Certificates for Communication between OPERA and TPS

For HTTPS communication between OPERA and the Token Proxy Service, a server certificate is required to be deployed on the listener at the Token Proxy Service side.

The server certificate deployed with the Token Proxy Service should be a CA signed certificate provided by the third party.

The Token Proxy Service expects the server certificate to be named OPI_Listener.pfx. The file should be located in the TPS key folder (see image below).

Similar to the certificates used between TPS and PSP, you can also use the certificate manager tool to set up the server certificate deployed at TPS side for HTTPS communication between OPERA and TPS.

Note:

For OPERA software whose version meets the minimum version requirement, the client certificates are not required to be deployed on OPERA side for token exchange functionality. You only need to load the public key for the root of the server certificate (.cer file) on OPERA side if it is not already trusted at OPERA side.

Certificates created with the Certificate Creator tool have a default expiration date of five years from the date of creation. You must update the Token Proxy Service Server Side Certificates prior to the expiration date to avoid downtime to the Token Proxy Service.

Any client that connects to the Token Proxy Service will also require the public key of the Token Proxy Service listener importing to the Trusted Root Certificate Folder in order to validate the authenticity of the Token Proxy Service.