# Mastercard KMS Key Exchange
source: https://developer.mastercard.com/account-to-account-commerce-for-dsp/documentation/api-basics/key-exchange/index.md

In addition to exchanging certificates for Mastercard Account to Account Commerce, participants must work with the KMS team to effectively manage the life cycle of each certificate.

## Mastercard KMS key exchange process {#mastercard-kms-key-exchange-process}

Participants first exchange keys with Mastercard during their initial onboarding process when implementing Mastercard Account to Account Commerce. Thereafter, participants follow the same process to renew keys upon expiry or in situations where a key has been compromised.

Participants must follow the steps listed below to complete the key exchange process during onboarding.

### 1. Register security administrators {#1-register-security-administrators}

Participants must register at least two security officers on the Key Management Portal (KMP), available in [Mastercard Connect](https://www.mastercardconnect.com). Any Mastercard Connect user in a participant's organization with access to KMP is recognized by Mastercard as a security officer. For more information on getting access to KMP, refer to the Key Management Portal User Guide.

### 2. Generate certificate signing requests (CSRs) {#2-generate-certificate-signing-requests-csrs}

Within KMP, start a new request and complete the web form with the relevant CSR information provided in this guide. Refer to sections [Account to Account Commerce mutual TLS certificates](https://developer.mastercard.com/account-to-account-commerce-for-dsp/documentation/api-basics/certificates-keys/index.md), [Account to Account Commerce Digital Signing certificates](https://developer.mastercard.com/account-to-account-commerce-for-dsp/documentation/api-basics/certificates-keys/index.md) and [Account to Account Commerce Digital Encryption certificates](https://developer.mastercard.com/account-to-account-commerce-for-dsp/documentation/api-basics/certificates-keys/index.md) for the CSR formats of client, signing and encryption certificates respectively.

### 3. Download signed certificates {#3-download-signed-certificates}

When a CSR is signed, participants are notified via the contact information provided in KMP. A security officer may download the signed certificate from KMP.

### Certificate renewal {#certificate-renewal}

Mastercard notifies security officers 120 days before a certificate expires through the contact information provided in KMP. To avoid any disruption of service, participants must log in to KMP to renew a certificate before its expiration date.

Note: Participants may choose to renew certificates at any time without receiving notification from KMS.

### Delegation {#delegation}

A participant may delegate the operation of a service to a third party, recognized by KMS as a Member Service Provider (MSP).

The delegation process is conducted by email between a participant and Mastercard. Ask your Mastercard implementation manager to initiate the delegation process. Mastercard will contact the participant via the email address(es) provided to obtain confirmation for the delegation. When a participant has responded with approval, Mastercard proceeds with the key exchange and provides the requested key(s) to the delegated party.
