Key & Certificate Lifecycle (Certificate-based Onboarding)

This section defines how partners generate, register, operate, and maintain cryptographic materials required for signing and encryption.

Generate Partner Private Key and CSR

This subsection describes the CSR workflow used to establish certificate-based trust during onboarding.

Partners generate:

  • An RSA private key (partner-owned secret).
  • A CSR containing the partner public key and identifying attributes.

CSR constraints

  • The CSR Common Name (CN) SHALL match the partner domain FQDN used for service integration.
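
As an added example (not code from the specification or from the Partner Portal), the key and CSR generation above done with OpenSSL in POSIX sh, followed by a pre-submission gate that the CSR self-signature verifies and that the CN equals the integration FQDN. The FQDN api.partner.example, the organisation name, the output directory and the 3072-bit key size are assumptions of this example. The subjectAltName entry is added as a practitioner's caveat rather than a requirement of the page: TLS validators match the SAN and ignore the CN once a SAN is present, so a CN-only CSR can satisfy the constraint above and still fail at the TLS layer.

```shell
#!/bin/sh
# Added example (not part of the specification): generate the partner RSA
# private key and a CSR whose CN is the integration FQDN, then check the CSR
# before it is submitted to the Partner Portal. FQDN, organisation name and
# output directory are constructed placeholders.
set -eu
PARTNER_FQDN="api.partner.example"
PARTNER_ORG="Example Partner Ltd"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# The private key never leaves the partner: create it with mode 0600.
gen_partner_key() {
  umask 077
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
    -out "$WORKDIR/partner.key" 2>/dev/null
  echo "$WORKDIR/partner.key"
}

# CSR with CN = FQDN. The same name is also placed in subjectAltName because
# TLS validators match SAN and ignore CN when a SAN is present.
gen_partner_csr() {
  key="$1"; fqdn="$2"
  openssl req -new -key "$key" -subj "/CN=$fqdn/O=$PARTNER_ORG" \
    -addext "subjectAltName=DNS:$fqdn" -out "$WORKDIR/partner.csr" 2>/dev/null
  echo "$WORKDIR/partner.csr"
}

# Extract the CN in a version-independent form (one RDN per line).
csr_cn() {
  openssl req -noout -subject -nameopt sep_multiline,lname -in "$1" \
    | sed -n 's/^ *commonName=//p'
}

# Pre-submission gate: CSR self-signature (proof of key possession) verifies,
# CN equals the integration FQDN, and the SAN carries the same name.
check_csr() {
  csr="$1"; fqdn="$2"
  openssl req -noout -verify -in "$csr" >/dev/null 2>&1 || return 1
  [ "$(csr_cn "$csr")" = "$fqdn" ] || return 1
  openssl req -noout -text -in "$csr" | grep -q "DNS:$fqdn"
}

# Stand-alone run: produce the pair and gate it.
KEY=$(gen_partner_key)
CSR=$(gen_partner_csr "$KEY" "$PARTNER_FQDN")
if check_csr "$CSR" "$PARTNER_FQDN"; then
  echo "CSR ready for Partner Portal upload: $CSR (CN=$(csr_cn "$CSR"))"
else
  echo "CSR rejected: CN/SAN does not match $PARTNER_FQDN" >&2; exit 1
fi
```

Run it with WORKDIR pointing at a directory only the integration account can read; the key file is created with mode 0600 and only the CSR is uploaded. The gate is worth keeping in the onboarding pipeline because a CSR whose CN was typed for a staging host is otherwise only discovered after the certificate has been issued.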

Register Certificate Information in Partner Portal

This subsection defines how onboarding-related encryption settings and certificate information are registered.

Partners configure the service encryption mode (e.g., End-to-End Encryption) and register CSR information through the Partner Portal. Multiple certificate registrations MAY be supported for staged migration, and encryption settings MAY be constrained after issuance depending on portal policy.

Certificate Identifiers and Token References

This subsection defines the identifiers used to reference onboarding artifacts in runtime tokens.

  • certificateId: Identifier issued for the certificate registered/issued via CSR onboarding; used in tokens and selected API paths.
  • partnerId: Partner identifier assigned during Partner Portal registration (the term partnerCode is also used for, or alongside, this identifier).

Key Rotation and Incident Response (Recommended)

This subsection provides an operational model for rotating key materials and responding to key compromise.

Recommended rotation

  1. Generate a new private key and CSR.
  2. Register a new certificate while keeping the existing certificate active.
  3. Begin issuing tokens with the new certificateId.
  4. Retire the old key after migration.

Incident response

  • If compromise is suspected, stop issuing tokens with the affected key immediately, generate new credentials, and rotate the operational secrets.
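
The rotation steps and the incident-response rule above, as an added example that is not part of the specification or of any Partner Portal tooling: a file-backed key store in POSIX sh with OpenSSL. Everything in it is assumed: the directory layout, the token format (certificateId followed by a base64 RSA-SHA256 signature over the payload), the sample payload, and the locally derived certificateId values (in the real flow the Partner Portal assigns certificateId when the CSR is registered). It demonstrates the property the four steps rely on: verifiers accept every active certificateId, so tokens issued with the old key stay valid during the overlap, retirement is refused for the certificate still in use, and revocation removes the key and halts issuance immediately.

```shell
#!/bin/sh
# Added example (not part of the specification): a file-backed key store that
# walks through the recommended rotation and the incident-response rule.
# Layout under $STORE (all constructed for this example):
#   $STORE/<certificateId>/partner.key  private key (partner-owned secret)
#   $STORE/<certificateId>/partner.pub  public key, standing in for the
#                                       certificate the Partner Portal issues
#   $STORE/active                       certificateIds tokens may carry
#   $STORE/signing                      certificateId used for new tokens
# certificateId values are derived from the public key here; in the real
# flow the Partner Portal assigns them when the CSR is registered.
set -eu
STORE="${STORE:-$(mktemp -d)}"
FQDN="api.partner.example"                     # constructed placeholder

# Steps 1-2: new private key + CSR, registered alongside existing ones.
register_cert() {
  tmp=$(mktemp -d); umask 077
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
    -out "$tmp/partner.key" 2>/dev/null
  openssl req -new -key "$tmp/partner.key" -subj "/CN=$FQDN" \
    -out "$tmp/partner.csr" 2>/dev/null     # would be uploaded to the Portal
  openssl pkey -in "$tmp/partner.key" -pubout -out "$tmp/partner.pub" 2>/dev/null
  id="cert-$(openssl dgst -sha256 -r "$tmp/partner.pub" | cut -c1-16)"
  mv "$tmp" "$STORE/$id"
  echo "$id" >> "$STORE/active"               # previous entries stay active
  echo "$id"
}

current_signing() { cat "$STORE/signing" 2>/dev/null || true; }

# Step 3: begin issuing tokens with the new certificateId.
switch_signing() { grep -qx "$1" "$STORE/active" && echo "$1" > "$STORE/signing"; }

# Token = certificateId "." base64(signature over payload). Refuses to sign
# when no certificate is designated, which is the post-revocation state.
issue_token() {
  id=$(current_signing); [ -n "$id" ] || return 1
  sig=$(printf '%s' "$1" | openssl dgst -sha256 -sign "$STORE/$id/partner.key" \
        | openssl base64 -A)
  echo "$id.$sig"
}

# Verifiers accept any active certificateId, so tokens issued under the old
# key keep verifying during the overlap window.
verify_token() {
  id=${1%%.*}; sig=${1#*.}
  grep -qx "$id" "$STORE/active" || return 1
  printf '%s' "$sig" | openssl base64 -d -A > "$STORE/.sig"
  printf '%s' "$2" | openssl dgst -sha256 -verify "$STORE/$id/partner.pub" \
    -signature "$STORE/.sig" >/dev/null 2>&1
}

drop_from_active() {
  grep -vx "$1" "$STORE/active" > "$STORE/active.new" || true
  mv "$STORE/active.new" "$STORE/active"; rm -rf "$STORE/$1"
}

# Step 4: retire only after migration, never the certificate still signing.
retire_cert() { [ "$1" != "$(current_signing)" ] || return 1; drop_from_active "$1"; }

# Incident response: pull the key at once; if it was the signing key, token
# issuance stops until a fresh certificate is registered and switched in.
revoke_cert() {
  [ "$1" != "$(current_signing)" ] || : > "$STORE/signing"
  drop_from_active "$1"
}

# Walkthrough of the recommended rotation (payload is constructed).
PAYLOAD='{"partnerId":"P-0001","scope":"onboarding"}'
OLD=$(register_cert); switch_signing "$OLD"
T_OLD=$(issue_token "$PAYLOAD")
NEW=$(register_cert)                 # old certificate remains active
switch_signing "$NEW"                # new tokens carry the new certificateId
T_NEW=$(issue_token "$PAYLOAD")
verify_token "$T_OLD" "$PAYLOAD" && echo "old-key token still valid during overlap"
retire_cert "$OLD"                   # only once consumers have migrated
```

In a deployment the active set is the list of certificates registered in the Partner Portal, the signing pointer is the certificateId the token issuer embeds, and the retirement decision should be driven by evidence that no consumer still presents the old certificateId (for instance, a count of verifications per certificateId over the token lifetime). Revocation deliberately does not wait for that evidence; it trades availability for containment, which is the order of priorities the incident-response bullet sets.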