Update application certificates

This tutorial explains how to update different certificates for your application.

Signing certificate​

To update your signing certificates, you don't need to do anything in Revolut.

Signing certificates are validated against your JWKs endpoint on every request. This is why you can rotate your signing certificate at any time, as long as it is present in your JWKs endpoint when you issue requests using the new certificate.

For more information on the JWKs endpoint, see Register your application using DCR: Get the JWKs URL.

Transport certificate​

To update transport certificates, a few more steps are involved.

When a new transport certificate is issued, it will potentially have a new distinguished name (DN). This is why the application needs to be updated in order to accept requests made with the new certificate.

Update DN​

There are two ways to update the DN of your certificate.

Via the Developer Portal​

1. Go to Applications in the Developer portal.
2. In the Production tab, click on Submit for production.
3. Attach your new transport certificate. If needed, here you can also update your JWKs endpoint or redirect URLs.
4. Click Continue.

Via DCR​

1. Get the distinguished name of your new transport certificate by calling the /distinguished-name endpoint.

2. Obtain the updated JWT of your application containing the new DN in the tls_client_auth_dn parameter of this JWT.

3. Update your application data by sending the updated JWT.

   warning

   This request must be made with the old transport certificate.

Considerations to avoid service interruption​

When you successfully update the DN of your transport certificate, the old transport certificate no longer works. Only requests made with the new transport certificate will be accepted, so you must start using the new one right away.

If you need extra time to deploy and propagate the new certificate in your infrastructure, we recommend using a secondary application for the rotation:

1. Create a new application with the new transport certificate. This will issue a new Client ID.
2. Start using the new application for new requests, using the new Client ID and new transport certificate.
3. Update the DN of the old application.
4. You can now decide to go back to using the old Client ID or keep the new one.

Need help?​

If you try to update the transport certificate and the DN is not extracted correctly, make a request to the /distinguished-name endpoint. Save the full response to a plaintext file, and email it to our API Support team.