# Generating an mTLS Certificate with a CSR
source: https://developer.mastercard.com/platform/documentation/security-and-authentication/mtls-csr-requirements/index.md

## Overview {#overview}

Mastercard Developers allows you to automatically generate and obtain an mTLS client certificate in the Sandbox environment for your mTLS project. You can either use a Certificate Signing Request (CSR) generated by the platform or submit your own CSR, as long as it follows the CSR guidelines outlined below.

There are minor differences in CSR requirements between Sandbox and Production environments. Be sure to follow the guidelines for the corresponding environment when generating your CSR.

## CSR Format {#csr-format}

The format and syntax for a CSR are defined in the [PKCS #10: Certification Request Syntax Specification](https://tools.ietf.org/html/rfc2986).

## Distinguished Name (DN) Attributes {#distinguished-name-dn-attributes}

#### mTLS Sandbox CSR DN Requirements {#mtls-sandbox-csr-dn-requirements}

* **Common Name (CN)**

  * Format: `[unique string]-Client-[ENV]-[CID]`
    * `[unique string]` -- It is recommended to use the timestamp in epoch time when creating the CSR. For example: `[1728489217]`
    * `[Client]` -- This should always be set to `Client`.
    * `[ENV]` -- Set to `MTF`, which corresponds to the Sandbox environment.
    * `[CID]` -- Set to the **verified CID** found in your user profile if your user company is available and verified; otherwise, set to "000000".
      * For instructions on obtaining a verified CID, please refer to our [Company Verification Documentation](https://developer.mastercard.com/platform/documentation/account-management/company-verification-via-connect-linking/index.md).
  * Validations
    * Character Limit = 64 characters
    * The common name is not a URL.
* **Organization (O)**

  * Must match the company name in your user profile.
  * Character Limit = 64 characters
* **Organizational Unit (OU)**

  * Must match your project's name.
  * Character Limit = 32 characters
* **Country**

  * Must match the country in your user profile.
  * Use ISO 2-character country code format.

  To obtain a Production certificate, **you must have a verified CID**.

#### mTLS Production CSR DN Requirements {#mtls-production-csr-dn-requirements}

To obtain an mTLS certificate in Production, you must complete the company verification process: [Company Verification documentation](https://developer.mastercard.com/platform/documentation/account-management/company-verification-via-connect-linking/index.md).

CSR values are validated against your verified company details. If your CSR contains unverified company information, certificate generation will fail.

* **Common Name (CN)**
  * Format: `[unique string]-Client-[ENV]-[CID]`
    * `[unique string]` -- It is recommended to use the timestamp in epoch time when creating the CSR. For example: `[1728489217]`
    * `[Client]` -- This should always be set to `Client`.
    * `[ENV]` -- Set to `prod`, which corresponds to the Production environment.
    * `[CID]` -- Set to the **verified CID** found in your user profile.
  * Validations
    * Character Limit = 64 characters
    * The common name is not a URL.
* **Organization (O)**
  * Must match the **verified company name** in your user profile.
  * Character Limit = 64 characters
* **Organizational Unit (OU)**
  * Must match your project's name.
  * Character Limit = 32 characters
* **Country**
  * Must match the **verified country** found in your user profile.
  * Use ISO 2-character country code format.

Note: For projects **on behalf of another company (indirect projects)**, you should **always use the user company (direct company)** details in the CSR, not the client company's.
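The Sandbox and Production rules above can be checked locally before a CSR is submitted. The following Python is an added example, not Mastercard code: the function names, the URL heuristic, and the sample values are assumptions made for illustration, and the OU truncation follows the Troubleshooting section.

```python
import re
import time

# Rules come from the DN requirements above. All names here are this
# example's own (hypothetical); none of this is a Mastercard API.
ENV_TAGS = {"sandbox": "MTF", "production": "prod"}
UNVERIFIED_CID = "000000"  # Sandbox fallback when no verified CID exists


def build_dn(env, company, project, country, cid=None, unique=None):
    """Build DN attributes for a CSR from user-profile and project values."""
    unique = unique or str(int(time.time()))  # epoch timestamp, as recommended
    cn = f"{unique}-Client-{ENV_TAGS[env]}-{cid or UNVERIFIED_CID}"
    # OU is the project name cut to its first 32 characters (see Troubleshooting).
    return {"C": country, "O": company, "OU": project[:32], "CN": cn}


def check_dn(dn, env):
    """Return a list of rule violations; an empty list means the DN passes."""
    errors = []
    for attr, limit in (("CN", 64), ("O", 64), ("OU", 32)):
        if not dn[attr] or len(dn[attr]) > limit:
            errors.append(f"{attr} must be 1-{limit} characters")
    if not re.fullmatch(rf".+-Client-{ENV_TAGS[env]}-.+", dn["CN"]):
        errors.append(f"CN must be [unique string]-Client-{ENV_TAGS[env]}-[CID]")
    # Assumption: treat a scheme prefix or leading "www." as "looks like a URL".
    if re.match(r"(?i)([a-z][a-z0-9+.-]*://|www\.)", dn["CN"]):
        errors.append("CN must not be a URL")
    if not re.fullmatch(r"[A-Z]{2}", dn["C"]):
        errors.append("C must be an ISO 2-character country code")
    if env == "production" and dn["CN"].endswith("-" + UNVERIFIED_CID):
        errors.append("Production requires a verified CID")
    return errors


def openssl_subject(dn):
    """Format the DN for `openssl req -new -subj ...`, escaping '/' and '\\'."""
    esc = lambda v: v.replace("\\", "\\\\").replace("/", "\\/")
    return "".join(f"/{k}={esc(dn[k])}" for k in ("C", "O", "OU", "CN"))


if __name__ == "__main__":
    # Constructed sample values, not real profile data.
    dn = build_dn("sandbox", "Example Payments Ltd",
                  "Wallet Integration Pilot For Example Payments", "GB", unique="1728489217")
    print(check_dn(dn, "sandbox") or openssl_subject(dn))
```

The checks cover only format and length; whether O, OU, and Country match your profile and project is still validated by Mastercard Developers at submission.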

## Troubleshooting {#troubleshooting}


* If you generated your CSR with OpenSSL, ensure you are using the latest version. If the issue persists, contact [API Support](mailto:apisupport@mastercard.com).
* If the Organizational Unit (OU) attribute exceeds 32 characters, the CSR request for a certificate will fail. When creating the CSR, ensure the OU is limited to the first 32 characters of your project name. For example, if your OU is "MastercardDigitalWalletIntegration" (35 characters), set the OU attribute to "MastercardDigitalWalletIntegrat", that is, up to the 32nd character.
* For both project types, your certificate's Distinguished Name (DN) must be unique. Certificates with duplicate DNs will be rejected by Mastercard Developers. If the CSR has already been used to generate a certificate for another project, make sure to revoke or delete the certificate from that project before attempting to create a new one with the same DN values.


