Apple Pay Merchant Identifier missing edit link

It's time for me to update my Apple Pay merchant identity and payment processing certificates. The first step is to go to the Certificates, Identifiers and Profiles page and edit the appropriate certificate, but none of them have an edit link, either on the listing or when I click through, despite being signed in with the account that created and owns the certificates. I can download, I can revoke, but I cannot edit.

All the guidance online, published by Apple and anywhere else, as far as I can tell, talks about editing your certificate entries on the Certificates, Identifiers and Profiles page.

Has anyone else seen this and is there a solution? Creating new identities is a much more involved process than simply renewing a certificate, so I'm keen to avoid going down that route.

Many thanks.
I went through and created a test Merchant Identity Certificate, and I do see an option to create an additional Merchant Identity Certificate before the existing certificate expires. For example, "Create an additional certificate to use for this Merchant ID." It sounds like your concern is that creating an additional Merchant Identity Cert and deploying it before your existing certificate expires would be cumbersome. Is that correct? However, for certificate renewal, no matter what type of certificate we are talking about, there typically is a redistribution process of the new certificate to update the expiration date on the server.

Creating new identities is a much more involved process than simply renewing a certificate, so I'm keen to avoid going down that route.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Accepted Answer
The Merchant / Payment Service Provider should be able to support 2 concurrent Certs / Key on their system at a time.

The update process should be something like the following:
  1. Merchant / Payment Service Provider requests and generates a new key pair.

  2. Merchant / Payment Service Provider generates a CSR using the key from step 1.

  3. Merchant uploads CSR to their Apple Merchant ID.

  4. Apple Developer Account generates the Payment Processing Certificate. At this stage the new keys / certificate are dormant on the Apple Developer account, ready to be activated.

  5. Merchant downloads the new Payment Processing Certificate (and provides it to their Payment Service Provider for decryption). The Merchant/PSP should now have two active Cert / Key pairs on the platform.

  6. Merchant activates the new Cert / Key pairs within the Apple Developer Account and this triggers the new keys to be propagated to our data centres and will be used for all new transactions.

  7. Merchant / PSP checks the publicKeyHash for each transaction to identify the appropriate private key to use for decryption.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
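
An added example (not part of the original answer, and not Apple's code) of step 7 while two Payment Processing Certificates are deployed: the token's `header.publicKeyHash` is the Base64-encoded SHA-256 of the certificate's encoded public key, so it can index the private key to use. `PaymentKeyring`, the `hsm:` handle names and the placeholder key bytes are hypothetical.

```python
import base64
import hashlib


class UnknownPaymentKey(Exception):
    """Token was encrypted to a certificate this system holds no key for."""


def public_key_hash(spki_der: bytes) -> str:
    # Base64 of SHA-256 over the certificate's DER-encoded public key,
    # the form carried in the token's header.publicKeyHash field.
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


class PaymentKeyring:
    """Maps publicKeyHash -> private-key handle for concurrent certificates."""

    def __init__(self):
        self._handles = {}

    def add(self, spki_der: bytes, key_handle: str) -> str:
        digest = public_key_hash(spki_der)
        self._handles[digest] = key_handle
        return digest

    def retire(self, digest: str) -> None:
        # Call only once no tokens for the old certificate remain in flight.
        self._handles.pop(digest, None)

    def select(self, token: dict) -> str:
        digest = token.get("header", {}).get("publicKeyHash")
        if not isinstance(digest, str) or digest not in self._handles:
            # Fail closed: never fall back to trying every key in turn.
            raise UnknownPaymentKey(f"no key for publicKeyHash {digest!r}")
        return self._handles[digest]


# Constructed placeholder bytes standing in for each certificate's DER public key.
OLD_SPKI = b"constructed-old-certificate-public-key"
NEW_SPKI = b"constructed-new-certificate-public-key"

keyring = PaymentKeyring()
OLD_HASH = keyring.add(OLD_SPKI, "hsm:apple-pay-old")  # hypothetical handle names
NEW_HASH = keyring.add(NEW_SPKI, "hsm:apple-pay-new")


def token_for(digest: str) -> dict:
    # Constructed token skeleton; real tokens also carry data, signature, version.
    return {"header": {"publicKeyHash": digest}}
```

An `UnknownPaymentKey` error right after activation usually means the new certificate was activated before its private key reached the decrypting system, which is why step 5 precedes step 6.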
Thanks Matt, much appreciated.
No problem! One last thing I should note that I did find out is that it is possible to have 2 Merchant Identity Certificates active at one time for a Merchant Identifier.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Belated thank you - happy to say this worked perfectly. Easier than it was last time. Many thanks Matt.
Hey Matt,

I don't think Apple Pay supports multiple "active" payment processing certificates, as activating one certificate revokes the previously active one.

"Activating this certificate will result in the revocation of all previous certificates generated for this Merchant Identifier. Certificate revocation will cause transaction failure within your app.."
Regarding:

"Activating this certificate will result in the revocation of all previous certificates
generated for this Merchant Identifier. Certificate revocation will cause transaction
failure within your app.."

I took a look around in the Developer Portal today; are you seeing this message when you have more than one Payment Service Provider? For example, in a situation where you have created two PSP Certificates, you have distributed these certificates to your Payment Service Providers, and are about to cut over to the new Certificate to process payments?


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com