Prerequisites
Before you begin, ensure that you’ve:- Configured mTLS on your entity and have a working integration.
- Installed OpenSSL 1.1.1 or later on your machine for key pair and CSR operations.
Steps
Generate a new key pair
Generate a new Elliptic Curve Digital Signature Algorithm (ECDSA) P-256 key
pair. Circle accepts only ECDSA P-256 keys. RSA keys and other curves are
rejected.
Generate a new CSR
Generate a PKCS#10 CSR from your new key pair:Start this process at least two weeks before your current certificate
expires to allow time for Circle to process the request and for you to test
the new certificate.
Submit the CSR and receive your renewed certificate
Provide your entity ID and new CSR file (Both commands must return the same SHA-256 hash. If they differ, the
certificate and key do not form a valid pair.
new-client.csr) to
Circle Support or your Circle account manager,
and request a renewed client certificate.Circle issues a renewed certificate from its private certificate authority
(CA) and delivers new-client-cert.pem and the CA certificate chain through
a secure, out-of-band channel.Confirm that the renewed certificate matches your new private key by
comparing the public key hashes:Update the certificate and key paths in your integration
Point your integration to the new certificate and key files. Update the
--cert and --key paths (or the equivalent configuration in your HTTP
client) to reference the new PEM files.Verify the new certificate with a test API call
Send a test request using the new certificate and your current API key. The
example below uses Look for
api-eu.circle.com (the MiCA-regulated hostname). If you
enabled mTLS optionally, substitute api.circle.com:SSL connection using TLSv1.3 in the verbose output and confirm
you receive a successful response.