This tutorial explains how to update different certificates for your application.
To update your signing certificates, you don't need to do anything in Revolut.
Signing certificates are validated against your JWKs endpoint on every request. This is why you can rotate your signing certificate at any time, as long as it is present in your JWKs endpoint when you issue requests using the new certificate.
After you have added your new signing certificate to your JWKs endpoint, make sure you start using the new kid in every JWT or JWS that you include in your requests.
For more information on the JWKs endpoint, see Register your application using DCR: Get the JWKs URL.
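The condition above (the new kid must already be published in your JWKs endpoint before you sign with it) can be checked before a request is sent. The following is an added example, not Revolut's code: the function names, the kid values and the embedded JWKS are constructed for illustration, and in practice the JWKS would be the document served by your own JWKs endpoint.

```python
from __future__ import annotations
import base64
import json


def jws_header(token: str) -> dict:
    """Decode the protected header of a compact JWT/JWS without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated parts")
    padded = parts[0] + "=" * (-len(parts[0]) % 4)  # restore base64url padding
    header = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(header, dict):
        raise ValueError("JWS header is not a JSON object")
    return header


def check_kid_published(token: str, jwks: dict) -> tuple[bool, str]:
    """Return (ok, reason): is the token's kid a unique signing key in the JWKS?"""
    kid = jws_header(token).get("kid")
    if not kid:
        return False, "token header has no kid"
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if not matches:
        return False, f"kid {kid!r} is not published in the JWKS"
    if len(matches) > 1:
        return False, f"kid {kid!r} appears more than once in the JWKS"
    if matches[0].get("use", "sig") != "sig":
        return False, f"kid {kid!r} is published but not for signing"
    return True, f"kid {kid!r} is published"


def _b64u(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample data (not real keys): during rotation both kids are published.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "old-2023", "n": "placeholder", "e": "AQAB"},
    {"kty": "RSA", "use": "sig", "kid": "new-2024", "n": "placeholder", "e": "AQAB"},
]}


def sample_token(kid):
    """Build an unsigned, constructed token whose header carries the given kid."""
    return f"{_b64u({'alg': 'PS256', 'kid': kid})}.{_b64u({'iss': 'example'})}.c2ln"
```

Running this check in the deployment step that switches signing keys catches the case where the signer starts using a kid that the JWKs endpoint does not serve yet.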
To update transport certificates, you might need to update your application's configuration.
When a new transport certificate is issued, it can potentially have a new distinguished name (DN). If it does, the application must be updated in order to accept requests made with the new certificate.
To check if the DN of your transport certificate has changed, call the /distinguished-name endpoint once with your old transport certificate and once with your new one.
If both certificates return exactly the same DN (tls_client_auth_dn), then no change is required in Revolut, and you can start using your new certificate right away.
There are two ways to update the DN of your certificate.
Get the distinguished name of your new transport certificate by calling the /distinguished-name endpoint.
Obtain the updated JWT of your application containing the new DN in the tls_client_auth_dn parameter of this JWT.
Update your application data by sending the updated JWT.
This request must be made with the old transport certificate.
If your old transport certificate has already expired, this method will not work. In such a case, please update the DN via the Developer Portal, or contact our API Support team.
When you successfully update the DN of your transport certificate, the old transport certificate no longer works. Only requests made with the new transport certificate will be accepted, so you must start using the new one right away.
If you need extra time to deploy and propagate the new certificate in your infrastructure, we recommend using a secondary application for the rotation:
Each consent is associated with the Client ID that was used to create it. You must provide the correct Client ID when managing existing consents.
If you try to update the transport certificate and the DN is not extracted correctly, make a request to the /distinguished-name endpoint.
Save the full response to a plaintext file, and email it to our API Support team.