This tutorial explains how to update different certificates for your application.
To update your signing certificates, you don't need to do anything in Revolut.
Signing certificates are validated against your JWKs endpoint on every request. This is why you can rotate your signing certificate at any time, as long as it is present in your JWKs endpoint when you issue requests using the new certificate.
For more information on the JWKs endpoint, see Register your application using DCR: Get the JWKs URL.
To update transport certificates, a few more steps are involved.
When a new transport certificate is issued, it will potentially have a new distinguished name (DN). This is why the application needs to be updated in order to accept requests made with the new certificate.
There are two ways to update the DN of your certificate.
Get the distinguished name of your new transport certificate by calling the /distinguished-name
endpoint.
Obtain the updated JWT of your application containing the new DN in the tls_client_auth_dn
parameter of this JWT.
Update your application data by sending the updated JWT
.
This request must be made with the old transport certificate.
If your old transport certificate has already expired, this method will not work. In such a case, please update the DN via the Developer Portal, or contact our API Support team.
When you successfully update the DN of your transport certificate, the old transport certificate no longer works. Only requests made with the new transport certificate will be accepted, so you must start using the new one right away.
If you need extra time to deploy and propagate the new certificate in your infrastructure, we recommend using a secondary application for the rotation:
Each consent is associated with the Client ID that was used to create it. You must provide the correct Client ID when managing existing consents.
If you try to update the transport certificate and the DN is not extracted correctly, make a request to the /distinguished-name
endpoint.
Save the full response to a plaintext file, and email it to our API Support team.