All requests use a TLSv1.2 encrypted connection over HTTPS. Only HIGH ciphers are supported.
For additional security, you exchange a set of certificates to gain access to the gateway. All certificates are issued by the private Certificate Authority (CA) of the Payment Gateway, which the client needs to trust. As part of this process, you provide a certificate signing request (CSR), which is signed and returned to you:
ca.crt | The private Certificate Authority (public key) of the Payment Gateway and the Boarding Gateway. Used when signing your client certificate. You also use it to verify The Payment Gateway or Boarding Gateway's authority when accessing the interface. |
customer.crt | Your certificate (public key) for authentication. |
customer.key | Your certificate’s private key for authentication. Boarding Gateway-only |
customer.pem | A combination of your private and public keys as needed e.g. by cURL. Boarding Gateway-only |
customer.key12 | This is a key package. |
Important
Make sure you keep all private keys secret. When connecting to an API endpoint, such as
api.girogate.de, useca.crtto verify the server certificate. Do not pin to a specific server certificate, since they will be replaced on a yearly basis.