
Create an Apple Pay payment processing certificate

In this tutorial, you'll create an Apple Pay payments processing certificate that's registered in both your Apple Developer account and the Shopify admin. The certificate allows Shopify to act as a payments processor for iOS Apple payments, which involves decrypting the PassKit payment data generated after a user authorizes a payment.

If you're familiar with setting up Apple Pay certificates already, then you'll notice some similarities to the process detailed in Apple's docs. However, there are differences in how the certificate is generated. For example, Shopify generates a unique Certificate Signing Request (CSR), rather than you creating one using keychain, and the resulting certificate needs to be uploaded using the REST Admin API.


In this tutorial, you'll learn how to do the following tasks:

  • Create an ApplePayCertificate resource using the REST Admin API.
  • Wait for the certificate to transition from "issuing" into "csr" status.
  • Retrieve the base64 encoded Certificate Signing Request (CSR).
  • Decode the certificate and upload to Apple for encryption.
  • Download the encrypted version of the certificate from Apple.
  • Encode the encrypted version and upload it to Shopify using the REST Admin API.
  • Activate the certificate (optional).

You need to set up the following environment variables before you can run scripts. Paste the following code in your terminal, and replace the values in angled brackets. Refer to the table that follows the code for the correct values.

Set up environment variables

ADMIN_API_ACCESS_TOKEN="<ADMIN_API_ACCESS_TOKEN>" \
STOREFRONT_DOMAIN="<SHOP_DOMAIN>" \
API_VERSION="2025-01" \
MERCHANT_ID="<APP_BUNDLE_ID>"
| Variable | Description | Read-only? |
| --- | --- | --- |
| STOREFRONT_DOMAIN | The domain of your store without trailing /. For example, https://store.myshopify.com. | No |
| MERCHANT_ID | A unique identifier for Apple to identify your business as a merchant able to accept payments. Located within your Xcode project under Signing & Capabilities > Apple Pay > Merchant IDs. If this isn't set up yet, then you can create one. | No |
| API_VERSION | Version of the REST Admin API to target. Refer to: REST Admin API reference. | No |
| ADMIN_API_ACCESS_TOKEN | Located within the store settings: Settings > Apps & Sales Channels > Develop Apps > API Credentials > Admin API access token. Only store admins can access this value. | Yes |

Step 1: Create an Apple Pay resource

To begin, you need to generate a new certificate resource, as the certificate won't be immediately available. The response should indicate it's issuing. In this step, you'll check whether the certificate has finished issuing so that you can retrieve the Certificate Signing Request (CSR).

Create an Apple Pay resource

POST - $STOREFRONT_DOMAIN/admin/api/$API_VERSION/apple_pay_certificates.json

APPLE_PAY_CERTIFICATE_ID=$(curl --request POST "$STOREFRONT_DOMAIN/admin/api/$API_VERSION/apple_pay_certificates.json" \
--header "X-Shopify-Access-Token: $ADMIN_API_ACCESS_TOKEN" \
| jq .apple_pay_certificate.id);

echo "APPLE_PAY_CERTIFICATE_ID =" $APPLE_PAY_CERTIFICATE_ID

Output

APPLE_PAY_CERTIFICATE_ID = 1234

Step 2: Retrieve an Apple Pay certificate

You can check on the progress of the certificate creation with the following GET request.

If the response shows "status":"csr", then you can move on to the next step.

Retrieve an Apple Pay certificate

GET - $STOREFRONT_DOMAIN/admin/api/$API_VERSION/apple_pay_certificates/$APPLE_PAY_CERTIFICATE_ID.json

curl "$STOREFRONT_DOMAIN/admin/api/$API_VERSION/apple_pay_certificates/$APPLE_PAY_CERTIFICATE_ID.json" \
--header "X-Shopify-Access-Token: $ADMIN_API_ACCESS_TOKEN" \
| jq .

Output

{
"apple_pay_certificate": {
"id": 1234,
"status": "csr",
"merchant_id": null
}
}
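
The wait for the "issuing" to "csr" transition, as an added polling example that is not part of Shopify's tutorial. It reuses the environment variables set earlier; the function names, attempt limit, delay and return codes are assumptions.

```bash
# Added example, not Shopify's code. Function names, the attempt limit,
# the delay and the return codes are assumptions.

# The GET request from Step 2; --fail turns HTTP errors into a non-zero exit.
fetch_certificate() {
  curl --silent --show-error --fail \
    "$STOREFRONT_DOMAIN/admin/api/$API_VERSION/apple_pay_certificates/$APPLE_PAY_CERTIFICATE_ID.json" \
    --header "X-Shopify-Access-Token: $ADMIN_API_ACCESS_TOKEN"
}

# wait_for_csr [MAX_ATTEMPTS] [DELAY_SECONDS] [FETCH_COMMAND]
#   0 = status is "csr"
#   1 = still "issuing" after MAX_ATTEMPTS
#   2 = request failed, status field missing, or unexpected status
wait_for_csr() {
  local max_attempts="${1:-30}" delay="${2:-2}" fetch="${3:-fetch_certificate}"
  local attempt=1 body status
  while [ "$attempt" -le "$max_attempts" ]; do
    if ! body="$("$fetch")"; then
      echo "request failed on attempt $attempt" >&2
      return 2
    fi
    # jq -e exits non-zero when the field is null or absent (e.g. an error body).
    if ! status="$(printf '%s' "$body" | jq -er '.apple_pay_certificate.status')"; then
      echo "no apple_pay_certificate.status in response" >&2
      return 2
    fi
    case "$status" in
      csr) return 0 ;;
      issuing) sleep "$delay" ;;
      *) echo "unexpected status: $status" >&2; return 2 ;;
    esac
    attempt=$((attempt + 1))
  done
  echo "still issuing after $max_attempts attempts" >&2
  return 1
}

# Usage after Step 1:
#   wait_for_csr 30 2 && echo "CSR is ready"
```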

Step 3: Retrieve a Certificate Signing Request (CSR)

In this step, you'll do the following work to manipulate the data:

  • Remove newline characters from the response with tr.
  • Extract the JSON data with jq.
  • Decode the data from base64 and save it to the apple_payment_processing.csr file. This is the file that you'll later upload to Apple.

Retrieve a Certificate Signing Request (CSR)

GET - $STOREFRONT_DOMAIN/admin/api/$API_VERSION/apple_pay_certificates/$APPLE_PAY_CERTIFICATE_ID/csr.json

curl "$STOREFRONT_DOMAIN/admin/api/$API_VERSION/apple_pay_certificates/$APPLE_PAY_CERTIFICATE_ID/csr.json" \
--header "X-Shopify-Access-Token: $ADMIN_API_ACCESS_TOKEN" \
| tr -d \\n \
| jq -r .csr.key \
| openssl base64 -a -d -out apple_payment_processing.csr;

command cat apple_payment_processing.csr

Output

-----BEGIN CERTIFICATE REQUEST-----
MIIBQtcb6AIBADCBhTELMAkGA1UEBhMCQ0ExCzAJBgNVBAgTAk9OMQ8wDQYDVQQH
EwZPdHRhD2eXedaobGNVBAoMB1Nob3BpZnkxETAPBgNVBAsMCFBheW1lbnRzMRAw
DgYDVQQDDAdTaG9waWz5mseWhWyjkOzIhvcNAQkBDBJhZG1pbnNAc2hvcGlmeS5j
b20wWTATBgcqhkjOPQIBBggqhkjOPQMbbWncaas7Zyut/WMsHOERhUXNigv5X0Jk
VvIxuAriMxOIkNhPASsTbjxZGsLmqyv5Td+WrxJ45HeQraashdfgahgiauvCoAAw
CgYIKoZIzj0EAwIDSAAwRQIhAK1lbDqq/VNQbSQqCtLgClZmR/98vjsVhoh2ZwKE
13gLAiB2Pn6eKA1V2XZ+0wxoTpyzBrBeTaoABYiJnbqmTWWG3Q==
-----END CERTIFICATE REQUEST-----

Step 4: Upload a Certificate Signing Request (CSR) to Apple

Complete the following steps:

  1. Log in to your Apple Developer account.
  2. Under Certificates, Identifiers & Profiles, click the "+" button to create a new certificate.
  3. Select the checkbox for Apple Pay Payment Processing Certificate.
     If this is the first certificate you're creating, then you'll be redirected to the creation page. Otherwise, you might encounter the following page. The Apple Pay Payment Processing Certificate section is the only area you need to focus on. The other sections are for setup on the web.

Caution

Make sure you don't create the certificate under Apple Pay Merchant Identity Certificate, which is only used for Apple Pay on the web.

  4. Select Create Certificate and upload the apple_payment_processing.csr file from the previous step in the form.

  5. Download the encrypted version of the certificate. The filename is apple_pay.cer.

  6. Store the file somewhere secure, as you'll upload this file in the next step using the REST Admin API.

Note

If this is the second certificate you created, then leave this page open, as you'll be returning to it to activate the certificate after it's uploaded.
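
A check to run on the two files before the upload in the next step, added here as an example that is not part of Shopify's tutorial: it confirms that apple_pay.cer carries the same public key as apple_payment_processing.csr and has not expired, which catches a certificate issued for a different CSR. The function names and return codes are hypothetical, and the DER-then-PEM fallback is an assumption about the download format.

```bash
# Added example, not Shopify's code. Function names and return codes are
# hypothetical.

# Print a certificate as PEM. The download is assumed to be DER-encoded;
# fall back to PEM in case the file was converted.
cert_as_pem() {
  openssl x509 -inform DER -in "$1" 2>/dev/null ||
    openssl x509 -inform PEM -in "$1" 2>/dev/null
}

# check_cert_matches_csr CSR_FILE CERT_FILE
#   0 = certificate carries the CSR's public key and has not expired
#   1 = public keys differ (certificate was issued for another CSR)
#   2 = CSR or certificate could not be parsed, or CSR signature is invalid
#   3 = certificate has expired
check_cert_matches_csr() {
  local csr="$1" cert="$2" pem csr_key cert_key

  # A valid self-signature shows the CSR was decoded intact in Step 3.
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || return 2

  pem="$(cert_as_pem "$cert")" || return 2
  csr_key="$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)" || return 2
  cert_key="$(printf '%s\n' "$pem" | openssl x509 -noout -pubkey 2>/dev/null)" || return 2

  [ -n "$csr_key" ] && [ "$csr_key" = "$cert_key" ] || return 1

  # -checkend 0 exits non-zero if the certificate is already past notAfter.
  printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 || return 3
  return 0
}

# Usage before Step 5:
#   check_cert_matches_csr apple_payment_processing.csr apple_pay.cer \
#     && echo "certificate matches the CSR" || echo "do not upload"
```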


Step 5: Upload the encrypted certificate using the REST Admin API

After reading the file into a variable, you can upload it to the REST Admin API with the following commands:

Upload encrypted certificate using the REST Admin API

PUT - $STOREFRONT_DOMAIN/admin/api/$API_VERSION/apple_pay_certificates/$APPLE_PAY_CERTIFICATE_ID.json

ENCRYPTED_CERTIFICATE="$(openssl base64 -a -A -e -in apple_pay.cer)";

curl --request PUT "$STOREFRONT_DOMAIN/admin/api/$API_VERSION/apple_pay_certificates/$APPLE_PAY_CERTIFICATE_ID.json" \
--header "X-Shopify-Access-Token: $ADMIN_API_ACCESS_TOKEN" \
--header "Content-Type: application/json" \
--data "{
\"apple_pay_certificate\": {
\"id\": \"$APPLE_PAY_CERTIFICATE_ID\",
\"status\": \"completed\",
\"merchant_id\": \"$MERCHANT_ID\",
\"encoded_signed_certificate\": \"$ENCRYPTED_CERTIFICATE\"
}
}" \
| jq .

Output

{
"apple_pay_certificate": {
"id": 1234,
"status": "completed",
"merchant_id": "<MERCHANT_ID>"
}
}

Step 6: (Optional) Activate the certificate

This step isn't necessary if you're only creating your first certificate, as it will default to active. Only subsequent certificates that you create will start as inactive until explicitly activated. This prevents interruptions of service if your application is in production.

  1. Return to the page where the certificate was downloaded from Apple. The URL is: https://developer.apple.com/account/resources/certificates/download/<CERTIFICATE_ID>

  2. Activate the certificate. The modal popup will warn that this should only be performed if this certificate has been set up for payment processing, so unless you missed any of the steps above, you can select to activate again.

Caution

If your app is already in production, then make sure you've completed the prior steps of uploading the encrypted certificate to Shopify. Failure to do so might cause service interruptions if your store is already live and processing Apple Pay transactions.


Limitations and considerations

  • The payment processing certificate expires every 25 months. You can perform these steps again in order to configure a backup certificate to prevent interruptions of service.
  • The merchant identity certificate is only required for Web, and not apps. Refer to Configure Apple Pay capabilities for more information.
