Interaction over SSL
To authenticate your connections to the YooMoney servers, you need a certificate issued by the verification center of NBCO YooMoney LLC (NBCO YooMoney). To get the certificate, create a certificate request (in CSR format), fill out the certificate request application form, and email the request and certificate application to your YooMoney manager.
Getting an SSL certificate
To generate a certificate request in CSR format, use OpenSSL.
Step 1. Creating a private key
Run the command:
openssl genrsa -aes256 -out private.key 2048
Enter a pass phrase and confirm it. For instance:
Enter pass phrase for private.key: 12345
Verifying - Enter pass phrase for private.key: 12345
A private.key file will be created in the directory where the command was run. This is confidential information: keep the private key secret. The file is encrypted and protected by the pass phrase, but that only protects it at rest; choose a strong pass phrase (the 12345 above is an illustration, not a recommendation), restrict the file's permissions, and never send the key anywhere. Only the certificate request created in the next step is sent to YooMoney.
Step 2. Creating a CSR request for a certificate
Run the command:
openssl req -new -key private.key -out request.csr
Enter the required parameters for the certificate request. Use only Latin characters.
When creating a CSR request on Windows, the command must also specify the path to the OpenSSL configuration file, because the Windows build has no default location for it. To do this, add -config "{path}" before -out. Command example:
openssl req -new -key private.key -config "C:\openssl-WIN32\openssl.cnf" -out request.csr
Example of filling in certificate request parameters
Parameter | Value | Note |
---|---|---|
Country Name (2 letter code) [AU]: | RU | Required |
State or Province Name (full name): | Russia | Required |
Locality Name (eg, city): []: | Moscow | Optional |
Organization Name (eg, company) [Internet Widgits Pty Ltd]: | OOO Predpriyatie | Required. Only use Latin characters. |
Organizational Unit Name (eg, section) []: | | Optional |
Common Name (eg, YOUR name) []: | /business/predpriyatie | Required. /business/ — Required part of this parameter that shouldn’t be changed. It can be followed by any Latin letters without spaces. For example, the name of your company in Latin letters. |
Email Address: | predpriyatie@example.com | Required |
The request.csr file will be created in the directory where the command was run.
Step 3. Getting the digital signature for the certificate request application
The certificate request application asks for the digital signature of the request. This is the signature OpenSSL placed on the CSR with your private key; it uniquely identifies the request, and it is carried over into the certificate file, so YooMoney uses it to match the application to the CSR.
To get a digital signature, run the command:
openssl req -in request.csr -noout -text
The text representation of the digital signature is the part of the output after the line
Signature Algorithm: sha1WithRSAEncryption
Note that current OpenSSL versions sign requests with SHA-256 by default, so this line may read Signature Algorithm: sha256WithRSAEncryption instead (and OpenSSL 3 adds a Signature Value: line before the bytes); the colon-separated hex bytes that follow are what you need. For instance:
Signature Algorithm: sha1WithRSAEncryption
5b:67:42:8c:5a:a7:bc:bf:05:99:77:39:2e:e7:e7:5d:8e:47:
09:e9:5a:46:62:3c:b1:63:2a:de:06:26:54:a4:12:b4:17:b2:
ca:ff:f4:3f:c0:09:ee:7a:88:5b:b9:f5:04:cb:24:bd:5f:bd:
3b:f7:38:54:71:1c:fe:98:17:66:ae:72:2d:8a:31:34:94:30:
58:ad:79:60:e5:ca:24:83:8b:c7:96:11:c6:d9:c9:6e:7a:b0:
83:20:96:96:08:72:38:3e:24:dc:30:35:f7:85:f4:d3:21:62:
13:44:1f:49:2a:d3:c2:73:2d:3b:fc:07:3f:20:8e:d3:c1:c8:
4c:3b:69:a3:24:56:1e:5c:9c:2f:eb:83:97:80:8b:25:5d:6a:
63:80:59:24:c0:1a:b5:ed:9f:fa:b9:6d:38:dc:6b:ff:29:9e:
24:b7:95:07:37:a9:71:90:ad:b7:51:d6:0e:62:82:5d:39:8a:
f2:4a:06:db:5e:2c:ae:4f:c8:76:2b:ee:e9:13:04:e3:72:c8:
6b:26:61:6c:aa:07:c1:3f:3c:b0:92:b0:29:5f:74:14:7c:34:
77:c8:c6:7a:2f:33:55:c5:0f:1d:e0:b7:8a:d9:84:d7:78:fb:
59:22:e0:58:49:97:16:f2:77:58:8b:8a:af:f2:af:43:b1:fa:
27:58:e1:c2
Step 4. Filling out the certificate application
Download the certificate application form, fill it in, and print it. Sign it, stamp it with your company seal, and scan it.
Parameter | Description |
---|---|
CN | Must match the value of Common Name (eg, YOUR name). For example, /business/predpriyatie. |
Digital signature of the certificate request | The text representation obtained in the previous step. |
Name of the organization in Latin letters | Must match the value of Organization Name (eg, company) [Internet Widgits Pty Ltd]. |
Reason for request | Possible reasons: |
Contact person | Contact information for a specialist in case questions arise about the issued certificate. |
Email address | Address to send the issued certificate to. |
Step 5. Sending the request and application for a certificate to YooMoney
Email the certificate request file (request.csr) and the scanned application to your YooMoney manager. The certificate will be issued within 2 business days.
Step 6. Installing the certificate
In response to the request, your manager from YooMoney will send a file with the certificate. The certificate is valid for 1 year.
What to do next:
- Place the certificate on your server.
- Add the path to the certificate in the configurations of the scripts that interact with YooMoney.
- To verify the YooMoney server certificate (which you should do; see "Using SSL certificates" below), download the certification chain (the certificates of the NBCO YooMoney certificate authorities) and add them to the list of trusted root and intermediate certificate authorities on your system, or pass the chain file directly to your TLS client.
If necessary, you can store the private key and certificate pair in a single encrypted PKCS#12 file. To create such a file, use the command:
openssl pkcs12 -export -in username.crt -inkey private.key -out username.p12
You will be prompted for the private key's pass phrase and for an export password for the new file. The .p12 file contains the private key, so protect it exactly as you protect private.key.
For more information about installing the certificate, contact the activation manager.
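The whole procedure from steps 1 to 3 (plus the optional PKCS#12 packaging from step 6), as an added example that is not YooMoney's own tooling. It runs non-interactively: the pass phrase comes from the SSL_KEY_PASS environment variable (a throwaway default is used for the demo), -subj replaces the interactive prompts, and the signature for the application form is extracted with awk. The company name and e-mail address are the page's placeholders; the self-signed certificate used to exercise the PKCS#12 command is a constructed stand-in for the certificate YooMoney will actually issue. It assumes OpenSSL 1.1.1 or 3.x on PATH.

```shell
#!/bin/sh
# Added example, not YooMoney's code: steps 1-3 of the page, run end to end
# without prompts, plus the PKCS#12 packaging from step 6 on a stand-in cert.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/private.key"
CSR="$WORKDIR/request.csr"
# Demo pass phrase (assumption): in production take it from a secret store or
# let openssl prompt for it; the page's "12345" is only an illustration.
PASS="${SSL_KEY_PASS:-demo-pass-phrase-change-me}"

# Step 1: 2048-bit RSA key, AES-256-encrypted under the pass phrase.
make_private_key() {
    openssl genrsa -aes256 -passout "pass:$PASS" -out "$KEY" 2048 2>/dev/null
    chmod 600 "$KEY"
}

# Step 2: the CSR. -subj replaces the interactive prompts (and sidesteps the
# Windows -config issue). The CN must begin with "/business/", so the slashes
# inside it are backslash-escaped because "/" is also -subj's field separator.
make_csr() {
    openssl req -new -key "$KEY" -passin "pass:$PASS" \
        -subj '/C=RU/ST=Russia/L=Moscow/O=OOO Predpriyatie/CN=\/business\/predpriyatie/emailAddress=predpriyatie@example.com' \
        -out "$CSR"
}

# Step 3: the signature value the application form asks for. Current OpenSSL
# labels it sha256WithRSAEncryption (the page shows sha1), so we key on the
# "Signature Algorithm:" label and collect the hex lines that follow it,
# skipping OpenSSL 3's "Signature Value:" line. Output: one colon-separated line.
csr_signature() {
    openssl req -in "$CSR" -noout -text |
    awk '/Signature Algorithm:/ { found = 1; next }
         found && /^[[:space:]]*[0-9a-f][0-9a-f]:[0-9a-f]/ {
             gsub(/[[:space:]]/, ""); printf "%s", $0 }
         END { print "" }'
}

# Check before e-mailing: the CSR's self-signature must verify with the public
# key embedded in it, which proves the request was made with private.key.
verify_csr() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

# Subject as it will appear in the issued certificate; compare it with the
# CN and organization fields you put on the application form.
csr_subject() {
    openssl req -in "$CSR" -noout -subject
}

# Step 6 (optional): key + certificate in one PKCS#12 file. The real
# certificate comes from YooMoney; a self-signed stand-in minted from the CSR
# lets the packaging command run offline. Treat the .p12 like the key itself.
make_pkcs12() {
    crt="$WORKDIR/username.crt"
    openssl x509 -req -in "$CSR" -signkey "$KEY" -passin "pass:$PASS" \
        -days 1 -out "$crt" 2>/dev/null
    openssl pkcs12 -export -in "$crt" -inkey "$KEY" -passin "pass:$PASS" \
        -passout "pass:$PASS" -out "$WORKDIR/username.p12"
    chmod 600 "$WORKDIR/username.p12"
}

# Read back the certificate from the .p12 to confirm the bundle is usable.
p12_subject() {
    openssl pkcs12 -in "$WORKDIR/username.p12" -passin "pass:$PASS" \
        -nokeys -clcerts 2>/dev/null | openssl x509 -noout -subject
}

main() {
    make_private_key
    make_csr
    verify_csr && echo "CSR self-signature OK"
    csr_subject
    echo "Signature for the application form:"
    csr_signature
    make_pkcs12
    echo "Created in $WORKDIR: private.key request.csr username.p12"
}
main
```

On Windows the same commands work once -config "{path}" is added to the openssl req call, as described in step 2. The signature printed by csr_signature is what goes into the "Digital signature of the certificate request" field of the application.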
Using SSL certificates
You need to:
- Use the CA chain to verify the authenticity of the YooMoney servers, and do not establish a connection if verification fails.
- Use your private key and certificate when establishing connections to YooMoney servers.
- Maintain the confidentiality of the private key.
- Keep track of the certificate’s expiration date.
Recommendations:
- We additionally recommend checking the YooMoney server certificates against the list of revoked certificates (Certificate Revocation List, CRL).
- We recommend that each service that needs to access the YooMoney servers gets its own certificate, so that a compromise or expiry affects only that service; using one certificate for all services is, however, allowed.
If the private key is compromised, you must inform your YooMoney manager so that the certificate can be revoked.
If the certificate expires or is compromised, request a new one by repeating the steps above.
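The client-side checks this section asks for, as an added example that is not YooMoney code: chain (and optional CRL) verification with openssl verify, an expiry check suitable for a cron job, and the curl invocation for the mutual-TLS call itself. Assumed inputs are chain.pem (the NBCO YooMoney CA chain the page says to download), username.crt and private.key (your issued certificate and key), an optional CRL file, and a YOOMONEY_URL environment variable standing in for the API endpoint, which the page does not give. The offline demo at the end uses two constructed self-signed certificates, so it runs without network access.

```shell
#!/bin/sh
# Added example, not YooMoney code: verify-then-connect helpers around
# openssl and curl, plus an offline demo on constructed self-signed certs.
set -eu

# Verify a server certificate against the CA chain and, if given, a CRL.
# Non-zero exit means "do not connect".
# Usage: verify_server_cert chain.pem server.pem [crl.pem]
verify_server_cert() {
    chain=$1; cert=$2; crl=${3:-}
    if [ -n "$crl" ]; then
        openssl verify -CAfile "$chain" -crl_check -CRLfile "$crl" "$cert" >/dev/null 2>&1
    else
        openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1
    fi
}

# Fetch the leaf certificate a host presents (for verify_server_cert or an
# expiry look). Needs network, so the offline demo does not call it.
fetch_server_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509
}

# True (exit 0) when the certificate expires within N days. Run it from cron
# against username.crt so the 1-year certificate is renewed in time.
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# The mutual-TLS call: our key and certificate authenticate us, the YooMoney
# chain (and CRL) authenticate the server. curl aborts on any verification
# failure, which is the behaviour the page requires. YOOMONEY_URL and
# SSL_KEY_PASS are placeholders you set; with an unencrypted key drop --pass.
yoomoney_request() {
    curl --fail --silent --show-error \
        --cacert chain.pem --crlfile yoomoney.crl \
        --cert username.crt --key private.key --pass "$SSL_KEY_PASS" \
        "$YOOMONEY_URL" "$@"
}

# Offline demo with two constructed self-signed certificates: "good" chains to
# itself, "other" is an unrelated CA, and a 10-day lifetime trips a 30-day
# renewal warning but not a 5-day one.
DEMO="${DEMO:-$(mktemp -d)}"
make_demo_certs() {
    for name in good other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 10 -subj "/CN=$name" \
            -keyout "$DEMO/$name.key" -out "$DEMO/$name.crt" 2>/dev/null
    done
}

demo() {
    make_demo_certs
    verify_server_cert "$DEMO/good.crt" "$DEMO/good.crt" && echo "good.crt: chain OK, may connect"
    verify_server_cert "$DEMO/other.crt" "$DEMO/good.crt" || echo "good.crt vs other CA: verification failed, refuse to connect"
    expires_within_days "$DEMO/good.crt" 30 && echo "good.crt: expires within 30 days, request renewal"
    expires_within_days "$DEMO/good.crt" 5 || echo "good.crt: not expiring within 5 days"
}
demo
```

Passing the pass phrase with --pass exposes it in the process list; on a production host either keep the key unencrypted with 0600 permissions under a dedicated service account, or have the client read the pass phrase from a secret store rather than a shell variable. The CRL file must be refreshed regularly or the --crlfile check will reject certificates issued after its nextUpdate.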