Description: Generate an SSL/TLS Certificate using the Shift4 Certificate Generator with the steps below. UTG-generated certificates are used for many API interfaces, including UTG4Cloud SSL and REST. Within the documentation, you will see multiple references to Secure Sockets Layer (SSL) and Transport Layer Security (TLS). This guide along with the Decision Tree will walk you through all the processes, including:
- What is an SSL/TLS Certificate and why it's important
- Creating the certificate per requirements by the POS / PMS interface
- Installing the certificate into the UTG Stand Alone through the API tab.
- Installing within the environment (i.e., using a Microsoft utility or directly within the browser)
- Testing a transaction with the merchant to ensure proper connectivity.
- Showing a completed certificate to be installed on each computer utilizing the Shift4 UTG
Note: A USB stick, email, or Bomgar session can be utilized to place the certificate on the needed computers at the merchant's location.
For additional information regarding SSL/TLS Certificates, please review: What are SSL/TLS Certificates. For examples of completed certificates, please click on the decision tree link or Completed Certificate examples also within this document.
Please also refer to Install a Universal Transaction Gateway Certificate in Windows 7/10.
Using the Shift4 Certificate Generator to Generate an SSL/TLS Certificate
You may also refer to Completed Certificate examples within this document, or the Stonly, for how the completed certificate should appear.
- Certificate Entries Explained - Overview
- Completed Certificate Examples
- Workaround: “chrome://flags” setting (Block Insecure Private Network Requests)
On the PC with the Universal Transaction Gateway (UTG) installed, navigate to:
START > All Programs > Shift4 Payments > Shift4 Certificate Generator.exe
Tip: You can also type Shift4 Certificate Generator to have Windows locate and display the installed program.
Important: After the certificate has been created, installed inside the API thread in the UTG Tune Up, and installed in Windows 7/10 (or directly into the browser), please test the certificate by performing a browser test. Once this test has a favorable result, please ask the merchant to process a test transaction to ensure successful processing.
Please check the existing certificates installed. Before installing a new certificate (either through MMC or directly within the browser), you may need to remove a previously installed certificate that was used for the UTG.
If you do not have access to remove a certificate directly through the browser, you will need to run Microsoft Management Console (MMC) with an account that has administrative privileges and remove the certificate installed in the Local Machine store. Ensure you are not removing a certificate needed by another program at the merchant's site. Check the Issued By column and the Expiration date as additional clues. If unsure, please check with the #isv_paymentssupport chat.
Certificate Entries Explained - Overview
Entry fields in the 'Subject' section:
- Common Name: This could be the IP Address of the UTG host computer or other specific entry as needed by the interface.
The Common Name field can be set to any value. This field is to help identify the certificate's intended purpose should multiple certificates be in use. This is most commonly named after the interface it was generated for. Please refer to the completed certificate examples for the Common Name entry the interface requires.
- Organization: Enter the Property's Name, Brand Name, or Interface name. [No Special Characters]
- E-mail Address: Entries can be the property's or owner's E-mail Address
- Locality: The Property's City
- State/Province: The Property's State (USA) or Province (Canada). This entry will need to be spelled out [no state abbreviation]
- Country: The Property's 2 letter Country. US (for United States) or CA (for Canada)
Entry fields in the 'Subject Alternative Name (SAN)' and 'MISC' sections:
- Registered ID: Not used / leave blank
- DNS Tab: Enter the IP of the UTG host computer.
- [EX: https://xxx.xxx.xxx.xxx] where each x is a digit of the IP address
- Refer to the specific API requirements for the actual entry needed
- IP Tab: Enter the IP of the UTG host computer without any https:// or http://
- Not all certificates require this entry
- Serial Number: Enter the merchant's Shift4 serial number
Entry fields in the 'Certificate Generation Options' section:
- Cert Gen Options: Select either 'CA SelfSign' (used to generate multiple certificates), 'CA Intermediate', or 'Self Signed'. Refer to the specific API requirements for which of these should be check marked.
- Server Authentication (If applicable) if the certificate’s intended use is for server-side applications.
- Client Authentication (If applicable) if the certificate’s intended use is to identify clients/users.
- Cert Type:
- Select CRT or PEM based on the interface's requirements.
The CRT and PEM extensions that are used for certificates are nearly synonymous.
- EmbedKey: Place a checkmark here if this needs to be enabled.
The Embed Key in the CRT or PEM option generates a single file containing both the certificate and key. When not selected, generated CRT files will have separate key files, and private/public PEM files will be created.
The following two Date fields represent the amount of time the certificate can be used before having to be renewed.
- Date From: Set to the current date (This is the date the certificate will go into effect)
- Date To: Set to 10 Years ahead of the current date
- [EX: 11/20/2021 to 11/20/2031]
- Key Size:
- 2048 bit (requests using this certificate will be faster).
- 4096 bit (requests using this certificate will be more secure, but slower)
- Password:
- Entries here can include the hotel's property code or the merchant's zip code. This password is only used in the UTG TuneUp when loading a certificate.
- Click Generate
This may take a few moments and will automatically save the certificate to a file type based on the Cert Type. Ensure the certificate is saved to a location that can be readily accessed. You will be prompted to save one or more files.
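The "browser test" described above can also be run from a script, which doubles as a checklist for the entries made in the generator (Common Name, DNS/IP tab, Date From/Date To). The example below is added here and is not Shift4's code or part of the UTG; it uses only the Python standard library. It trusts nothing but the generated certificate file, so the handshake succeeds only if the UTG presents that exact certificate and its Subject Alternative Name matches the address used (the same decision a browser makes). The host, port, certificate path and the 90-day expiry warning threshold are assumptions to be replaced per site, and the sample certificate dictionaries are constructed for the offline self-check. Key Size and the Server/Client Authentication usages are not exposed in this dictionary and still need to be read from the certificate viewer.

```python
import socket
import ssl
import time

# Assumption: flag certificates that expire within 90 days so a renewal
# can be scheduled before the POS/PMS interface stops working.
EXPIRY_WARNING_DAYS = 90


def fetch_utg_cert(host, port, cert_path, timeout=5.0):
    """Scripted browser test: open a TLS connection to the UTG API port,
    trusting only the certificate produced by the generator, and return
    the peer certificate in the ssl.SSLSocket.getpeercert() dict format.

    The handshake fails (ssl.SSLError / CertificateError) if the UTG
    presents a different certificate or its SAN does not match `host`.
    """
    ctx = ssl.create_default_context(cafile=cert_path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _first_subject_value(cert, attr):
    """Return the first value of `attr` (e.g. 'commonName') in the Subject."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == attr:
                return value
    return None


def check_utg_cert(cert, expected_host, now=None):
    """Validate a getpeercert()-style dict against the generator guidance.

    Returns a list of findings; an empty list means every check passed.
    """
    now = time.time() if now is None else now
    findings = []

    # Common Name should identify the UTG host (its IP, 127.0.0.1 or 'localhost').
    cn = _first_subject_value(cert, "commonName")
    if not cn:
        findings.append("Common Name is empty")
    elif cn != expected_host:
        findings.append(f"Common Name {cn!r} does not match {expected_host!r}")

    # SAN entries: the IP tab must hold a bare address (no http:// or https://),
    # and the address the POS/PMS connects to must appear as a DNS or IP entry.
    san = cert.get("subjectAltName", ())
    san_dns = [v for t, v in san if t == "DNS"]
    san_ip = [v for t, v in san if t == "IP Address"]
    for v in san_ip:
        if v.startswith(("http://", "https://")):
            findings.append(f"IP SAN entry {v!r} contains a URL scheme; enter the bare address")
    if expected_host not in san_dns and expected_host not in san_ip:
        findings.append(f"{expected_host!r} is not listed in the SAN DNS or IP entries")

    # Validity window: Date From / Date To as entered in the generator.
    try:
        not_before = ssl.cert_time_to_seconds(cert["notBefore"])
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    except (KeyError, ValueError):
        findings.append("validity dates are missing or unparsable")
        return findings
    if now < not_before:
        findings.append("certificate is not yet valid (check the Date From entry)")
    if now > not_after:
        findings.append("certificate has expired (check the Date To entry)")
    elif (not_after - now) < EXPIRY_WARNING_DAYS * 86400:
        findings.append(f"certificate expires within {EXPIRY_WARNING_DAYS} days")
    return findings


# Constructed sample in getpeercert() format, matching the document's
# 11/20/2021 to 11/20/2031 example; not a real UTG certificate.
SAMPLE_GOOD_CERT = {
    "subject": ((("commonName", "192.168.8.14"),), (("organizationName", "Example Hotel"),)),
    "subjectAltName": (("DNS", "192.168.8.14"), ("IP Address", "192.168.8.14")),
    "notBefore": "Nov 20 00:00:00 2021 GMT",
    "notAfter": "Nov 20 00:00:00 2031 GMT",
}

# Constructed sample with three of the mistakes this guide warns about.
SAMPLE_BAD_CERT = {
    "subject": ((("commonName", "localhost"),),),
    "subjectAltName": (("DNS", "192.168.8.14"), ("IP Address", "https://192.168.8.14")),
    "notBefore": "Nov 20 00:00:00 2021 GMT",
    "notAfter": "Nov 20 00:00:00 2023 GMT",
}

# Fixed reference time for the offline self-check (1 June 2024 UTC).
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 01 12:00:00 2024 GMT")

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD_CERT), ("bad", SAMPLE_BAD_CERT)):
        print(name, check_utg_cert(sample, "192.168.8.14", now=SAMPLE_NOW) or "OK")
    # Live check against a UTG (placeholders; port and path are assumptions):
    # cert = fetch_utg_cert("192.168.8.14", 16448, r"C:\Shift4\Cert.crt")
    # print(check_utg_cert(cert, "192.168.8.14") or "OK")
```

Run the script on the UTG host or any PC on the same network after the certificate is installed in the UTG TuneUp; a handshake error from `fetch_utg_cert` means the UTG is not presenting the generated certificate (or the SAN does not cover the address), while findings from `check_utg_cert` point at the generator field that needs to be corrected.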
Completed Certificate examples
ChoiceAdvantage/SkyTouch
Choice properties utilizing PIN Pads require a Cloud SSL UTG configuration for their SkyTouch interface. As part of this configuration, properties must generate certificates to facilitate secure communication between systems. For more information on configuring a UTG-generated certificate inside the UTG, see the Quick Installation Guide.
The error message that may appear on the SkyTouch PMS in red lettering:
An internal error has occurred while connecting to Local Payment Terminal. Please call Property Support for assistance.
NOTE: On the IP tab, enter only the IP address of the UTG computer, with no http:// or https:// prefix (example: 192.168.3.28).
When installing this certificate into the UTG TuneUp, select UTG4Cloud SSL and ensure the API interface is described as CloudSSL.
Jonas Chorum
Note: On the DNS tab, enter the IP address of the UTG host computer (example: 192.168.8.14). There is no entry on the IP tab; leave it blank.
This will be installed in the UTG Tune API Interface as a REST interface (i.e., REST-CHORUM for the Task Description).
MICROS and Shift4 Bridge
Tips:
- The Friendly Name field may not be presented in later versions of the UTG and if available, can be skipped as it's not needed.
- Please be aware that you are typing the WORD localhost and not using the actual localhost IP on this line.
- This may also be located under another directory if the UTG was not installed to the default C:\ drive (example: D:\Shift4\Cert.crt).
This is installed into the UTG TuneUp API Interface tab as a REST certificate.
Sabre / Synxis
NOTE: On the IP tab, enter only the IP address of the UTG computer, with no http:// or https:// prefix (example: 192.168.8.14).
When installing into UTG TuneUp API, use HTTP with SSL UTG (HttpSSL).
Note: Once the certificate is installed, you will need to test and ensure there is communication between the SynXis Property Hub and the PIN Pads.
WebRezPro
NOTE: On the IP tab, enter only the IP address of the UTG computer, with no http:// or https:// prefix (example: 192.168.8.14).
Within the UTG TuneUp, ensure the API interface is set to CloudSSL.
REST API (General / Not Listed Above)
If the POS/PMS and the UTG are installed on the same computer, use the loopback address of 127.0.0.1 for both the Common Name and the DNS tab.
Note: Otherwise, on the DNS tab, enter the IP address of the UTG host computer (example: 192.168.8.14). There is no entry on the IP tab; leave it blank.
Note: You will see both a .CRT and a .KEY file saved in that directory.
Workaround: “chrome://flags” setting (Block Insecure Private Network Requests)
For callers using browser-based POS/PMS systems (like Auto Clerk or SkyTouch) that are having issues processing transactions, please perform the following steps:
Update the UTG to the latest version. If you need help doing this, please refer to: Updating the Universal Transaction Gateway (UTG), or download the latest UTG General Release version from the Shift4 Support website. (The only exception is legacy Micros Secure Suite using 4go (SS4M), which cannot go above v2304.) Re-test to see if that resolves the issue. If it doesn't, perform these additional steps:
Note: The following steps can also help if you encounter PIN pads not prompting from WebRez, an issue first seen with Chrome version 94.0.4606.61. These steps allow Chrome to be used for EMV transactions given how transactions flow in the WebRez web-based environment.
Note: Choice locations need to stay on UTG v3115 and should not be upgraded to any version newer than v3115 for the time being. If you identify a location on a newer version, you should advise them to change versions back to 3115 and either help update this or assist them with scheduling a time to make this change. This version is available at: https://myportal.shift4.com/downloads/utg2/3115/utg2setup.exe
- Type chrome://flags in the address bar, search for the "Block insecure private network requests" option, and set it to Disabled.
- Update browser certificates.
If this does not help, please escalate in the #isv_paymentssupport chat or to the Payments Support Escalations (PSE) team.