iDEAL Payments Key Pair

Learn how to obtain a key pair to set up the iDEAL payments in your online store.

Seller Labs avatar
Written by Seller Labs
Updated over a week ago

To use iDEAL Payments, you must complete the iDEAL application process. You can start by choosing the "Registration" link at The process involves providing the required information about your business and completing some tests in the Rabobank iDEAL test environment. After the assessment and approval of your application and signing your contract, you will be able to activate iDEAL on your site.

You will need a signing certificate for an iDEAL applicaition. It is possible to use a self-signed certificate or purchase a certificate from a Certificate Authority (CA).

If you are going to use a self-signed certificate, you can create your public and private keys as follows:

  1. Download the “OpenSSL Library” from You can find more information on the “certificate generating utility” here.

    You may also generate the key pair using other software. If so, please use the manual that comes with your software.

  2. Generate an “RSA private key” using the following command (define a password for the field [privateKeyPass]):

    openssl genrsa –aes-128 –out priv.pem –passout pass:[privateKeyPass] 2048     

  3. Create a certificate based on the “RSA private key” (use the same password as in the previous step for the field [privateKeyPass]):

    openssl req –x509 –sha256 –new –key priv.pem –passin pass:[privateKeyPass]  
    -days 1825 –out cert.cer

    The previous OpenSSL command will generate a certificate in the X.509 format, with a validity period of 5 years (1825 days), the maximum for iDEAL signing certificates.

  4. The priv.pem file contains the private key; it needs to be kept secret. The cert.cer file contains the certificate with the public key; you need to communicate this file to Rabobank iDEAL.

Suppose you select to buy a certificate from a Certificate Authority (CA), rather than generate the certificate yourself. In that case, you should note the following: the CA signing certificate (and the rest of the certificate chain) must use hashing algorithms and key lengths that are at least as secure or better than those of the Merchant certificate. Therefore CA-certificates used to sign certificates for electronic signatures must use at least SHA-256 for hashing and 2,048 bits for RSA keys. Signing certificates should also have a maximum validity period of 5 years.

Related pages:

Did this answer your question?