Interaction over SSL
To authenticate your connections to the YooMoney servers, you need a certificate issued by the verification center of NBCO YooMoney LLC (NBCO YooMoney). To get the certificate, create a certificate request (in CSR format), fill out the certificate request application form, and email the request and certificate application to your YooMoney manager.
 
Getting an SSL certificate
To generate a certificate request in CSR format, use OpenSSL.
Step 1. Creating a private key
Run the command:
openssl genrsa -aes256 -out private.key 2048
Enter a passphrase and confirm it. The value 12345 below only illustrates the prompt; choose a strong passphrase for a real key. For instance:
Enter pass phrase for private.key: 12345
Verifying - Enter pass phrase for private.key: 12345
The private.key file will be created in the directory where the command was run.
Step 2. Creating a CSR request for a certificate
Run the command:
openssl req -new -key private.key -out request.csr
Enter the required parameters for the certificate request. Use only Latin characters.
When creating a CSR request in Windows, the command must specify the path to the OpenSSL configuration file. To do this, add -config "{path}" before -out in the command. Command example:
openssl req -new -key private.key -config "C:\openssl-WIN32\openssl.cnf" -out request.csr
Example of filling in certificate request parameters
| Parameter | Value | Note |
|---|---|---|
| Country Name (2 letter code) [AU]: | RU | Required |
| State or Province Name (full name): | Russia | Required |
| Locality Name (eg, city) []: | Moscow | Optional |
| Organization Name (eg, company) [Internet Widgits Pty Ltd]: | OOO Predpriyatie | Required parameter for the certificate request. Only use Latin characters. |
| Organizational Unit Name (eg, section) []: | | Optional |
| Common Name (eg, YOUR name) []: | /business/predpriyatie | Required. /business/ is a required part of this parameter that shouldn't be changed. It can be followed by any Latin letters without spaces. For example, the name of your company in Latin letters. |
| Email Address: | predpriyatie@example.com | Required |
The request.csr file will be created in the directory where the command was run.
Step 3. Getting a digital signature for the certificate request application
To fill in the certificate request application, you need the digital signature of the request, which is contained in the request.csr file.
To get a digital signature, run the command:
openssl req -in request.csr -noout -text
The text representation of the digital signature is the part of the output after the string Signature Algorithm: sha1WithRSAEncryption. For instance:
Signature Algorithm: sha1WithRSAEncryption
5b:67:42:8c:5a:a7:bc:bf:05:99:77:39:2e:e7:e7:5d:8e:47:
09:e9:5a:46:62:3c:b1:63:2a:de:06:26:54:a4:12:b4:17:b2:
ca:ff:f4:3f:c0:09:ee:7a:88:5b:b9:f5:04:cb:24:bd:5f:bd:
3b:f7:38:54:71:1c:fe:98:17:66:ae:72:2d:8a:31:34:94:30:
58:ad:79:60:e5:ca:24:83:8b:c7:96:11:c6:d9:c9:6e:7a:b0:
83:20:96:96:08:72:38:3e:24:dc:30:35:f7:85:f4:d3:21:62:
13:44:1f:49:2a:d3:c2:73:2d:3b:fc:07:3f:20:8e:d3:c1:c8:
4c:3b:69:a3:24:56:1e:5c:9c:2f:eb:83:97:80:8b:25:5d:6a:
63:80:59:24:c0:1a:b5:ed:9f:fa:b9:6d:38:dc:6b:ff:29:9e:
24:b7:95:07:37:a9:71:90:ad:b7:51:d6:0e:62:82:5d:39:8a:
f2:4a:06:db:5e:2c:ae:4f:c8:76:2b:ee:e9:13:04:e3:72:c8:
6b:26:61:6c:aa:07:c1:3f:3c:b0:92:b0:29:5f:74:14:7c:34:
77:c8:c6:7a:2f:33:55:c5:0f:1d:e0:b7:8a:d9:84:d7:78:fb:
59:22:e0:58:49:97:16:f2:77:58:8b:8a:af:f2:af:43:b1:fa:
27:58:e1:c2
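Steps 1 to 3 run non-interactively, as an added example that is not part of the YooMoney documentation. It assumes a constructed passphrase in the KEY_PASS variable and hypothetical helper names (make_csr, csr_subject, csr_signature). The signature extraction matches any algorithm name, because current OpenSSL releases sign requests with SHA-256 by default and print sha256WithRSAEncryption instead of the string shown above.

```shell
#!/bin/sh
# Added example: non-interactive equivalent of Steps 1-3 (not YooMoney's own script).
set -eu
umask 077   # files created below, including private.key, are owner-only

# Constructed passphrase for the demo only; in practice supply it from a
# prompt or a secrets store, never from the script itself.
KEY_PASS='constructed-demo-passphrase'
export KEY_PASS

# make_csr DIR: create DIR/private.key (AES-256 encrypted) and DIR/request.csr.
make_csr() {
    openssl genrsa -aes256 -passout env:KEY_PASS -out "$1/private.key" 2048
    # -subj uses "/" as the field separator, but the required Common Name
    # itself starts with /business/, so each "/" inside the CN is escaped.
    openssl req -new -key "$1/private.key" -passin env:KEY_PASS \
        -subj '/C=RU/ST=Russia/L=Moscow/O=OOO Predpriyatie/CN=\/business\/predpriyatie/emailAddress=predpriyatie@example.com' \
        -out "$1/request.csr"
}

# csr_subject FILE: print the subject in RFC 2253 form, which has the same
# layout across OpenSSL versions, to confirm the CN survived the escaping.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}

# csr_signature FILE: print the signature as one colon-separated hex line,
# ready to paste into the application form. Collects the hex lines that
# follow "Signature Algorithm:", whatever algorithm name is printed.
csr_signature() {
    openssl req -in "$1" -noout -text |
        awk '/Signature Algorithm:/ { on = 1; next }
             on && /^[ \t]*[0-9a-f:]+[ \t]*$/ { gsub(/[ \t]/, ""); printf "%s", $0 }
             END { print "" }'
}

workdir=$(mktemp -d)
make_csr "$workdir"
csr_subject "$workdir/request.csr"
csr_signature "$workdir/request.csr"
```

When the Common Name is typed at the interactive prompt, as in Step 2, no escaping is needed; it is only required in the -subj form.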
Step 4. Filling out the certificate application
Download the certificate application, fill it in, and print it. Sign it and stamp your seal on it. Scan it.
| Parameter | Description |
|---|---|
| CN | Must match the value of the Common Name (eg, YOUR name). For example, /business/predpriyatie. |
| Digital signature of the certificate request | The text representation received during the previous step. |
| Name of the organization in Latin letters | Must match the value of the Organization Name (eg, company) [Internet Widgits Pty Ltd]. |
| Reason for request | Possible reasons: Initial (for obtaining the first certificate); Planned replacement (to replace a certificate that has expired); Replacement (for replacing a previously issued certificate after a security breach); Adding server (for using a new certificate on additional servers or services). |
| Contact person | Contact information for a specialist in case questions arise about the issued certificate. |
| Email address | Address to send the issued certificate to. |
Step 5. Sending the request and application for a certificate to YooMoney
Email the certificate request file (request.csr) and scanned application to your YooMoney manager.
The certificate will be issued within 2 business days.
Step 6. Installing the certificate
In response to the request, your manager from YooMoney will send a file with the certificate. The certificate is valid for 1 year.
What to do next:
  1. Place the certificate on your server.
  2. Add the path to the certificate in the configurations of the scripts that interact with YooMoney.
  3. If you verify the end server certificate, download the certification chain (certificates of the NBCO YooMoney certificate authorities) and add them to the list of trusted root and intermediate certificate authorities in your system.
If necessary, you can store the private key and certificate pair in a single encrypted PKCS#12 file. To make a file like this, use the command:
openssl pkcs12 -export -in username.crt -inkey private.key -out username.p12
For more information about installing the certificate, contact the activation manager.
Using SSL certificates
You need to:
  • Use the CA chain to check the authenticity of the YooMoney servers, and do not establish a connection if verification was not successful.
  • Use your private key and certificate when establishing connections to YooMoney servers.
  • Maintain the confidentiality of the private key.
  • Keep track of the certificate’s expiration date.
Recommendations:
  • We additionally recommend cross-checking the YooMoney server certificates against the list of revoked certificates (Certificate Revocation List, CRL).
  • We recommend that each service that needs to access the YooMoney servers get its own certificate. But one certificate can be used for all services.
If the certificate expires or is compromised, you can get a new one.
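Two checks that support the requirements above, as an added example that is not part of the YooMoney documentation: confirming that the installed private key belongs to the issued certificate, and detecting an approaching expiration date early enough to request a planned replacement. The function names, the KEY_PASS variable and the self-signed certificate are constructed for the demonstration; in practice the checks run against the certificate file received from YooMoney.

```shell
#!/bin/sh
# Added example: deployment and monitoring checks for the client certificate.
set -eu
umask 077

# cert_valid_for CERT DAYS: succeeds if CERT is still valid DAYS days from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# key_matches_cert KEY CERT: succeeds if the public key derived from the
# private key equals the public key in the certificate.
# The key passphrase, if any, is read from the KEY_PASS variable.
key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -passin env:KEY_PASS -pubout)
    from_cert=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$from_key" = "$from_cert" ]
}

# Constructed test material: a self-signed certificate valid for 20 days
# stands in for the issued one, and other.key is an unrelated key.
KEY_PASS='constructed-demo-passphrase'
export KEY_PASS
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -passout env:KEY_PASS -days 20 \
    -subj '/CN=constructed-demo' \
    -keyout "$demo/private.key" -out "$demo/username.crt" 2>/dev/null
openssl genrsa -out "$demo/other.key" 2048 2>/dev/null

cert_valid_for "$demo/username.crt" 7 &&
    echo "certificate is valid for at least 7 more days"
cert_valid_for "$demo/username.crt" 30 ||
    echo "certificate expires within 30 days: request a planned replacement"
key_matches_cert "$demo/private.key" "$demo/username.crt" &&
    echo "private.key matches username.crt"
key_matches_cert "$demo/other.key" "$demo/username.crt" ||
    echo "other.key does not match username.crt"
```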
See also
Error codes