Both certificates are valid for 25 months and must be renewed before they expire to avoid disruptions to payment processing in your apps and websites. This document explains how to update—also referred to as rolling or rotating—your Apple Pay certificates with minimal disruption.

## Apple Pay credentials

### Payment processing certificates

Merchant identifiers and payment platform integrator identifiers support one active payment processing certificate at a time. When you activate a new payment processing certificate, Apple Pay servers begin using it to encrypt transactions. While the newly created payment processing certificate propagates across Apple Pay servers, some transactions may temporarily still be encrypted with the previous certificate’s public key. To handle this transition correctly, always check the publicKeyHash value in the payment token to determine which public key was used for encryption, then retrieve the corresponding private key from your keychain or keystore to decrypt the payment data. When the transition is complete, only the new public key is used. For more information, see Payment token format reference.

Note: If your Payment Service Provider (PSP) performs decryption on your behalf, follow your PSP’s guidance on the process required to coordinate successful certificate rolling in their platform.

To update your payment processing certificate, follow the sections below:

- Create a payment processing certificate
- Activate a payment processing certificate
- Use the public key’s hash to identify the correct private key
- Monitor and rotate your certificates

#### Create a payment processing certificate

A payment processing certificate is associated with your merchant identifier or payment platform integrator identifier and encrypts payment information for Apple Pay. Decryption can be handled by the merchant directly or delegated to their PSP. The decrypting party is responsible for generating the new keys and the certificate signing request (CSR). They may also need the downloaded certificate after the enrollment process is complete.

To create a payment processing certificate, use the following resources:

- Apple Developer Portal: Use Certificates, Identifiers & Profiles.
- App Store Connect API: Use Create a Certificate to create a certificate. For more information, see Managing merchant IDs and Payment Processing certificates.

When generating the CSR for payment processing, use the appropriate key type for your region.

To manually create and download a new payment processing certificate:

1. In Certificates, Identifiers & Profiles, click Identifiers.
2. Under Identifiers, select Merchant IDs or Payment Platform Integrator IDs using the filter on the top right.
3. On the right, select your merchant identifier or payment platform integrator identifier.

   Note: If a banner appears at the top of the page saying that you need to accept an agreement, click the Review Agreement button and follow the instructions before continuing.

4. Under Apple Pay Payment Processing Certificate, click Create Certificate.
5. The decrypting party creates a CSR, either on a Mac using Keychain Access or with a command-line tool such as OpenSSL or Java keytool.
6. Click Choose File.
7. In the dialog that appears, select your CSR file (*.certSigningRequest), then click Choose.
8. Click Continue.
9. Click Download to save the certificate file (*.cer).

#### Activate a payment processing certificate

Apple Pay payment decryption can be handled by the merchant directly or delegated to a PSP. If your PSP handles decryption, coordinate with them before activating a new payment processing certificate. Both parties must be fully prepared to use the updated credentials before you proceed—activating prematurely can interrupt payment processing in your apps and websites.

To manually activate a payment processing certificate:

1. In Certificates, Identifiers & Profiles, navigate to your merchant identifier or payment platform integrator identifier.
2. Under Apple Pay Payment Processing Certificate, locate the new certificate.
3. Click Activate.

Once activated, Apple Pay servers immediately begin using the new certificate to encrypt transactions.

Important: Payment processing certificate activation is irreversible. Once you activate a new certificate, the previous certificate is immediately invalidated and cannot be restored.

#### Use the public key’s hash to identify the correct private key

During the transition period after activation, Apple Pay servers may use either the previous or the new public key to encrypt transactions while the update propagates. Use the publicKeyHash value in the payment token’s header to determine which private key to use for decryption. Once you stop receiving the publicKeyHash value associated with the previous certificate, it’s safe to delete the previous private key from your keychain or keystore. For more information on payment token structure and decryption, see Payment token format reference.

### Identity certificates

Merchant identifiers and payment platform integrator identifiers support up to three active identity certificates simultaneously. This allows you to create and validate a new certificate before revoking the previous one, ensuring uninterrupted connectivity with Apple Pay servers.
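Returning to the payment processing rotation: the publicKeyHash check described under "Use the public key’s hash to identify the correct private key" is easy to get wrong by silently decrypting with whichever key is "current". The following Python is an added example, not code from this technote or from Apple. It computes publicKeyHash the way the Payment token format reference defines it (Base64 of the SHA-256 digest of the certificate’s public key bytes), selects the private key a token was encrypted for, refuses tokens whose hash it does not hold, and reports when the previous key has gone quiet long enough to be deleted. The SPKI byte strings, key handles and tokens are constructed stand-ins, the `PaymentKeyStore` class and its methods are hypothetical helper names, and the actual EC_v1 decryption is left to your existing code, which receives the selected handle.

```python
import base64
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed stand-ins for the DER-encoded SubjectPublicKeyInfo of the previous
# and the newly activated payment processing certificate. In production these
# bytes come from the downloaded .cer files (the same data Apple hashes).
PREVIOUS_SPKI = b"constructed SPKI bytes: previous payment processing certificate"
NEW_SPKI = b"constructed SPKI bytes: new payment processing certificate"


def public_key_hash(spki_der: bytes) -> str:
    """publicKeyHash as Apple Pay places it in the token header: the Base64
    encoding of the SHA-256 digest of the certificate's public key bytes."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


class PaymentKeyStore:
    """Hypothetical helper: keeps every private key that may still be needed
    during a rotation and remembers when a token last referenced each hash."""

    def __init__(self, entries):
        # entries: (label, spki_der, private_key_handle). The handle is whatever
        # your keychain, keystore or HSM hands back; it is opaque to this class.
        self._keys = {}
        self._last_seen = {}
        for label, spki_der, handle in entries:
            self._keys[public_key_hash(spki_der)] = (label, handle)

    def select(self, token: dict, now: datetime):
        """Return (label, private_key_handle) for the key that encrypted `token`.
        Never fall back to "the active key": a hash you do not hold means the
        rotation was not coordinated, or the token is not for this identifier."""
        key_hash = token["header"]["publicKeyHash"]
        if key_hash not in self._keys:
            raise KeyError(f"no private key for publicKeyHash {key_hash!r}")
        self._last_seen[key_hash] = now
        return self._keys[key_hash]

    def safe_to_retire(self, active_label: str, now: datetime, quiet_period: timedelta):
        """Labels of non-active keys that no token has referenced for
        `quiet_period`, i.e. the previous key once propagation has finished.
        A key never seen since startup is kept: its silence says nothing
        about whether propagation is complete."""
        retirable = []
        for key_hash, (label, _handle) in self._keys.items():
            if label == active_label:
                continue
            last = self._last_seen.get(key_hash)
            if last is not None and now - last >= quiet_period:
                retirable.append(label)
        return retirable


def constructed_token(key_hash: str, transaction_id: str) -> dict:
    """An EC_v1 payment token skeleton (constructed); only the header is
    inspected here, so data, signature and the ephemeral key are placeholders."""
    return {
        "version": "EC_v1",
        "data": "<base64 encrypted payment data>",
        "signature": "<base64 PKCS#7 detached signature>",
        "header": {
            "ephemeralPublicKey": "<base64 ephemeral public key>",
            "publicKeyHash": key_hash,
            "transactionId": transaction_id,
        },
    }


def demo():
    """Walk through a rotation: both hashes arrive during propagation, an
    unknown hash is rejected, then the old key goes quiet and becomes retirable."""
    store = PaymentKeyStore([
        ("previous", PREVIOUS_SPKI, "handle:previous-private-key"),
        ("new", NEW_SPKI, "handle:new-private-key"),
    ])
    t0 = datetime(2026, 3, 12, 9, 0, tzinfo=timezone.utc)
    tokens = [  # constructed traffic seen shortly after activation
        (constructed_token(public_key_hash(PREVIOUS_SPKI), "txn-0001"), t0),
        (constructed_token(public_key_hash(NEW_SPKI), "txn-0002"), t0 + timedelta(minutes=5)),
        (constructed_token(public_key_hash(PREVIOUS_SPKI), "txn-0003"), t0 + timedelta(minutes=20)),
    ]
    chosen = [store.select(token, seen_at)[0] for token, seen_at in tokens]

    try:
        store.select(constructed_token("AAAA-not-a-hash-we-hold", "txn-0004"), t0)
        unknown_rejected = False
    except KeyError:
        unknown_rejected = True

    quiet = timedelta(days=1)
    retire_early = store.safe_to_retire("new", t0 + timedelta(hours=2), quiet)
    retire_later = store.safe_to_retire("new", t0 + timedelta(days=3), quiet)
    return chosen, unknown_rejected, retire_early, retire_later


if __name__ == "__main__":
    print(demo())
```

The quiet period is a policy choice for your traffic volume; the point is that deletion of the previous private key is driven by observed publicKeyHash values, not by the moment you clicked Activate.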
To update your identity certificate, follow the sections below:

- Create an identity certificate
- Monitor and rotate your certificates
- Revoke an identity certificate

#### Create an identity certificate

Identity certificates require a CSR generated using an RSA 2048-bit key pair.

To manually create and download a new identity certificate:

1. In Certificates, Identifiers & Profiles, click Identifiers.
2. Under Identifiers, select Merchant IDs or Payment Platform Integrator IDs using the filter on the top right.
3. On the right, select your merchant identifier or payment platform integrator identifier.

   Note: If a banner appears at the top of the page saying that you need to accept an agreement, click the Review Agreement button and follow the instructions before continuing.

4. Under the identity certificate section, click Create Certificate.

   Note: If the Create Certificate button is disabled, consider choosing an older, inactive certificate to revoke. Revoking an active certificate will immediately cause Apple Pay requests to fail.

5. Create a CSR on a Mac using Keychain Access, or with a command-line tool such as OpenSSL or Java keytool.
6. Click Choose File.
7. In the dialog that appears, select your CSR file (*.certSigningRequest), then click Choose.
8. Click Continue.
9. Click Download to save the certificate file (*.cer).

Once downloaded, add the new certificate to your keychain or keystore. It can be used immediately to secure connections to Apple Pay servers. After you’ve confirmed the new certificate works as expected in your environment, revoke and delete the previous certificate from both Certificates, Identifiers & Profiles and your keychain or keystore.

## Monitor and rotate your certificates

To view the status and expiration date of each certificate, use the following resources:

- Apple Developer Portal: Use Certificates, Identifiers & Profiles.
- App Store Connect API: Use List and Download Certificates to find and list certificates, or Read and Download Certificate Information to retrieve details about a specific certificate.

Tip: Proactively renew certificates at least 30 days before expiration. Apple sends expiration reminder notifications to Account Holder and Admin roles 30, 15, and 7 days before a certificate expires. To ensure you receive all notifications, maintain up-to-date and accurate contact details for these roles.

Certificates can be rotated manually in Certificates, Identifiers & Profiles or programmatically using the App Store Connect API. To learn more about programmatically rotating payment processing certificates, see Managing merchant IDs and Payment Processing certificates.

## Revoke an identity certificate

You can revoke certificates in the following resources:

- Apple Developer Portal: Use Certificates, Identifiers & Profiles.
- App Store Connect API: Use Revoke a Certificate to revoke a specific certificate.

To manually revoke an identity certificate:

1. In Certificates, Identifiers & Profiles, click Identifiers.
2. Under Identifiers, select Merchant IDs or Payment Platform Integrator IDs using the filter on the top right.
3. On the right, select your merchant identifier or payment platform integrator identifier.

   Note: If a banner appears at the top of the page saying that you need to accept an agreement, click the Review Agreement button and follow the instructions before continuing.

4. Under the identity certificate section, locate a certificate (preferably an inactive certificate) and click Revoke.

## Frequently asked questions

Does updating certificates affect my merchant domain verification?

No. Merchant domain verification is unrelated to the certificate update process.

If my PSP handles decryption, can certificate updates cause payment failures?

Yes, if updates aren’t coordinated in advance. Before updating your payment processing certificate, follow your PSP’s guidance on the process required to coordinate successful certificate rolling in their platform. Your PSP must provide you with a CSR to generate the new certificate, which confirms they hold the correct private key to perform decryption.

Do merchant identifiers or payment platform integrator identifiers expire?

No. Merchant identifiers and payment platform integrator identifiers don’t expire. Only their associated certificates expire and require renewal every 25 months.

When should I activate a new payment processing certificate?

Click the Activate button in Certificates, Identifiers & Profiles when both you and your PSP have confirmed you’re ready to accept payments with the new credentials and to decrypt payloads using the updated private keys. Activation is immediate and irreversible.

Can I revert to a previous payment processing certificate after activation?

No. Activating a new certificate immediately invalidates the previous one. It cannot be reactivated or restored.

What if my certificate expires during a scheduled code freeze?

Renew your certificate before the code freeze begins so the new expiration date falls outside that time period. This ensures uninterrupted payment processing without requiring code changes during the scheduled code freeze.

How far in advance should I renew my certificates?

Renew your certificates at least 30 days before expiration to allow sufficient time for coordination with your PSP and validation in your environment before activation.

## Revision History

- 2026-03-12: First published.
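The renewal timing rules spread across "Monitor and rotate your certificates" and the FAQ (renew at least 30 days ahead, reminders at 30, 15 and 7 days, at most three identity certificates per identifier, and renewing before rather than during a code freeze) can be turned into a scheduled check. The Python below is an added example, not code from this technote or from Apple. The certificate inventory is a constructed list of dictionaries with `displayName`, `kind`, `active` and `expirationDate` fields chosen for this example; it is not the App Store Connect API schema, so adapt the field names when you feed it the output of List and Download Certificates. The freeze window is likewise constructed, and `plan`, `renew_by` and `reminder_stage` are hypothetical helper names.

```python
from datetime import date, timedelta

RENEW_LEAD_DAYS = 30          # renew at least 30 days before expiration
REMINDER_DAYS = (30, 15, 7)   # Apple's reminder schedule for Account Holder and Admin roles
MAX_ACTIVE_IDENTITY = 3       # identity certificates allowed per identifier at one time


def renew_by(expiration: date, freeze_windows) -> date:
    """Latest sensible renewal date: 30 days before expiry, pulled ahead of any
    code freeze it would otherwise fall into. Windows are (start, end) date pairs,
    checked latest-first because moving the date earlier can only land it in an
    earlier window, never a later one."""
    deadline = expiration - timedelta(days=RENEW_LEAD_DAYS)
    for start, end in sorted(freeze_windows, reverse=True):
        if start <= deadline <= end:
            deadline = start - timedelta(days=1)
    return deadline


def reminder_stage(expiration: date, today: date):
    """Which of Apple's reminder bands (30/15/7 days) the certificate is in, None
    if it is still outside them, or 'expired' once the date has passed."""
    days_left = (expiration - today).days
    if days_left < 0:
        return "expired"
    for threshold in sorted(REMINDER_DAYS):  # 7, 15, 30: tightest band first
        if days_left <= threshold:
            return f"{threshold}-day"
    return None


def plan(certificates, today: date, freeze_windows=()):
    """Return (displayName, action, reminder_stage) per certificate, soonest
    expiry first. Each certificate is a dict with displayName, kind ('payment'
    or 'identity'), active (bool) and expirationDate (ISO 8601 date string);
    this shape is constructed for the example."""
    active_identity = sum(1 for c in certificates if c["kind"] == "identity" and c["active"])
    report = []
    for cert in sorted(certificates, key=lambda c: c["expirationDate"]):
        expiration = date.fromisoformat(cert["expirationDate"])
        deadline = renew_by(expiration, freeze_windows)
        if today > expiration:
            action = "expired: create and activate a replacement immediately"
        elif today >= deadline:
            action = "renew now"
        else:
            action = f"renew by {deadline.isoformat()}"
        # Renewal of an identity certificate needs a free slot; when all three are
        # taken, an older certificate the servers no longer use has to go first.
        if (cert["kind"] == "identity" and today >= deadline
                and active_identity >= MAX_ACTIVE_IDENTITY):
            action += ("; the identifier already has three identity certificates, "
                       "so revoke one your servers no longer use before creating the replacement")
        report.append((cert["displayName"], action, reminder_stage(expiration, today)))
    return report


def demo():
    """Constructed inventory checked on 2026-03-12 against a constructed release freeze."""
    today = date(2026, 3, 12)
    freeze_windows = [(date(2026, 3, 18), date(2026, 3, 31))]
    inventory = [
        {"displayName": "Payment processing (merchant.example)", "kind": "payment",
         "active": True, "expirationDate": "2026-04-20"},
        {"displayName": "Identity 2024-02", "kind": "identity",
         "active": True, "expirationDate": "2026-03-25"},
        {"displayName": "Identity 2025-06", "kind": "identity",
         "active": True, "expirationDate": "2027-07-10"},
        {"displayName": "Identity 2026-01", "kind": "identity",
         "active": True, "expirationDate": "2028-02-01"},
    ]
    return plan(inventory, today, freeze_windows)


if __name__ == "__main__":
    for name, action, stage in demo():
        print(f"{name}: {action} (reminder stage: {stage})")
```

In the constructed run the payment processing certificate’s 30-day deadline of 2026-03-21 falls inside the freeze, so the plan pulls it forward to 2026-03-17; the oldest identity certificate is already inside the 15-day reminder band and, with all three slots occupied, needs a revocation before its replacement can be created.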

## See Also

### Latest

- [TN3210: Optimizing your app for iPhone Mirroring](technotes/tn3210-optimizing-your-app-for-iphone-mirroring.md)
- [TN3211: Resolving SwiftUI source incompatibilities for State and ContentBuilder](technotes/tn3211-resolving-swiftui-source-incompatibilities-for-state-and-contentbuilder.md)
- [TN3212: Adopting gesture recognizers for Sidecar touch support](technotes/tn3212-adopting-gesture-recognizers-for-sidecar-touch-support.md)
- [TN3208: Preparing your app’s launch screen to meet App Store requirements](technotes/tn3208-preparing-your-apps-launch-screen-to-meet-app-store-requirements.md)
- [TN3205: Low-latency communication with RDMA over Thunderbolt](technotes/tn3205-low-latency-communication-with-rdma-over-thunderbolt.md)
- [TN3179: Understanding local network privacy](technotes/tn3179-understanding-local-network-privacy.md)
- [TN3190: USB audio device design considerations](technotes/tn3190-usb-audio-device-design-considerations.md)
- [TN3194: Handling account deletions and revoking tokens for Sign in with Apple](technotes/tn3194-handling-account-deletions-and-revoking-tokens-for-sign-in-with-apple.md)
- [TN3193: Managing the on-device foundation model’s context window](technotes/tn3193-managing-the-on-device-foundation-model-s-context-window.md)
- [TN3115: Bluetooth State Restoration app relaunch rules](technotes/tn3115-bluetooth-state-restoration-app-relaunch-rules.md)
- [TN3192: Migrating your iPad app from the deprecated UIRequiresFullScreen key](technotes/tn3192-migrating-your-app-from-the-deprecated-uirequiresfullscreen-key.md)
- [TN3151: Choosing the right networking API](technotes/tn3151-choosing-the-right-networking-api.md)
- [TN3111: iOS Wi-Fi API overview](technotes/tn3111-ios-wifi-api-overview.md)
- [TN3191: IMAP extensions supported by Mail for iOS, iPadOS, and visionOS](technotes/tn3191-imap-extensions-supported-by-mail.md)
- [TN3134: Network Extension provider deployment](technotes/tn3134-network-extension-provider-deployment.md)
