Instructions for working with certificates
1. Preparation and login to your personal account
- Make sure you have the correct login credentials (username and password).
- Open your personal account at: https://merchant.alikassa.com/cabinet/login
- Log in to the system and go to the "Keys" tab in the main menu.
Security tip:
• Use a strong password and enable two-factor authentication (2FA) if possible.
• Log in only from a trusted device and a secure internet connection.
2. Generating new API certificates
- In the "Keys" section, click the "Generate" button.
- Wait for the process to complete.
- The system will automatically create private and public keys.
• Keep your private key in a safe place. Its disclosure may lead to unauthorized access to your services.
• The public key will be used on the server side to verify the authenticity of requests.
3. Saving and updating keys on the server
- After generating the keys, click the "Save" button to save the new key pair in the system.
- Make sure that the saving process went without errors and the system confirmed the successful key update.
If your public key has already been used in another part of the integration, don't forget to update the settings in the code/configurations.
4. Updating keys in your app or code
- Replace the private key in your app/code with the newly generated one.
- Make sure that the saving process went without errors and the system confirmed the successful key update.
- If the integration requires a public key, update it as well.
- Restart the required services or perform the deployment procedure (if necessary).
Keep private keys encrypted (e.g. using a secret manager) and restrict access to them using the principle of least privilege.
Audit your repository regularly to ensure that outdated keys are not being used.
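One way to run this audit, as an added example that is not AliKassa's own code: the Python script below walks a working tree, finds PEM private-key blocks, and compares each one's SHA-256 fingerprint with that of the current key. It assumes keys are stored in PEM format and in the same encoding as the current key; the function names and the sample files are constructed for illustration.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

# Any PEM private-key block: PKCS#1, PKCS#8, EC, or encrypted PKCS#8.
PEM_RE = re.compile(r"-----BEGIN ((?:[A-Z]+ )*PRIVATE KEY)-----(.*?)-----END \1-----", re.S)


def fingerprint(body: str) -> str:
    """SHA-256 of the decoded key bytes, so line wrapping does not matter."""
    return hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()


def audit(root, current_fp):
    """Return (relative path, status) for each PEM private key under root."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        for label, body in PEM_RE.findall(path.read_text(errors="ignore")):
            if label.startswith("ENCRYPTED") or "Proc-Type:" in body:
                status = "encrypted"  # not comparable without the passphrase
            elif fingerprint(body) == current_fp:
                status = "current"    # right key, but stored in plaintext
            else:
                status = "outdated"   # left over from before the rotation
            findings.append((path.relative_to(root).as_posix(), status))
    return findings


def pem(label: str, raw: bytes) -> str:
    """Wrap constructed bytes as a PEM block (sample data, not a real key)."""
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


def demo():
    """Audit a constructed repository tree holding an old and a new key."""
    old, new = b"constructed-old-key" * 4, b"constructed-new-key" * 4
    with tempfile.TemporaryDirectory() as root:
        Path(root, "prod.pem").write_text(pem("PRIVATE KEY", new))
        Path(root, "legacy.py").write_text('KEY = """' + pem("RSA PRIVATE KEY", old) + '"""\n')
        Path(root, "vault.pem").write_text(pem("ENCRYPTED PRIVATE KEY", b"x" * 64))
        return audit(root, hashlib.sha256(new).hexdigest())


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A key reported as current is still sitting in plaintext in the tree and belongs in the secret manager. A re-encoded copy of the same key (for example PKCS#1 versus PKCS#8) hashes differently and is reported as outdated.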
5. Checking the correct operation
- Make a test request to your API using the new certificates.
- Verify that authentication and request signing are successful.
- If errors occur, check the server logs and configuration files of your application.
If a sandbox environment is available, perform all initial testing there.
For 401/403 errors (Unauthorized/Forbidden), double-check the signature and that the keys match.
6. Additional recommendations
- Check out the official documentation to understand all the nuances of working with certificates and endpoints.
- Use separate key pairs for different environments (production and staging) to reduce the risk of leakage.
- Set up regular key rotation (e.g. quarterly) to minimize potential threats associated with long-term use of the same key pair.