✅ IMPORTANT: You need two things from the beginning
1. The Merchant Identity Certificate
File: merchant_identity.cer
Downloaded from Apple’s developer portal.
2. The private key that matches this certificate
This key is created on YOUR machine when you generate the Certificate Signing Request (CSR).
If you do not have the private key anymore,
you must revoke the certificate and generate a new one.
You cannot reconstruct the key from Apple’s .cer.
✅ Step 1 — Convert the .cer to PEM format
Apple’s .cer file is in X.509 / DER format.
Convert it to PEM:
```sh
openssl x509 -in merchant_identity.cer -inform der -out merchant_identity_cert.pem -outform pem
```
This creates:
```
merchant_identity_cert.pem
```
This is the public certificate in PEM format.
✅ Step 2 — Extract the private key (if you have it inside a .p12 file)
When you generated the certificate inside Keychain Access,
you probably exported it to a .p12:
Example file: merchant_identity.p12
To extract the private key:
```sh
openssl pkcs12 -in merchant_identity.p12 -nocerts -out merchant_identity_key.pem
```
This will ask for:
The password you set when exporting the .p12
A new password to protect the PEM key (you can remove it later)
If you want to remove the password from the key:
```sh
openssl rsa -in merchant_identity_key.pem -out merchant_identity_key_unencrypted.pem
mv merchant_identity_key_unencrypted.pem merchant_identity_key.pem
```
🚨 Important Clarification
If you never exported a .p12
and you only have merchant_identity.cer,
you do not have the private key.
The certificate is useless for server authentication without its private key.
Apple Pay merchant validation requires:
```sh
curl \
--cert merchant_identity_cert.pem \
--key merchant_identity_key.pem
```
So if you lost the key → create a new certificate.
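A pre-flight check for the two PEM files from Steps 1 and 2, added here as an example and not part of the original instructions: it confirms the key belongs to the certificate and flags an unencrypted key that other users can read. The function names are hypothetical, and `openssl` is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example: pre-flight checks on the merchant identity PEM files
# before they are passed to curl --cert / --key. Function names are made up.

# spki_digest: SHA-256 of the public key (PEM on stdin), as DER SubjectPublicKeyInfo.
spki_digest() {
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 -r | cut -d' ' -f1
}

# cert_key_match CERT KEY [PASSIN]
# 0 = KEY belongs to CERT, 1 = mismatch, 2 = a file could not be parsed.
# PASSIN is an openssl pass-phrase source (e.g. env:KEY_PASS); the default
# "pass:" supplies an empty pass phrase so openssl never stops to prompt.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -passin "${3:-pass:}" -pubout 2>/dev/null) || return 2
    c=$(printf '%s\n' "$cert_pub" | spki_digest)
    k=$(printf '%s\n' "$key_pub" | spki_digest)
    [ -n "$c" ] && [ "$c" = "$k" ] || return 1
}

# key_is_encrypted KEY: 0 if the PEM key is still pass-phrase protected.
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# key_is_private KEY: 0 if group and others have no permission bits set.
key_is_private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# preflight CERT KEY [PASSIN]: 0 = usable, 1/2 as above, 3 = exposed key file.
preflight() {
    rc=0
    cert_key_match "$1" "$2" "${3:-}" || rc=$?
    case $rc in
        1) echo "key does not belong to this certificate" >&2; return 1 ;;
        2) echo "cannot parse certificate or key (wrong pass phrase?)" >&2; return 2 ;;
    esac
    if ! key_is_encrypted "$2" && ! key_is_private "$2"; then
        echo "unencrypted key is readable by group/others: chmod 600 it" >&2
        return 3
    fi
    echo "ok: certificate and key match"
}
```

Call it as `preflight merchant_identity_cert.pem merchant_identity_key.pem`, adding a pass-phrase source as a third argument if the key is still encrypted.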
🎯 Summary
| File You Have | What It Contains | What You Generate |
| --- | --- | --- |
| merchant_identity.cer | Public cert (DER) | merchant_identity_cert.pem |
| merchant_identity.p12 | Public cert + private key | merchant_identity_key.pem |
| CSR file | Key request | Not used again |