Renew and Install Xero certificates for partner applications

To have permanent access to a customer's Xero file, a Xero Partner Application is required. More information can be found on the Xero website: https://developer.xero.com/documentation/auth-and-limits/partner-applications

To securely access the Xero Partner API, a certificate must be generated and uploaded against the partner application.




1 - Renew the X509 Certificates


1.1 - Generate the Certificate Key Pair

To generate a public/private certificate pair on a Linux OS, run the following command:

openssl req -x509 -newkey rsa:4096 -keyout [my_certificate].pem -out [my_certificate].cer -days 730 -nodes -subj "/C=AU/ST=NSW/L=Sydney/O=[MyOrganisation]/OU=IT/CN=[example.com]/emailAddress=[contact@example.com]"

Do not forget to specify your own certificate attributes in the -subj parameter:

  • C: Country
  • ST: State
  • L: City
  • O: Organization name
  • OU: Organization Unit or Department Name
  • CN: Domain name
  • emailAddress: Contact email address

The duration of the certificate is specified in days with the -days parameter. It is recommended to use a duration of 2 years (730 days, as in the command above).

1.2 - Upload the Public Certificate on Xero application

Then log in to the Xero Applications management console and upload the public key certificate (the .cer file generated in step 1.1, here xero_maestrano_dev.cer).

1.3 - Update Mnohub and Connec! components to use the Private Certificate

1.3.1 - Using Nex! deployments

Update the environment property oauth_xero_private_key with the content of the private key file (the .pem file generated in step 1.1).

1.3.2 - Using Ansible scripts

Copy the private key file into your Ansible script configuration at: mno-deploy-myproject/ansible/files/xero_certs/[environment]/privatekey.pem
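
Before uploading the .cer file and deploying the .pem file, it is worth confirming that the two belong to the same pair, that the certificate has the expected lifetime, and that the key file is not readable by other users. The script below is an added example, not part of the original procedure or of any Xero or Maestrano tooling; the function names are hypothetical and it assumes a Linux host with openssl and GNU stat.

```shell
#!/bin/sh
# Added example: checks to run on a renewed pair before upload/deployment.
# Function names are hypothetical; assumes Linux, openssl and GNU stat.

# Succeeds only if the certificate's public key equals the one derived
# from the private key, i.e. the .cer and .pem belong to the same pair.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeeds if the key file grants no permissions to group or others.
# The key is written unencrypted (-nodes), so it has no passphrase.
key_is_private() {
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run all three checks: check_renewed_pair CERT KEY [MIN_DAYS]
check_renewed_pair() {
    cert=$1 key=$2 min_days=${3:-30}
    cert_matches_key "$cert" "$key" ||
        { echo "FAIL: $key is not the private key for $cert" >&2; return 1; }
    cert_valid_for_days "$cert" "$min_days" ||
        { echo "FAIL: $cert expires within $min_days days" >&2; return 1; }
    key_is_private "$key" ||
        { echo "FAIL: $key is accessible to group or others" >&2; return 1; }
    echo "OK: $cert $(openssl x509 -in "$cert" -noout -enddate)"
}
```

After sourcing the file, run check_renewed_pair with the .cer file, the .pem file and the minimum number of days the certificate must remain valid; a non-zero exit status means the pair should not be deployed.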

2 - Entrust Certificates

The Xero Entrust Certificates have been deprecated. More information is available here: https://developer.xero.com/documentation/auth-and-limits/entrust-certificate-deprecation