Skip to main content


Affirm Merchant Help

Mutual TLS


The exact implementation method you'll use to enable mutual TLS will be 

  1. Create a Certificate Signing Request
  2. Send us the CSR
  3. Test your API connection

Create a Certificate Signing Request

A certificate signing request is needed for us to implement Mutual TLS. We need this information from the client machine that will be accessing the Affirm servers so we can install the cert on our domain.

Generate RSA 2048 keypair and CSR file
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
Add Organization Information
  1. Enter the requested information:
    • Common Name: The fully-qualified domain name, or URL, you're securing.
      • If you are requesting a Wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example *
    • Organization: The legally-registered name for your business. If you are enrolling as an individual, enter the certificate requestor's name.
    • Organization Unit: If applicable, enter the DBA (doing business as) name.
    • City or Locality: Name of the city where your organization is registered/located. Do not abbreviate.
    • State or Province: Name of the state or province where your organization is located. Do not abbreviate.
    • Country: The two-letter International Organization for Standardization (ISO) format country code for where your organization is legally registered.
  2. Copy the information into the CSR file

Send us your CSR

Once you've generated your CSR, please send it to your technical contact at Affirm.

Test your API connection

You can test your API connection by sending a GET request to our charges endpoint here:

     -u "(public_api_key):(private_api_key)"
  • Was this article helpful?