# mTLS on-boarding for outbound push notifications
source: https://developer.mastercard.com/cross-border-services/documentation/push-api-notification-mtls-setup/index.md

## APIGW Client CA/Certificate Exchange Process {#apigw-client-cacertificate-exchange-process-}

* You must confirm that you will be able to trust the Mastercard Entrust Client CA.
* The CA chain or the client certificate is shared with you via the Key Management Portal (KMP). Your registered security officers are notified by email when the files are available; they can then download the CA/certificate files from the KMP application in Mastercard Connect.
* Once your registered security officers have been notified by email, follow the steps below.

### Step 1: Obtain access to Key Management Portal {#step-1-obtain-access-to-key-management-portal}

The Key Management Portal (KMP) is an application available in [Mastercard Connect](https://mastercardconnect.com) as a self-service portal for Mastercard customers, which allows them to request and exchange keys and certificates with Mastercard.
The portal provides guided workflows to create and manage requests for key and certificate exchange, as well as an inventory of all PKI for Business Partners keys and certificates that have been exchanged between you and Mastercard using KMP.

##### Prerequisite: {#pre-requisite}

To access KMP, you must be signed up to [Mastercard Connect](https://mastercardconnect.com). Contact your Mastercard representative for help with the Mastercard Connect signup.

##### How to request access to KMP: {#how-to-request-access-to-kmp}

* Sign in to [Mastercard Connect](https://mastercardconnect.com).
* Click Store in the top menu.
* Search for Key Management Portal. You can also select Administration under Business capabilities to narrow down the results. ![kmp-tile](https://static.developer.mastercard.com/content/cross-border-services/documentation/images/kmp_01.png)
* On the Key Management Portal card, select Request.
* Select Security Officer Level 1 access.
* Click Request access.

### Step 2: Ensure complete setup in KMP {#step-2-ensure-complete-setup-in-kmp}

* Your company must have at least 2 active Security Officers on the Key Management Portal to be permitted
  to create new requests in KMP. If you see the following message when logging into KMP, your company
  needs to have at least 1 additional Security Officer registered on the Key Management Portal application in
  Mastercard Connect.

![security-officer-required](https://static.developer.mastercard.com/content/cross-border-services/documentation/images/kmp_40.png)

* Furthermore, if not already done, a Certificate Management Group email must be added to your company profile.

##### How to add a Certificate Management Group email {#how-to-add-a-certificate-management-group-email}

Your Certificate Management Group email is an alternative means of communication that the Mastercard
Key Management Delivery team will use for crucial communication with your organization, and as a fallback in case there
is no longer an active user on the Key Management Portal. Follow the steps below to add a Certificate Management Group email:

1. Click **My Company**
   ![my-company](https://static.developer.mastercard.com/content/cross-border-services/documentation/images/kmp_03.png)

2. Click on the pencil icon next to Certificate Management Group Email
   ![edit-group-email](https://static.developer.mastercard.com/content/cross-border-services/documentation/images/kmp_04.png)

3. Enter your Certificate Management Group email and click Save
   ![save-group-email](https://static.developer.mastercard.com/content/cross-border-services/documentation/images/kmp_05.png)

Once your certificate management group is set up, the Mastercard team will initiate the certificate generation process. As soon as your certificates are ready for download, your security officers will receive an email notification from Mastercard for each certificate shared.

### Step 3: Download the certificate from KMP {#step-3-download-the-certificate-from-kmp}

##### How to download certificate on KMP: {#how-to-download-certificate-on-kmp}

1. Once your security officer receives the email from the Mastercard team, they can click the links in the email to go straight to the request in KMP and download the certificates. Alternatively, they can log into KMP, navigate to the request via "How to view certificates" and download the certificates from there. There will be 4 certificates shared with you (2 for Production and 2 for the MTF environment). ![download-certificate](https://static.developer.mastercard.com/content/cross-border-services/documentation/images/kmp_44.png)
2. On the Certificate Detail screen, click Actions, then Download.
3. If you're downloading a certificate or a CA Chain, select a Format from the list. You may select PEM (PKCS #8), PEM (Open SSL) or PKCS #7 per your preference. ![choose-format](https://static.developer.mastercard.com/content/cross-border-services/documentation/images/kmp_12.png)
4. Select the preferred ordering of the Root CA (unless you select the DER format, in which case the Root Chain cannot be included). ![choose-chain-order](https://static.developer.mastercard.com/content/cross-border-services/documentation/images/kmp_13.png)
5. Click Download.

The downloaded file is saved in the default download folder of your browser.

The following outcomes may be observed:

1. For any certificate or CA chain downloaded in the PEM (PKCS #8), PEM (Open SSL) or PKCS #7 format, the root chain is always included in the downloaded file containing the certificate and chaining:
   1. For PEM (PKCS #8) and PEM (Open SSL), the downloaded file is a .pem file.
   2. For PKCS #7, the downloaded file is a .p7b file.
2. Where the user is downloading a certificate for an application which requires mutual authentication, an extra CA Chain is delivered along with the certificate chaining inside a zip file.

### Step 4: Trust Mastercard's certificate {#step-4-trust-mastercards-certificate}

Add the certificate (with its CA chain) that you downloaded in the previous step to your trust store.

## Partner Server CA/Certificate Requirements: {#partner-server-cacertificate-requirements}

* Validating the server certificate presented by the "External Partner" platform does not require any CA/Certificates to be exchanged and installed in the APIGW.
* The "External Partner" server hosting the webhook endpoint must use a TLS certificate that is signed by an industry-standard CA accepted by Mastercard. You cannot use a self-signed server certificate.
* Your Mastercard representative will ask the "External Partner" to share their server certificate's CA, so that the representative can confirm that the CA you use is supported by Mastercard.

Note:

* If you are using a CA that is not recognized by Mastercard, your Mastercard representative will inform you that you need to submit the Root and intermediate CAs as Base64 .pem files via the KMP portal, using "Other" as the application and indicating in the comment that the key exchange is for the mTLS CA trust addition in the API Gateway for Cross-Border Outbound API services.
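The two trust relationships this page sets up (Step 4: trusting the downloaded Mastercard client CA chain; this section: the webhook endpoint presenting a CA-signed server certificate and requiring a client certificate that chains to that trust store) can be exercised offline before the endpoint goes live. The Go program below is an added example, not code from Mastercard or from this documentation. It uses only the standard library; the CA and client certificate it generates in `MakeTestChain` are a constructed stand-in for the files delivered through KMP, and the function names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// LoadClientCAs builds the client-CA trust pool from a KMP-style PEM bundle (CA chain alone, or leaf plus chain).
func LoadClientCAs(bundle []byte) (*x509.CertPool, int, error) {
	pool, added := x509.NewCertPool(), 0
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, 0, fmt.Errorf("bundle contains an unparsable certificate: %w", err)
		}
		if cert.IsCA { // only CA certificates belong in a trust store; a leaf in the bundle is skipped
			pool.AddCert(cert)
			added++
		}
	}
	if added == 0 {
		return nil, 0, fmt.Errorf("no CA certificates found in bundle")
	}
	return pool, added, nil
}

// WebhookTLSConfig: present the publicly signed server certificate and require a client certificate chaining to clientCAs.
func WebhookTLSConfig(serverCert tls.Certificate, clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},   // must be CA-signed; a self-signed server cert is not accepted
		ClientAuth:   tls.RequireAndVerifyClientCert, // mTLS: a missing or untrusted client cert fails the handshake
		ClientCAs:    clientCAs,
		MinVersion:   tls.VersionTLS12,
	}
}

// VerifyClientCert runs offline the same chain check the handshake performs, so the trust store can be tested first.
func VerifyClientCert(leafPEM []byte, clientCAs *x509.CertPool) error {
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return fmt.Errorf("client certificate is not PEM encoded")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: clientCAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func must[T any](v T, err error) T { // fixture helper: abort on any setup error
	if err != nil {
		panic(err)
	}
	return v
}

// MakeTestChain is a constructed stand-in for the KMP-delivered files (a throwaway CA plus a client cert it signed).
func MakeTestChain(caName, clientName string) (caPEM, clientPEM []byte) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	clientKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	caCert := must(x509.ParseCertificate(caDER))
	clientTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: clientName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	clientDER := must(x509.CreateCertificate(rand.Reader, clientTmpl, caCert, &clientKey.PublicKey, caKey))
	toPEM := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return toPEM(caDER), toPEM(clientDER)
}

func main() {
	caPEM, clientPEM := MakeTestChain("Constructed Test Client CA", "constructed-client")
	pool, n, err := LoadClientCAs(append(append([]byte{}, clientPEM...), caPEM...)) // leaf + chain, as downloaded
	_, stranger := MakeTestChain("Some Other CA", "stranger")
	fmt.Println("CAs trusted:", n, "| load error:", err, "| our client accepted:", VerifyClientCert(clientPEM, pool) == nil,
		"| foreign client rejected:", VerifyClientCert(stranger, pool) != nil)
	_ = WebhookTLSConfig(tls.Certificate{}, pool) // real deployment: pass the publicly signed server certificate here
}
```

`LoadClientCAs` skips the leaf, so the downloaded leaf-plus-chain `.pem` can be fed in as-is; a `.p7b` download must first be converted to PEM (for example with `openssl pkcs7 -print_certs`). Keeping the client-CA pool separate from the system roots means the endpoint accepts only certificates issued under the CA exchanged through KMP, which is the check `VerifyClientCert` lets you rehearse against both a trusted and a foreign certificate before traffic arrives.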
