3. Prerequisites

3.2 TLS certificates

In order to communicate with the Swish server use the Swish client TLS certificate in the file “Swish Merchant Test Certificate 1231181189.p12”. The file contains the Swish Merchant Test Certificate together with the complete chain of trust and the private key. The password for the private key is “swish”. The test certificate is used together with the Swish number in the file name, e.g. 123 118 11 89.

It is necessary to provide the Swish client TLS certificate together with all CA certificates up to the Swish Root CA in order to correctly set up a TLS session with the Swish API.

It is recommended to require verification of the Swish server TLS certificate and not to ignore this verification, in case your server allows you to disable server certificate verification. The Swish server TLS certificate is issued under the same Swish Root CA as the Swish Merchant Test Certificate (i.e. “Test Swish Root CA v1 Test”). The Swish Root CA certificate is available in the file mentioned above but also in a separate file “Test Swish Root CA v1 Test.pem”.

3.3 TLS for the callback endpoint

The callback endpoint has to use https on port 443 and it is highly recommended to use IP filtering as well. For the callback Swish will be acting client and the merchant server is acting server. Swish will validate the merchant callback server TLS certificate against a list of commonly recognized CAs.