How to create a client certificate for use with MPI component using OpenSSL

This shows how to use OpenSSL to create a client certificate for use with the MPI component.

Date Entered: 06/07/2011    Last Updated: 06/24/2015

When creating a client certificate for use with MPI, OpenSSL can be used to generate the certificate signing request (CSR) and create a valid PFX from the resulting signed CSR. The steps to accomplish this are:

Generate CSR and Request Certificate

  1. Execute the command:
    openssl req -new -nodes -keyout 3ds.key -out 3ds.csr
  2. Paste the contents of 3ds.csr file in the PIT form online for requesting a certificate. This will result in a PEM encoded certificate, and a PEM encoded PKCS7 chain. They will also e-mail you the PKCS7 chain in binary (.p7b) format.
  3. Copy the PEM encoded certificate from the website into a new file called "3ds.crt"
  4. Execute the command:
    openssl pkcs12 -export -in 3ds.crt -inkey 3ds.key -out 3ds.pfx

The above instructions assume you have already signed up for VISA PIT testing. After following these steps you will have created a .pfx file for use with the component when communicating with the server.

Common PIT Website Errors

  • Error encountered while signing request: java.lang.ClassCastException: If you see this error from the PIT website when requesting a certificate this indicates that the CSR was not accepted. CSRs generated from certain versions of OpenSSL are not compatible with the PIT website. If you see this error it is recommended that you try a previous version of OpenSSL such as 0.9.8.
  • RDN EmailAddress contains illegal characters, legal characters are: space, uppercase A through Z, lowercase a through z, period, underscore, digits 0 through 9, and dash/hyphen. If you see this error from the PIT website this indicates that there was an issue with the email address provided when creating the CSR in OpenSSL. Re-generate the CSR and do not specify a value for the email address field.

Extract Root Certificates

In addition to creating the client certificate for use with MPI you will also need to obtain the pit-root and pit-ca certificates. To do this there are several options.

1. Execute the command:

openssl pkcs7 -in 3ds.pkcs7 -print_certs
This will output all of the certificates in the PKCS7 chain. You may then copy the individual certificates (everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- inclusive) to use in the RootCertificate property of the MPI object.


2. Follow these steps:

  1. In windows, rename the .p7 file that was e-mailed to you to have a .p7b extension. Windows will now recognize this file type.
  2. Double-click this to open a dialog that will allow you to browse the chain.
  3. Expand the tree to the Certificates node to view the pit-root/pit-ca certificates.
  4. Double click the pit-root/pit-ca certificate to open a properties dialog.
  5. From the Details tab select the Copy to File button.
  6. During export select the .CER (base64) encoded format.
  7. Once exported the contents of this file may be used with the RootCertificate property.

We appreciate your feedback.  If you have any questions, comments, or suggestions about this entry please contact our support team at