Shopify Generates Invalid CSR File for Apple Pay

hundley10
Tourist

When configuring the iOS Buy SDK for Apple Pay, Shopify generates an invalid CSR file. When uploading the file to the Apple developer portal I get the error "CSR algorithm/size incorrect. Expected: RSA(2048)".

Inspecting the CSR file shows that the signature algorithm is ECDSA. Apple requires RSA, and will not accept the file generated by Shopify.

Does Shopify need to update their code to be compatible with Apple? We currently cannot enable Apple Pay on our iOS app.
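
The inspection described in the post above, as an added example that is not part of the thread and is not Shopify's or Apple's code: a dependency-free Python reader that reports the subject public-key type and size carried in a PEM CSR. The two sample CSRs are constructed skeletons (dummy key bytes, no valid signature), and `der` and `sample_csr` are helpers invented for this example.

```python
import base64

OID_RSA = bytes.fromhex("2a864886f70d010101")   # rsaEncryption
OID_EC = bytes.fromhex("2a8648ce3d0201")        # id-ecPublicKey
OID_P256 = bytes.fromhex("2a8648ce3d030107")    # prime256v1 (256-bit ECC curve)

def tlv(buf, pos=0):  # read one DER element -> (tag, content, next_pos)
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(content):  # split constructed content into (tag, content) pairs
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = tlv(content, pos)
        out.append((tag, body))
    return out

def csr_key_type(pem):
    """Return ("RSA", bits) or ("EC", curve) for a PEM-encoded PKCS#10 CSR."""
    b64 = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    req = tlv(base64.b64decode(b64))[1]             # CertificationRequest
    info = children(children(req)[0][1])            # version, subject, SPKI, attrs
    alg_id, key_bits = children(info[2][1])         # SubjectPublicKeyInfo
    alg = children(alg_id[1])                       # algorithm OID + parameters
    if alg[0][1] == OID_RSA:
        rsa_key = tlv(key_bits[1][1:])[1]           # skip the unused-bits byte
        return "RSA", int.from_bytes(children(rsa_key)[0][1], "big").bit_length()
    if alg[0][1] == OID_EC:
        return "EC", "P-256" if alg[1][1] == OID_P256 else alg[1][1].hex()
    return "unknown", alg[0][1].hex()

def der(tag, body):  # minimal DER encoder, only for building the samples below
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_csr(alg_body, key):  # constructed skeleton: dummy key, no real signature
    spki = der(0x30, der(0x30, alg_body) + der(0x03, b"\x00" + key))
    info = der(0x30, der(0x02, b"\x00") + der(0x30, b"") + spki + der(0xA0, b""))
    body = base64.b64encode(der(0x30, info + der(0x30, b"") + der(0x03, b"\x00"))).decode()
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{body}\n-----END CERTIFICATE REQUEST-----"

EC_CSR = sample_csr(der(0x06, OID_EC) + der(0x06, OID_P256), b"\x04" + b"\x11" * 64)
RSA_KEY = der(0x30, der(0x02, b"\x00\xc3" + b"\x01" * 255) + der(0x02, b"\x01\x00\x01"))
RSA_CSR = sample_csr(der(0x06, OID_RSA) + der(0x05, b""), RSA_KEY)
```

Calling `csr_key_type` on a downloaded `.csr` file's text before uploading it shows whether it matches the "RSA(2048)" that the portal's error message asks for.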


ShopifyDevSup
Shopify Staff

Hi @hundley10!

We can see in the Apple Developer Docs the following requirement for generating a CSR for Apple Pay:

When creating an Apple Pay Payment Processing Certificate, you must specify the Key Pair information. Select ECC and 256 bit key pair

The Elliptic Curve Digital Signature Algorithm (ECDSA) is a Digital Signature Algorithm (DSA) which uses keys derived from elliptic curve cryptography (ECC). Shopify is generating the correct certificate based on Apple's own documentation.

A Google search on this error reveals any number of reasons this can happen, from the keychain on the user's macOS already containing a key to the user's Apple Developer account already having a key generated for mainland China.

The error is not very self-explanatory, but it is out of scope for Shopify Support. You may want to reach out to Apple's developer support to find a solution.

Developer Support @ Shopify

meta_merritt
Shopify Partner

The issue is Apple needs to update their dev documentation to reflect that a .csr file needs to be RSA 2048 bit algorithm encryption. Until then Shopify will continue to provide a .csr file available for download that will be ECC 256 bit. @ShopifyDevSup I used KeyChain Access on my Mac to create a .csr file that met Apple's upload requirements at RSA 2048 bit. Downloaded the Merchant ID Cert and tried to upload that file to Shopify and I received the below error message. Is this because Shopify was expecting an ECC 256 bit based Merchant ID Cert file upload? Possible to update the Shopify system to accept RSA 2048 based Merchant ID Cert file uploads? Thanks

[Screenshot: Screenshot 2024-04-11 at 11.18.46 AM.png]

meta_merritt
Shopify Partner

Assuming you found a resolution for this, I'm attempting the same thing and get the same error message from Apple. What's weird is I was able to create the Payment Processing certificate but I cannot create the Merchant Identity certificate, which is the certificate Shopify needs to be uploaded. So frustrating.....

hundley10
Tourist

The good news is that I did eventually find a solution, and we currently have Apple Pay working in our iOS app. The bad news is that this was over a year ago, and I honestly can't remember what the solution was. All I know is that it was some sort of workaround... and Shopify still needs to update their system to produce the correct certificate. It's possible that we were able to re-sign the cert with the correct algorithm, but I can't say for sure. Sorry, not much help.