Partner Applications – certificates explained

Xero API Partner Applications can be authorized to provide long-term access to multiple Xero accounts.
Due to the extended nature of this access, Xero have additional security requirements in place around the certificates used to communicate with the Partner API.

Application Certificate
Each developer must generate a self-signed application certificate. Its public cert part is uploaded in the application settings when creating or editing a partner application in the Xero Developer Centre. This certificate is used to sign messages during the OAuth process within your application.

Xero Entrust Certificate
When the API team have reviewed and enabled your new partner application, we will issue you with a download link for a client SSL certificate, the Xero Entrust cert. This is separate from the application certificate, and is used to identify the connection between your server and the Xero Partner API. It is not part of the OAuth signing process, but is incorporated in your code’s method of connecting to the Partner API.

In Summary
To use the Xero Partner API, you need two separate certificates:

  1. Application certificate: used to sign OAuth messages, generally broken into two parts: a private key and public cert
  2. Xero Entrust certificate: used to secure the client which connects to the API, and can be one single cert or a private key and public cert, depending on your application code/environment.

Using OpenSSL to split the Xero Entrust certificate
The command line steps to split the .p12 file into a separate private key and public cert (if applicable) are:

  1. openssl pkcs12 -in entrust-client.p12 -clcerts -nokeys -out entrust-cert.pem
  2. openssl pkcs12 -in entrust-client.p12 -nocerts -out entrust-private.pem <- you will be prompted to enter a password
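
One way to run the two steps above non-interactively and then confirm that the extracted key and cert belong together (an added example, not Xero's own code). The sample bundle, the `P12_PW` and `KEY_PW` variable names, the helper function names and both pass phrases are constructed so the script runs offline; with the real bundle, skip `make_sample_p12`.

```shell
#!/usr/bin/env bash
# Added example: the page's two split commands, followed by a pair check.
# Pass phrases are read from environment variables (openssl's env: source)
# so they do not appear in the process list. All values are constructed samples.
set -eu

# Constructed stand-in for the issued entrust-client.p12, so this runs offline.
make_sample_p12() {  # $1 = work dir
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-sample" \
    -keyout "$1/tmp-key.pem" -out "$1/tmp-cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$1/tmp-key.pem" -in "$1/tmp-cert.pem" \
    -out "$1/entrust-client.p12" -passout env:P12_PW
  rm -f "$1/tmp-key.pem" "$1/tmp-cert.pem"
}

# Steps 1 and 2 from the page, made non-interactive.
split_p12() {  # $1 = work dir
  ( umask 077  # files created below are readable by the owner only
    openssl pkcs12 -in "$1/entrust-client.p12" -clcerts -nokeys \
      -passin env:P12_PW -out "$1/entrust-cert.pem"
    openssl pkcs12 -in "$1/entrust-client.p12" -nocerts \
      -passin env:P12_PW -passout env:KEY_PW -out "$1/entrust-private.pem" )
}

# Prints "match" when the certificate's public key equals the one derived
# from the private key, "mismatch" otherwise.
check_pair() {  # $1 = certificate PEM, $2 = private key PEM
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -passin env:KEY_PW -pubout)
  if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

demo() {
  export P12_PW="sample-import-password" KEY_PW="sample-key-passphrase"
  dir=$(mktemp -d)
  make_sample_p12 "$dir"
  split_p12 "$dir"
  check_pair "$dir/entrust-cert.pem" "$dir/entrust-private.pem"
  rm -rf "$dir"
}
demo
```

A `mismatch` result means the cert and key files come from different bundles and the client connection will not authenticate with them.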