Key Management for Terminals With Automatic Activation
Initial Factory Configuration
Initially, terminals should have the following certificates preloaded at the factory:
Device Key Encryption Key Certificate(DKEK-CERT) - issued by the manufacturer (Feig terminals are using the name:Terminal Key Encryption Key X.509 certificate)Device Authentication Key Certificate(DAK-CERT) - issued by the manufacturer (Feig terminals are using the name:Terminal Authenticaton Key X.509 certificate)Device CA Certificate(DCA-CERT) - issued by the manufacturer (Feig terminals are using the name:Terminal Certification Authority X.509 certificate)Device Root CA Certificate(DRCA-CERT) - issued by the manufacturer (Feig terminals are using the name:FEIG Root Certification Authority X.509 certificate)
Terminals should also have the following private keys preloaded at the factory:
Device Key Encryption Key Private Key(DKEK-PRIV) - corresponding to theDKEK-CERTcertificate.Device Authentication Key Private Key(DAK-PRIV) - corresponding to theDAK-CERTcertificate.
Terminal Certificate Exchange Process with Sfey
- Sfey support should generate a DKSK-CSR (Device Key Signing Key Certificate Request) for this terminal type and send this to the supplier for receiving DKSK-CERT (Device Key Signing Certificate).
- Terminal supplier should provide a Device CA Certificate (DCA-CERT) used for issuing Device Authentication Key Certificates (DAK-CERT) used for establishing mTLS connecton from the terminal to the TPS. Sfey support should import this certificate to the AWS API Gateway truststore used for https://device.api.sfey.com/.
- Terminal supplier should provide a DRCA-CERT (Device Root CA Certificate) used for issuing DCA-CERT (Device CA Certificate). Sfey support should import this certificate to the TPS.
- Terminal supplier should provide a DHCA-CERT (Device HSM CA Certificate) used for issuing DKSK-CERT (Device Key Singing Certificate). Sfey support should import this certificate to the TPS.
- Terminal supplier should provide a DKSK-CERT (Device Key Signing Key Certificate) for DKSK-CSR created by Sfey. Sfey support should import this certificate to the TPS.
Accessing Device API
Terminals should use mutual TLS connections for accessing TPS Device API.
For establishing a mTLS connection, terminal should use DAK-CERT certificate.
Terminal Registration
For starting a registration process, terminal should call Device API Device Registration endpoint and send
the certificate DKEK-CERT together with the DCA-CERT to the TPS.
TPS responds back with the Device Key Signing Key Certificate (DKSK-CERT).
TPS also provides a full certificate chain for this certificate.
The Terminal should verify that a certificate chain is valid and store this certificate in the local keystore.
Key Exchange
When TPS sends keys to the terminal (via the Device API Update Data endpoint), then these keys will be signed with the
Device Key Signing Key Private Key (DKSK-PRIV) and encrypted with the
Device Key Encryption Key Public Key (DKEK-PUB).
Keys will be provided in the TR-34 keyblock format.
Terminal should use stored Device Key Encryption Key Private Key (DKEK-PRIV) for decrypting the key and
use stored Device Key Signing Key Certificate (DKSK-CERT) for verifying the signature.
The following keys will be sent via Device API Update Data endpoint:
- Tokenization Key (
SALT) - this key should be used by the terminal for calculating card token from the PAN. - Terminal Data Encryption Key (
IPEK) - this key should be used by the terminal for encrypting tap data before sending this to the TPS.
Summary of Keys and Certificates Used in the Terminal
Certificates
| Certificate | Short name | Issued by | Used by the terminal for |
|---|---|---|---|
| Device Root CA Certificate | DRCA-CERT | Validating DCA-CERT and DHCA-CERT | |
| Device CA Certificate | DCA-CERT | DRCA-CERT | Validating DKEK-CERT and DAK-CERT |
| Device Key Encryption Key Certificate | DKEK-CERT | DCA-CERT | Validating DKEK-PRIV key |
| Device HSM CA Certificate | DHCA-CERT | DRCA-CERT | Validating DKEK-PRIV key |
| Device Key Signing Key Certificate | DKSK-CERT | DHCA-CERT | Verifying signature of keys received from TPS |
| Device Authentication Key Certificate | DAK-CERT | DCA-CERT | Establishing mTLS connections |
Private keys
| Private Key | Short name | Corresponding Certificate | Used by the terminal for |
|---|---|---|---|
| Device Key Encryption Key | DKEK-PRIV | DKEK-CERT | Decrypting keys received from TPS |
| Device Authentication Key Private Key | DAK-PRIV | DAK-CERT | Establishing mTLS connections |
| Sfey Tokenization Key | SALT | - | Calculating card tokens |
| Sfey Data Encryption Key | IPEK | - | Encrypting transaction data |
🔖 Frequently Asked Questions
Can the DRCA-CERT be self-signed, or does it need to be signed by a public authority?
Yes, the DRCA-CERT can be self-signed. There is no requirement for it to be signed by a public authority.
What should be the expiry period for the DRCA and intermediate certificates?
The expiry period is up to your discretion. Terminal supplier must provide an updated CA certificate once the previous one expires. In practice, root CA certificates commonly have expiry periods of 10 to 25 years.
How should we handle certificate renewal upon expiry? Do both the device and server certificates need renewal?
Typically, the device certificate expires before the CA certificate. When a device certificate expires, a new device registration is required. During this process, the new CA certificate (if renewed) will be used automatically.