The XiSecure web service uses client certificates to identify the source of the web service call. You generate a CSR which also generates a private key. The CSR is sent to B2B Payments. B2B Payments generates the signed client certificate (.pem file) which is downloaded from the Merchant Portal once it is processed.

You save the signed client certificate and the private key to a secure location on a machine to which your client application has access. These files are then referenced in the SOAP header of your web service calls for non-SAP implementations or in PAS for SAP implementations.

Prerequisite if replacing a certificate

Rename the existing certificate to invalidate it and save as temporary backup. (oldMyCert.pem for example)

How to create a CSR

Perform the following steps to generate the CSR and private key:


If any On-Demand Service for a given environment is a Requested state, then the top level status for the environment will indicate requested. See Onboarding Setup Request Statuses.

1.Obtain openssl.

Note: if running under Linux, then it is likely that openssl is already installed.

For Windows, download the full openssl installer from the following site:

Using Windows installs it in C:\OpenSSL by default.
Note that the openssl binary that referenced throughout the rest of the certificate creation process can be found in C:\OpenSSL\bin.
       After openssl is installed, the process to create a certificate is the same on both Windows and Linux.

2.Navigate to the desired folder where you want the certificate to reside.

3.To generate a private key and a client certificate signing request, execute the following command:

openssl req -new -out companyname_qa.csr -keyout companyname_qa.privkey.pem

Replace companyname_qa with the file name you want. It should represent your company name and environment.

4.You are prompted for a private key password. Enter a secure a password.

a.Please make note of this password. You will need it to configure PAS for SAP implementations.

5.You are prompted for identifying information. Complete the fields with your desired values.

6.Leave the requested “extra” attributes blank.

7.Upon completion of the command, two files are created: company_qa.privkey.pem and company_qa.cert.csr.

a.Send the *.cert.csr file to B2B Payments.

i.If this is the first time you are creating a CSR, see Perform a New XiSecure Onboarding Request.

ii.If this is a replacement certificate, see Renew or Replace XiSecure Certificate.

b.Do NOT send the *.privkey.pem file to B2B Payments. Move this file to the certificate directory.