Create an Apple Pay payment processing certificate

In this tutorial, you'll create an Apple Pay payments processing certificate that's registered in both your Apple Developer account and the Shopify admin. The certificate allows Shopify to act as a payments processor for iOS Apple payments, which involves decrypting the PassKit payment data generated after a user authorizes a payment.

If you're familiar with setting up Apple Pay certificates already, then you'll notice some similarities to the process detailed in Apple's docs. However, there are differences in how the certificate is generated. For example, Shopify generates a unique Certificate Signing Request (CSR), rather than you creating one using keychain, and the resulting certificate needs to be uploaded using the REST Admin API.

Anchor to What you'll learnWhat you'll learn

In this tutorial, you'll learn how to do the following tasks:

• Create an ApplePayCertificate resource using the REST Admin API.
• Wait for the certificate to transition from "issuing" into "csr" status.
• Retrieve the base64 encoded Certificate Signing Request (CSR).
• Decode the certificate and upload to Apple for encryption.
• Download the encrypted version of the certificate from Apple.
• Encode the encrypted version and upload it to Shopify using the REST Admin API.
• Activate the certificate (optional).

Anchor to RequirementsRequirements

You need to set up the following environment variables before you can run scripts. Paste the following code in your terminal, and replace the values in angled brackets. Refer to the table that follows the code for the correct values.

Variable	Description	Read-only?
STOREFRONT_DOMAIN	The domain of your store without trailing /. For example, https://store.myshopify.com.	No
MERCHANT_ID	A unique identifier for Apple to identify your business as a merchant able to accept payments. Located within your Xcode project under Signing & Capabilities > Apple Pay > Merchant IDs. If this isn't setup yet, then you can create one.	No
API_VERSION	Version of the REST Admin API to target. Refer to: REST Admin API reference.	No
ADMIN_API_ACCESS_TOKEN	Located within the store settings: Settings > Apps & Sales Channels > Develop Apps > API Credentials > Admin API access token. Only store admins can access this value.	Yes

Anchor to Step 1: Create an Apple Pay resourceStep 1: Create an Apple Pay resource

To begin, you need to generate a new certificate resource, as the certificate won't be immediately available. The response should indicate it's issuing. In this step, you'll check whether the certificate has finished issuing so that you can retrieve the Certificate Signing Request (CSR).

Anchor to Step 2: Retrieve an Apple Pay certificateStep 2: Retrieve an Apple Pay certificate

You can check on the progress of the certificate creation with the following GET request.

If the response shows "status":"csr", then you can move on to the next step.

Anchor to Step 3: Retrieve a Certificate Signing Request (CSR)Step 3: Retrieve a Certificate Signing Request (CSR)

In this step, you'll do the following work to manipulate the data:

• Add new line escape sequences to escape with tr.
• Extract the JSON data with jq.
• Decode the data from base64 and save it to the apple_payment_processing.csr file. This is the file that you'll later upload to Apple.

Anchor to Step 4: Upload a Certificate Signing Request (CSR) to AppleStep 4: Upload a Certificate Signing Request (CSR) to Apple

Complete the following steps:

1. Log in to your Apple Developer account.
2. Under Certificates, Identifiers & Profiles, click the "+" button to create a new certificate.
3. Select the checkbox for Apple Pay Payment Processing Certificate.
   If this is the first certificate you're creating, then you'll be redirected to the creation page, otherwise you might encounter the following page. The Apple Pay Payment Processing Certificate section is the only area you need to focus on. The other sections are for setup on the web.

1. Select Create Certificate and upload the apple_payment_processing.csr file from the previous step in the form.

2. Download the encrypted version of the certificate. The filename is apple_pay.cer.

3. Store the file somewhere securely as you'll upload this file in the next step using the REST Admin API.

Anchor to Step 5: Upload the encrypted certificate using the REST Admin APIStep 5: Upload the encrypted certificate using the REST Admin API

After reading the file into a variable, you can upload it to the REST Admin API with the following commands:

Anchor to Step 6: (Optional) Activate the certificateStep 6: (Optional) Activate the certificate

This step isn't necessary if you're only creating your first certificate, as it will default to active. Only subsequent certificates that you create will start as inactive until explicitly activated. This prevent interruptions of service if your application is in production.

1. Return to the page where the certificate was downloaded from Apple. The URL is: https://developer.apple.com/account/resources/certificates/download/<CERTIFICATE_ID>)

2. Activate the certificate. The modal popup will warn that this should only be performed if this certificate has been setup for payment processing, so unless you missed steps above you can select to activate again.

Anchor to Limitations and considerationsLimitations and considerations

• The payment processing certificate expires every 25 months. You can perform these steps again in order to configure a backup certificate to prevent interruptions of service.
• The merchant identity certificate is only required for Web, and not apps. Refer to Configure Apple Pay capabilities for more information.