Enable Mutual Authentication

OAuth uses mutual authentication to provide an additional layer of security. Mutual authentication occurs when a client and server verify each other's identities simultaneously. To enable mutual authentication, you must use a server-to-server certificate issued by a trusted Certificate Authority (CA). Before you can register your application with Cybersource, you must obtain a certificate from one of these supported DigiCert CAs and enable mutual authentication:
Supported DigiCert CAs
  • X9 Financial PKI – ECC P-256 Root
  • X9 Financial PKI – RSA 2048 Root
  • X9 Financial PKI – RSA 4096 Root
Contact support to obtain a certificate from DigiCert: https://www.digicert.com/contact-us

Deprecated DigiCert CAs and Transition Guidance

These CAs are no longer supported:
  • DigiCert Assured ID Root G2
  • DigiCert Global G2 TLS RSA SHA256 2020 CA1
  • DigiCert High Assurance EV Root CA
  • DigiCert SHA2 Extended Validation Server CA
IMPORTANT
If your current integration uses a deprecated DigiCert CA, obtain one of the supported certificates when your existing certificates expire or are due for renewal.
DigiCert has announced that the Client Authentication EKU will be removed from public TLS certificates to comply with industry requirements. Without this EKU, certificates cannot be used for client authentication in mTLS, which is essential for secure OAuth integrations. If your organization uses DigiCert certificates for mTLS, client authentication, or server-to-server authentication, review the DigiCert article "What should I do to prepare for the Client Authentication EKU removal from public TLS certificates?". This article explains whether your certificate usage is affected and describes DigiCert alternatives.
To download the supported X9 production root and intermediate certificates used for mTLS, see the DigiCert article "X9 Production Certificates for mTLS".

Set Up Tasks

You must complete these tasks to enable mutual authentication:
  1. Create a new key pair and Certificate Signing Request (CSR) for a server-to-server certificate from your CA.
  2. Submit the CSR to your CA's support team and provide the required details.
  3. Your CA verifies your request and, if it approves the request, issues the certificate in an email to the technical contact for your account.
  4. Give the certificate's common name to your Cybersource technical contact. Your technical contact adds it to the Cybersource whitelist.
    IMPORTANT
    Your certificate's common name can only contain up to 40 characters.
To test your own application, you can use the certificate that is available with the Cybersource sample application code, hosted on GitHub.
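As an added example (not Cybersource's or DigiCert's own tooling), the following POSIX shell script uses the openssl CLI to carry out step 1 above and to check the two requirements this page states before you submit the CSR and whitelist the result: a common name of at most 40 characters, and the Client Authentication EKU that mTLS client authentication depends on. The common name, working directory and self-signing helper are placeholders for a local test; the certificate you actually use is the one your CA issues in step 3.

```shell
#!/bin/sh
# Added example: key pair + CSR for the server-to-server certificate, plus
# checks for the 40-character CN limit and the Client Authentication EKU.
# Assumes the openssl CLI. CN, directory and self-signing are test placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 1: new key pair and CSR. ECC P-256 matches the supported X9 ECC root.
# $1 = common name, $2 = output path prefix (writes $2.key and $2.csr).
make_csr() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$2.key"
    openssl req -new -key "$2.key" -subj "/CN=$1" -out "$2.csr"
}

# Cybersource whitelists the CN and it may not exceed 40 characters, so check
# it on the CSR ($1) before submitting. Returns 0 when the length is OK.
cn_length_ok() {
    cn=$(openssl req -in "$1" -noout -subject -nameopt RFC2253 |
         sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
    [ "${#cn}" -le 40 ]
}

# mTLS client authentication needs the Client Authentication EKU; a certificate
# issued without it cannot be used for OAuth mutual authentication. $1 = cert.
has_client_auth_eku() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Extended Key Usage' | grep -q 'TLS Web Client Authentication'
}

# Test helper only: self-sign CSR $1 with key $2 and EKU list $3 into $4.
# This stands in for the CA; a self-signed certificate is never used in production.
self_sign_for_test() {
    printf 'extendedKeyUsage=%s\n' "$3" > "$WORKDIR/ext.cnf"
    openssl x509 -req -in "$1" -signkey "$2" -days 1 \
        -extfile "$WORKDIR/ext.cnf" -out "$4" 2>/dev/null
}
```

Run `cn_length_ok` on the CSR before step 2 and `has_client_auth_eku` on the certificate your CA returns in step 3; a certificate that fails the EKU check is one the Client Authentication EKU removal described above would affect.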