Secure connections between partners
To ensure secure data exchange with KeyBank, all API integrations require mutual Transport Layer Security (mTLS). mTLS is a two-way authentication mechanism in which both sides present digital certificates issued under a public key infrastructure (PKI) framework, so that your system and KeyBank each verify the other before any sensitive financial data is exchanged.
In practice, the certificates identify both your system and KeyBank and protect the exchange of sensitive financial data. With mTLS:
- You prove your identity to KeyBank using a certificate and a private key.
- KeyBank proves its identity to you using its server certificates.
- Both parties must trust each other before any data is exchanged.
Certificate requirements
To connect to KeyBank APIs, you must have the following:
- A complete certificate chain (leaf, intermediate, and root certificates) in one file (for example, client_chain.pem, client_chain.crt, or client_chain.cer).
- A private key (for example, client.key) that is stored securely (restrictive file permissions, or an HSM or key vault) and never shared with anyone, including KeyBank.
- A Certificate Signing Request (CSR) generated from your private key. The CSR is what you submit to the CA, and it is the only artifact of the key pair that leaves your system.
- Certificates issued by a trusted Certificate Authority (CA). Self-signed certificates are not accepted.
- A certificate authority (CA) is a trusted third party that issues certificates and vouches for the identity in them, much like a digital notary. KeyBank recommends DigiCert, Verisign, Comodo, Entrust, GeoTrust, GlobalSign, GoDaddy, SecureTrust, or USERTrust (Sectigo).
Certificate chain definitions
The certificate chain file must contain the certificates in the following order:
- Leaf certificate: This is your unique mTLS client certificate for your domain or application, issued to you by the Certificate Authority (CA). It must be the first certificate in the file.
- Intermediate certificate: This certificate links your leaf (end-entity) certificate to the root. It is issued by the CA's root (or by another intermediate), not to you, and the CA supplies it along with your leaf. There can be one or more intermediates in the chain; list them in signing order, each one followed by the certificate that issued it.
- Root certificate: This is the self-signed certificate of the CA that anchors the chain. The root is normally already present in the trust store of the party validating the chain, so there is no need to add it to your server configuration.
Maintenance and renewal
You are responsible for monitoring the health and expiration of your certificates, including the intermediate certificates in your chain, which expire independently of your leaf certificate. To avoid service interruptions, renew and update your certificates before they expire.
We recommend setting reminders 60–90 days prior to expiration and coordinating renewal with KeyBank at least 30 days before the certificate expires. This ensures uninterrupted API service.
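The client-side workflow from the certificate requirements, chain order, and renewal sections above, as an added example that is not KeyBank's own tooling or documentation, driven with the openssl command line. The root and intermediate CA in the script are constructed stand-ins so that it runs offline (with a commercial CA you perform only the client steps and submit client.csr to the CA, which returns the signed leaf and its intermediates); the hostname api-client.example.com, the working directory $WORK, the file names, and the api-host placeholder in the curl comment are assumptions.

```shell
#!/bin/sh
# Added example (not KeyBank tooling): generate the client key and CSR, obtain
# a signed leaf, assemble the chain in the required order, and run the checks
# a practitioner should perform before relying on the chain.
# A throwaway root + intermediate CA is constructed locally so the script runs
# offline. Never do this for production; it only signs the example CSR.
WORK="${WORK:-$(mktemp -d)}"

# Constructed stand-in for the commercial CA (self-signed root, one intermediate).
make_stub_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.pem" -days 3650 -subj "/CN=Stub Root CA" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" \
    -out "$WORK/inter.csr" -subj "/CN=Stub Intermediate CA" 2>/dev/null
  # An intermediate must assert CA:TRUE and keyCertSign, or verification fails.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    >"$WORK/ca.ext"
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
}

# Step 1 (your side): private key created with restrictive permissions, and a
# CSR signed with it. Only client.csr ever leaves your system.
make_client_key_and_csr() {
  (umask 077 && openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/client.key" 2>/dev/null)
  openssl req -new -key "$WORK/client.key" -out "$WORK/client.csr" \
    -subj "/CN=api-client.example.com" 2>/dev/null
}

# Step 2 (CA side, simulated here): the CA signs the CSR with its intermediate
# and returns the leaf. clientAuth is the EKU an mTLS client certificate needs.
sign_client_csr() {
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\nsubjectAltName=DNS:api-client.example.com\n' \
    >"$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/client.pem" 2>/dev/null
}

# Step 3 (your side): one file, in the required order: leaf, intermediate(s), root.
assemble_chain() {
  cat "$WORK/client.pem" "$WORK/inter.pem" "$WORK/root.pem" >"$WORK/client_chain.pem"
}

# Checks to run before handing the chain to anyone.
# "openssl x509 -in FILE" reads only the first PEM block, so this tells you
# whether the leaf is really first in the chain file.
first_cert_subject() { openssl x509 -in "$WORK/client_chain.pem" -noout -subject -nameopt RFC2253; }
cert_count() { grep -c 'BEGIN CERTIFICATE' "$WORK/client_chain.pem"; }
# The leaf must chain to the root through the intermediate.
chain_verifies() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/client.pem" >/dev/null 2>&1
}
# The private key must be the one the CSR (and therefore the leaf) was built from.
key_matches_cert() {
  [ "$(openssl pkey -in "$WORK/client.key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$WORK/client.pem" -noout -pubkey)" ]
}
# Exit 0 only if the certificate in $1 is still valid $2 days from now. Run it
# from cron against every certificate in the chain, with 90 days as the
# reminder threshold and 30 days as the point to escalate renewal with KeyBank.
cert_valid_beyond() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; }

build_all() {
  make_stub_ca && make_client_key_and_csr && sign_client_csr && assemble_chain
}

# The resulting files are what the mTLS call presents, for example:
#   curl --cert "$WORK/client_chain.pem" --key "$WORK/client.key" https://<api-host>/...
# (<api-host> is a placeholder; this example does not contact KeyBank.)
```

Running `build_all` and then the checks on a freshly issued 365-day leaf gives a three-certificate chain whose first subject is the client, a chain that verifies against the root, a key that matches the leaf, and a certificate that passes the 90-day check but fails a 400-day one, which is the behaviour the renewal reminder relies on.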