Certificate Downloader is a Java command line tool for downloading WeChat Pay APIv3 platform certificates. It obtains the certificates available to the merchant from the https://api.mch.weixin.qq.com/v3/certificates interface, decrypts them with the APIv3 key using the AES_256_GCM algorithm, and saves the decrypted certificates to the specified location.
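As an added illustration of the decryption step described above (example code written for this page, not part of the CertificateDownloader project), the following Java snippet decrypts one encrypt_certificate entry with the APIv3 key using AES-256-GCM: the nonce is the IV, associated_data is authenticated-only data, and the GCM tag is the trailing 16 bytes of the base64-decoded ciphertext. The key, nonce, associated_data and PEM body are constructed sample values; a real run takes them from the interface response.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;

/** Decrypts one encrypt_certificate entry of a /v3/certificates response (added example). */
public class PlatformCertDecryptExample {
    private static final int TAG_BITS = 128;   // GCM authentication tag length used by the API
    /** Returns the PEM text of the platform certificate; throws if the key or tag does not verify. */
    public static String decrypt(String apiV3Key, String nonce, String associatedData, String ciphertextB64)
            throws GeneralSecurityException {
        byte[] key = apiV3Key.getBytes(StandardCharsets.UTF_8);
        if (key.length != 32) throw new IllegalArgumentException("APIv3 key must be exactly 32 bytes");
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
                new GCMParameterSpec(TAG_BITS, nonce.getBytes(StandardCharsets.UTF_8)));
        // associated_data is authenticated but not encrypted; any mismatch makes doFinal() throw
        cipher.updateAAD(associatedData.getBytes(StandardCharsets.UTF_8));
        // the ciphertext field is base64(ciphertext || 16-byte GCM tag), which doFinal() checks
        byte[] plain = cipher.doFinal(Base64.getDecoder().decode(ciphertextB64));
        return new String(plain, StandardCharsets.UTF_8);
    }
    /** Helper used only to build a constructed sample the way the server side would. */
    static String encrypt(String apiV3Key, String nonce, String associatedData, String plaintext)
            throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(apiV3Key.getBytes(StandardCharsets.UTF_8), "AES"),
                new GCMParameterSpec(TAG_BITS, nonce.getBytes(StandardCharsets.UTF_8)));
        cipher.updateAAD(associatedData.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8)));
    }
    public static void main(String[] args) throws Exception {
        String apiV3Key = "0123456789abcdef0123456789abcdef";  // constructed 32-byte key, not a real one
        String nonce = "a1b2c3d4e5f6";                           // constructed 12-byte nonce
        String aad = "certificate";                               // constructed associated_data value
        String pem = "-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n";
        String ciphertext = encrypt(apiV3Key, nonce, aad, pem);
        System.out.println(decrypt(apiV3Key, nonce, aad, ciphertext));
        try {
            decrypt(apiV3Key, nonce, "tampered", ciphertext);   // wrong AAD: the tag check must fail
        } catch (AEADBadTagException e) {
            System.out.println("Rejected: GCM authentication tag did not verify");
        }
    }
}
```

The second decrypt call shows the failure mode that matters in practice: a wrong APIv3 key or altered associated_data never yields a partially decrypted certificate, only an AEADBadTagException.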
This tool uses wechatpay-apache-httpclient, Maven, picocli, gson, lombok and other libraries.
This tool has been packaged into CertificateDownloader.jar with Maven and can be downloaded from the release page.
After downloading the jar package, if you do not yet have a platform certificate, use the following command to download the certificate for the first time. For details, see FAQ - Download the certificate for the first time:
java -jar CertificateDownloader.jar -k ${apiV3key} -m ${mchId} -f ${mchPrivateKeyFilePath} -s ${mchSerialNo} -o ${outputFilePath}
If you already have a WeChat Pay platform certificate, the complete command is as follows:
java -jar CertificateDownloader.jar -k ${apiV3key} -m ${mchId} -f ${mchPrivateKeyFilePath} -s ${mchSerialNo} -o ${outputFilePath} -c ${wechatpayCertificateFilePath}
The required parameters are:
-f <privateKeyFilePath>: merchant API private key file path
-k <apiV3Key>: the key used to decrypt the certificates
-m <merchantId>: merchant number
-o <outputFilePath>: the path where the certificate is saved
-s <merchantSerialNo>: the serial number of the merchant's API certificate
The optional parameters are:
-c <wechatpayCertificatePath>: the path of the WeChat Pay platform certificate. If you do not have a certificate yet, do not pass this parameter.
You can also run java -jar CertificateDownloader.jar -h to view the help.
The tool takes the following security measures:
After downloading the certificate, if you still want to confirm that it is the genuine platform certificate, you can:
Use the openssl tool to verify the platform certificate against the certificate trust chain:
First, download the platform certificate trust chain CertTrustChain.p7b from the WeChat Pay merchant platform and convert it to PEM format:
openssl pkcs7 -print_certs -in CertTrustChain.p7b -inform der -out CertTrustChain.pem
Then use -CAfile to specify the trusted certificates and verify the downloaded platform certificate against them:
openssl verify -verbose -CAfile ./CertTrustChain.pem ./WeChatPayPlatform.pem
Responses from WeChat Pay must have their signatures verified with the platform certificate; however, the platform certificate can only be downloaded through the certificate acquisition interface itself, so the first time you obtain the certificate you run into an "infinite loop".
To break this "infinite loop", signature verification can be skipped temporarily while obtaining the certificate. That is, you can download the WeChat Pay certificate without providing the -c parameter. Once the certificate is downloaded, the tool uses the downloaded certificate to verify the signature of the response.
After downloading the certificate for the first time, we strongly recommend following the steps above on how to verify the platform certificate through the certificate trust chain, to confirm the authenticity of the certificate.