mtls question - payment app

Shopify Partner
23 0 0

Hi Forum,


We are developing a payment app and we understand the below requirements. However, where does the payment app actually upload the / provide the signed SSL?


We have reviewed, however this does not address where / how the certificate is to be uploaded? Any help would be great!


Because mTLS is mutual, the payments app also needs to provide a certificate that Shopify will validate. For this certificate, you need to use a Trusted CA Signed SSL Certificate, and not Shopify’s self-signed CA.

12 0 5

I have the same issue, did you solve it?

12 0 5

I have solved the issue.

First of all, we do not need to upload any certificate.

Second, we could configure our certificate by nginx.

Shopify Partner
13 0 5

Could you please explain how you did that?

Shopify Partner
62 2 13


It took me a lot of time trying to do this at the code level, but I could not implement it.

In the end, I was able to configure this at the server level using Apache. Below is the configuration.

Configure your web server

Implement a set of Apache 2.4 directives, shown below, that require the client to support mutual TLS. They can be applied to specific directories or to all incoming connections. See the Apache 2.4 SSL documentation for more information.

    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLCACertificateFile /etc/apache2/conf/shopify_root_cert.pem

Configure client access control

Your web server is now configured to use mutual TLS to require the client (Shopify) to provide its certificate to identify itself. The next step is to use the client’s identity for access control. This example for Apache 2.4 is applied to a specific directory.

    <Directory "/payments">
        SSLOptions +StdEnvVars
    </Directory>

The above example sets the SSL library to create environment variables with information from the client’s certificate.

I hope this helps.

1 0 0

@Sushant you use the certificate in
as /etc/apache2/conf/shopify_root_cert.pem ?
Please, if you know how to set this configuration on NGINX, let me know.
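
An NGINX counterpart of the Apache directives posted above, as an added example that is not from any participant in this thread or from Shopify's documentation. The server name, file paths, upstream address and `X-Client-*` header names are placeholders; the CA file is assumed to be the same `shopify_root_cert.pem` referenced in the Apache configuration.

```nginx
# Added example: NGINX equivalent of the Apache mTLS directives in this thread.
# Host name, file paths, header names and upstream address are placeholders.
server {
    listen 443 ssl;
    server_name payments.example.com;              # placeholder

    # Server side of mTLS: the payments app's own certificate, signed by a
    # trusted CA (not Shopify's self-signed CA). Nothing is uploaded; the
    # certificate is presented by this server during the TLS handshake.
    ssl_certificate     /etc/nginx/tls/payments.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/payments.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Client side of mTLS: accept only client certificates that chain to
    # Shopify's CA (counterpart of SSLCACertificateFile / SSLVerifyDepth 10).
    ssl_client_certificate /etc/nginx/tls/shopify_root_cert.pem;
    ssl_verify_depth       10;

    # ssl_verify_client is not allowed inside "location". "optional" lets a
    # client connect without a certificate so each path can decide; use "on"
    # to require a certificate for every request to this server block.
    ssl_verify_client optional;

    location /payments/ {
        # Counterpart of "SSLVerifyClient require" for this path only.
        # $ssl_client_verify is SUCCESS, NONE, or FAILED:<reason>.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        # Counterpart of "SSLOptions +StdEnvVars": pass the verified identity
        # to the application. proxy_set_header replaces any value the client
        # sent, so these headers cannot be spoofed from outside.
        proxy_set_header X-Client-Verify  $ssl_client_verify;
        proxy_set_header X-Client-Subject $ssl_client_s_dn;
        proxy_set_header X-Client-Issuer  $ssl_client_i_dn;
        proxy_pass http://127.0.0.1:8080;          # placeholder upstream
    }
}
```

Run `nginx -t` after editing to validate the syntax and confirm that the certificate, key and CA files can be read before reloading.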