Renew or Replace XiSecure Certificate
The certificate expiration date displays on the XiSecure page in Merchant Portal. You can also check the expiration from the certificate file itself by double-clicking on it.
Renewal key points
- XiSecure certificate expiry email notifications are sent each Monday morning at 10:10am CT to Approving Managers, Portal Admins, and users with the Onboarding Edit role if the Client has either a QA or Production certificate expiring within the next 60 days.
- Once the request is processed, you must log back into the Merchant Portal, download the new certificate and apply the new certificate in all applicable source systems BEFORE the original one expires or a loss of service will occur.
- Allow enough time before the expiration date to remedy any problems that may occur.
- Billable consulting will be applied if Paymetric assistance is needed with generating and applying the renewed certificates on your origination systems.
- The new certificate will be backwards compatible with existing tokens. The old certificate will be automatically retired on the day of the expiration.
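To check every certificate file on a server at once, this added PowerShell example (not Paymetric tooling) lists each .pem file's expiry and flags any inside the 60-day notification window. It assumes the certificates are in c:\certs; `Get-ClientCertExpiry` is a hypothetical helper name.

```powershell
# Added example: audit the client certificates in the certificate directory.
# Assumptions: c:\certs is the directory (the page says "usually c:\certs");
# Get-ClientCertExpiry is a hypothetical name, not part of PAS or Merchant Portal.
function Get-ClientCertExpiry {
    param(
        [string]$Directory = 'c:\certs',
        [int]$WarnDays = 60   # same window as the expiry notification emails
    )
    $now = Get-Date
    Get-ChildItem -Path $Directory -Filter '*.pem' -File -ErrorAction Stop | ForEach-Object {
        $file = $_
        try {
            # X509Certificate2 loads PEM- or DER-encoded certificate files.
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file.FullName)
        } catch {
            # The file is not a certificate (for example a private key saved as .pem).
            [pscustomobject]@{ File = $file.Name; Status = 'NOT A CERTIFICATE'
                               NotAfter = $null; DaysLeft = $null; Thumbprint = $null }
            return   # skip to the next file
        }
        $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
        $status = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -le $WarnDays) { 'RENEW NOW' } else { 'OK' }
        [pscustomobject]@{
            File       = $file.Name
            Status     = $status
            NotAfter   = $cert.NotAfter      # local time
            DaysLeft   = $daysLeft
            Thumbprint = $cert.Thumbprint    # tells the old and renewed files apart
        }
    }
}

Get-ClientCertExpiry | Sort-Object NotAfter | Format-Table -AutoSize
```

After a renewal, the renamed backup and the new certificate both appear in the output, so the later `NotAfter` value identifies the file your integration should reference.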
Renew a client certificate about to expire
Follow the steps below to perform certificate renewal:
- In the Merchant Portal, go to menu path Settings > XiSecure.
- Click renew certificate for the appropriate environment.
- The workflow status for the environment changes from "Complete" to "Requested". Note that the expiration date remains the same until the request is processed by Paymetric.
- Once the request is processed, a notification email is sent to the Approving Manager(s).
  - The Approving Manager (AM) can download the certificate, - OR -
  - The AM should forward the notification to the individual with the Onboarding Edit role.
- The Approving Manager or Onboarding Edit role logs into the Merchant Portal and navigates to the XiSecure page.
  It is important that the following steps are performed prior to the certificate expiration date to avoid tokenization failures. The Approving Manager can either download the certificate or, if they have designated someone with just the Onboarding Edit role, forward the notification that the new certificate is available.
  The Approving Manager role is currently the only one that receives the notifications.
- Click on the *.pem filename under the appropriate environment to download the new signed certificate.
- Rename the existing certificate (for example, to oldMyCert.pem) to invalidate it and keep it as a temporary backup.
- Apply the updated certificate (SAP or Web Service Integrations).
For Paymetric Adapter for SAP (PAS) integrations:
- Place the updated Client Certificate (MyCert.pem) in the same directory where existing certificates reside (usually c:\certs).
  If the updated .pem has a different filename from the expiring .pem, you must modify your PAS configuration.
- In the PAS console, click the XiSecure Program ID.
- Click the Browse button next to the Client Certificate field.
- Select the updated .pem file.
- In the PAS console, click the Update button at the lower right of the screen. Click the Save icon at the top left of the screen.
- Restart the XiSecure services from within PAS configuration console.
- Validate the connection to the Paymetric Data center via the blue button (double arrows).
For Web Service integrations:
Apply the new certificates the same way your current certificates are applied. Billable consulting will be applied if Paymetric assistance is needed with generating and applying the renewed certificates on your origination systems.
Ensure that the newest certificate is being referenced. If the old certificate is cached, you will receive a "WSE511: Invalid to use the security token" error message once it expires.
Validation:
For Paymetric Adapter for SAP (PAS) integrations:
- Check that the RFC connectivity from SAP is successful on all Program IDs (Authorization, Settlement and Tokenization for this environment). Use the SAP Transaction code SM59 to perform this test.
- Validate that all requests (Authorization, Settlement and Tokenization) are working correctly from an SAP standpoint:
  - Test Authorizations via sales order creation, A/R clearing, or via the available Authorization simulation tool in the PCMA Menu.
  - Test Settlement via settlement submission from SAP (this will vary based on your workflow) or via the available Settlement simulation tool in the PCMA Menu.
  - Test Tokenization via the Simulate Encryption tool in the XiSecure BIMG.
For Web Service integrations:
Have users validate that Authorization, Settlement and Tokenization functionality is present from all WebServices origination points as applicable. Contact your Web developers/integrators if you require assistance with configuring the XiSecure Client Certificate.
Remember to back up and store your certificates in a secure location. Ensure all applications or systems using the certificate are updated to avoid tokenization interruptions. It is the responsibility of the Merchant to ensure all originating systems that utilize the certificate are updated before the original certificate expires, which will cause a loss of service.
Create new certificate to replace existing one
Remember that a certificate only needs to be replaced using a new CSR if the private key password is forgotten or potentially compromised. If the certificate is about to expire, it only needs to be renewed.
- Create a new certificate signing request (CSR) and private key. For more information, see Create CSR.
  The private key and private key password must never be shared with Paymetric or the System Integrator. The private key should be generated by the Merchant. The private key and private key password must be secured to maintain the integrity of the customer's tokenization security keys.
- Submit only the CSR file to the Paymetric Support team by zipping and attaching the file to a support ticket.
  Do NOT send the Private Key that was generated when creating the CSR. Instead, move the Private Key to the existing certificate directory.
- Paymetric will sign this .csr file and will create a new Client Certificate file with a .pem file extension. You will receive an email notification that the certificate is ready for download from the Merchant Portal.
- Log into the Merchant Portal and go to Settings > XiSecure. It is important that the following steps are performed prior to the certificate expiration date to avoid tokenization failures.
- Click the *.pem file name under the appropriate environment to download the new signed certificate.
- Place the Paymetric-generated Client Certificate in the appropriate directory on your server. Place the Client Certificate in the same directory where existing certificates reside (usually c:\certs).
- Place the Private Key in the appropriate directory on your server. Place the Private Key in the directory where existing certificates reside (usually c:\certs). The Private Key was generated when the .csr was created.
- Configure new certificate (SAP or Web Service Integrations).
For Paymetric Adapter for SAP (PAS) integrations:
- Execute the PAS Configuration GUI Console.
- Click the XiSecure Program ID.
- Click Browse next to the Client Certificate field.
- Select the new .pem file.
- Click Browse next to the Client Private Key field.
- Select the Private Key file that was generated during the .csr creation.
- In the Client Private Key Password field, enter the Private Key password you chose during the .csr creation.
- Click Update at the lower right of the screen. Click the Save icon at the top left of the screen.
- Restart the XiSecure services from within PAS configuration console.
- Validate the connection to the Paymetric Data center via the blue button (double arrows).
For Web Service integrations:
Apply the new certificates the same way your current certificates are applied. Paymetric can provide guidance in applying the certificate to the PAS server only.
Ensure that the newest certificate is being referenced. If the old certificate is cached, you will receive a "WSE511: Invalid to use the security token" error message once it expires.
Validation:
For Paymetric Adapter for SAP (PAS) integrations:
- Check that the RFC connectivity from SAP is successful on all Program IDs (Authorization, Settlement and Tokenization for this environment). Use the SAP Transaction code SM59 to perform this test.
- Validate that all requests (Authorization, Settlement and Tokenization) are working correctly from an SAP standpoint:
  - Test Authorizations via sales order creation, A/R clearing, or via the available Authorization simulation tool in the PCMA Menu.
  - Test Settlement via settlement submission from SAP (this will vary based on your workflow) or via the available Settlement simulation tool in the PCMA Menu.
  - Test Tokenization via the Simulate Encryption tool in the XiSecure BIMG.
For Web Service integrations:
Have users validate that Authorization, Settlement and Tokenization functionality is present from all WebServices origination points as applicable. Contact your Web developers/integrators if you require assistance with configuring the XiSecure Client Certificate.
Remember to back up and store your certificates in a secure location. Ensure all applications or systems using the certificate are updated to avoid tokenization interruptions. It is the responsibility of the Merchant to ensure all originating systems that utilize the certificate are updated before the original certificate expires, which will cause a loss of service.
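Before zipping files for the support ticket in the CSR submission step above, a check like this added PowerShell example (not Paymetric tooling) confirms that the attachment is a CSR and contains no private key. `Test-CsrAttachment` and the sample file names are hypothetical, and the sample files are constructed placeholders rather than real key material.

```powershell
# Added example: inspect files staged for the support ticket before zipping them.
# Test-CsrAttachment is a hypothetical helper name, not a Paymetric tool.
function Test-CsrAttachment {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        # The [string] cast turns an empty file ($null) into '' for the regex call.
        $text = [string](Get-Content -LiteralPath $p -Raw)
        # Collect every PEM block label in the file, e.g. "CERTIFICATE REQUEST".
        $labels = @([regex]::Matches($text, '-----BEGIN ([A-Z0-9 ]+)-----') |
                    ForEach-Object { $_.Groups[1].Value })
        $verdict = if ($labels -match 'PRIVATE KEY') {
            'BLOCK: contains a private key'      # RSA, EC, PKCS#8 and encrypted keys
        } elseif ($labels.Count -eq 1 -and $labels[0] -match '^(NEW )?CERTIFICATE REQUEST$') {
            'OK: CSR only'
        } else {
            'REVIEW: not a single PEM-encoded CSR'  # e.g. DER file, certificate, bundle
        }
        [pscustomobject]@{
            File      = Split-Path -Leaf $p
            PemBlocks = $labels -join ', '
            Verdict   = $verdict
        }
    }
}

# Constructed sample files with placeholder bodies (not real key material).
$dir = Join-Path ([IO.Path]::GetTempPath()) 'csr-check-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path (Join-Path $dir 'MyCert.csr') -Value `
    "-----BEGIN CERTIFICATE REQUEST-----`nPLACEHOLDER`n-----END CERTIFICATE REQUEST-----"
Set-Content -Path (Join-Path $dir 'MyCert.key') -Value `
    "-----BEGIN ENCRYPTED PRIVATE KEY-----`nPLACEHOLDER`n-----END ENCRYPTED PRIVATE KEY-----"

Test-CsrAttachment -Path (Get-ChildItem -Path $dir -File).FullName | Format-Table -AutoSize
```

Only files reported as `OK: CSR only` belong in the zip; an encrypted private key is still blocked because the password does not make it safe to share.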