Signature And Public/Private Key Pairs

Digital signatures can ensure the reliability and protect from forgery of the API data transmitted. Each qualified API caller, also called Merchant, is assigned a StoreID by myPOS. The API access is authenticated against the StoreID by the RSA signature.


Merchant and myPOS must exchange RSA keys before making API calls, and the length of RSA key must be 2048 bits. When making API call to myPOS, merchant uses the RSA private key to sign the API request. After receiving the API request, myPOS will use the merchant’s RSA public key to verify whether the signature is matched to the content of the API request. Similarly, when merchant receives the API response, it is highly recommended that merchant verifies the signature of API response by using myPOS’s RSA public key. The following figure illustrates the interaction flow:



For the signing process, both myPOS Checkout API and the merchant generate public/private key pairs and exchange the public certificate. Key pairs are generated using the RSA algorithm. The certificates must be PEM-encoded PKCS7 file. Each of the parties is using the private key to sign the message and the opposite side authenticate the sender with a corresponding public certificate.

A signature is supplied in every message!


The myPOS Web Checkout provides different myPOS public certificate to every online store of the merchant. They are available for download at Online / Online stores / Keys menu of the myPOS account.



myPOS Checkout API requires from merchant to upload his public certificate so that his digital signature can be verified from the system. The merchant can upload several public certificates. A key index is assigned to each certificate. For each of the merchant's public certificate, there is a certain myPOS public certificate. The merchant can download each myPOS public certificate by clicking on Download in the myPOS public certificate column.

The online store public certificate can be changed at any time from the Online / Online stores / Keys menu.



RSA key pair

An RSA key pair contains the private key and the public key. The private key is required for generating the signature, while the public key is used for verifying the signature.

Generating an RSA key pair

Many tools can be used to generate the RSA key pair.

The easiest way to generate a key pair is by using our onsite generator.



Save the Public Certificate to a separate text (*.txt) file and upload (Add) it to the previous screen of the myPOS website.

The text file with the Public Certificate must be uploaded by clicking "Add new certificate".



The private certificate goes to your e-commerce platform.

Next you need to download the myPOS public certificate and apply it to your e-commerce platform. This will allow your store to verify that the requests made from myPOS are authentic.



If you prefer to generate the keys yourself you can do it using Open SSL.

The following steps assume that you use OpenSSL to generate the RSA key pair.


1. Install OpenSSL.


For linux system, use the following command:

sudo apt-get install openssl

For windows system, download and then install OpenSSL from the official site.


2. Generate RSA key pair.


For linux system, use the following command:


$ openssl

OpenSSL> genrsa -out rsa_private_key.pem 2048 ##generate private key

OpenSSL> pkcs8 -topk8 -inform PEM -in store_private_key.pem  -outform PEM - nocrypt   ##transform private key into PKCS8 format

OpenSSL> rsa -in store_private_key.pem -pubout -out  store_public_key.pem        ##Generate public key

OpenSSL> exit        


For windows system, use the following command:


C:\Users\Hammer>cd C:\OpenSSL-Win32\bin ##enter OpenSSL directory

C:\OpenSSL-Win32\bin>openssl.exe ##enter OpenSSL

OpenSSL> genrsa -out store_private_key.pem 2048  ##Generate private key

OpenSSL> pkcs8 -topk8 -inform PEM -in store_private_key.pem  -outform PEM -nocrypt ##Transform private key into PKCS8 format

OpenSSL> rsa -in store_private_key.pem -pubout -out  store_public_key.pem ##Generate public key

OpenSSL> exit


After that, you can see two files under current folder, store_private_key.pem and store_public_key.pem. The former is the private key and the latter is the public key.



Uploading RSA public key

After the key pair is generated, you must exchange the public key with the myPOS server for signature verification by completing the following steps:

  • Upload your public key to Alipay
  • Obatin Alipay public key