Enable Mutual Authentication

OAuth uses mutual authentication to provide an additional layer of security. Mutual authentication occurs when a client and server verify each other's identities simultaneously. To enable mutual authentication, you must use a server-to-server certificate issued by a trusted Certificate Authority (CA). Before you can register your application with Cybersource, you must obtain a certificate from one of these supported DigiCert CAs and enable mutual authentication:
Supported DigiCert CAs:
  • X9 Financial PKI – ECC P-256 Root
  • X9 Financial PKI – RSA 2048 Root
  • X9 Financial PKI – RSA 4096 Root
Contact support to obtain a certificate from DigiCert:
https://www.digicert.com/contact-us
Deprecated DigiCert CAs:
  • DigiCert Assured ID Root G2
  • DigiCert Global G2 TLS RSA SHA256 2020 CA1
  • DigiCert High Assurance EV Root CA
  • DigiCert SHA2 Extended Validation Server CA
DigiCert has announced that the Client Authentication EKU will be removed from public TLS certificates to comply with industry requirements. Without this EKU, certificates cannot be used for client authentication in mTLS, which is essential for secure OAuth integrations. For more information, see the "Sunsetting the client authentication EKU from DigiCert public TLS certificates" article.
IMPORTANT
If your current integration uses a deprecated DigiCert CA, obtain one of the supported certificates when your existing certificates expire or are due for renewal.

Set Up Tasks

You must complete these tasks to enable mutual authentication:
  1. Create a new key pair and Certificate Signing Request, using a server-to-server certificate from your CA.
  2. Submit the Certificate Signing Request (CSR) to support for your CA and provide the required details.
  3. Your CA verifies your request, and if they approve it, they issue the certificate in an email to the technical contact for your account.
  4. Give the certificate's common name to your Cybersource technical contact. Your technical contact adds it to the Cybersource whitelist.
    IMPORTANT
    Your certificate's common name can only contain up to 40 characters.
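The set-up tasks above, as an added shell example that is not Cybersource's own code: it generates the key pair and CSR for task 1, checks the 40-character common-name limit from task 4, and checks an issued certificate for the Client Authentication EKU that mTLS requires. It assumes openssl 1.1.1 or later; the common name and file paths are constructed for the demo, and the self-signed certificates stand in for the CA-issued one.

```shell
#!/bin/sh
# Added example, not Cybersource's code. Assumptions: openssl 1.1.1 or later is
# installed; the common name and paths below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
CN="example-client-0001"   # constructed; use the name you will have whitelisted

# Task 1: a new P-256 key pair (matching the ECC P-256 root chain) and a CSR that
# carries the common name. Prints the CSR path.
make_csr() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/client.key"
    openssl req -new -key "$WORK/client.key" -subj "/CN=$1" \
        -out "$WORK/client.csr" >/dev/null
    printf '%s\n' "$WORK/client.csr"
}

# Task 4: the whitelist accepts common names of at most 40 characters.
cn_fits_whitelist() {
    [ "${#1}" -le 40 ]
}

# An issued certificate is only usable for mTLS if it carries the Client
# Authentication EKU, the extension DigiCert is dropping from public TLS certs.
has_client_auth_eku() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# Demo stand-ins for the CA-issued certificate: self-signed, once with the EKU
# and once without, so the check above visibly accepts one and rejects the other.
make_demo_certs() {
    openssl req -x509 -new -key "$WORK/client.key" -subj "/CN=$CN" -days 1 \
        -addext "extendedKeyUsage=clientAuth" -out "$WORK/with-eku.pem"
    openssl req -x509 -new -key "$WORK/client.key" -subj "/CN=$CN" -days 1 \
        -out "$WORK/no-eku.pem"
}

cn_fits_whitelist "$CN" || { echo "CN longer than 40 characters: $CN" >&2; exit 1; }
csr=$(make_csr "$CN")
openssl req -in "$csr" -noout -subject
make_demo_certs
for cert in "$WORK/with-eku.pem" "$WORK/no-eku.pem"; do
    if has_client_auth_eku "$cert"; then
        echo "$cert: clientAuth EKU present, usable for mTLS"
    else
        echo "$cert: clientAuth EKU missing, cannot be used for mTLS"
    fi
done
```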
To test your own application, you can use the certificate that is available with the Cybersource sample application code, hosted on GitHub.