A certificate for the OAuth 2.0 client credentials flow consists of two parts:
- Public part – an Administrator, or a user with the OAuth 2.0 Authorized Applications Management permission, uploads the public part of the certificate as part of the client credentials flow mapping process.
- Private part – the private key signs the JWT that the client sends in the POST request to the token endpoint. The private part is never uploaded; keep it in a key store or secrets manager, because anyone who holds it can obtain access tokens for the mapped integration record, role, and entity.
The certificate must meet the following requirements:
- The public part of the certificate must be in X.509 format, with a file extension of .cer, .pem, or .crt.
- The key must be RSA with a length of 3072 or 4096 bits, or EC with a length of 256, 384, or 521 bits. A 2048-bit RSA key is not accepted.
- The maximum certificate validity is two years. If the certificate is valid for a longer period, the system automatically shortens the validity to two years, so plan rotation on a two-year cycle regardless of the expiry date written in the certificate.
- One certificate can be used for only one combination of integration record, role, and entity. To use the same integration record with multiple entities or roles, you must use a different certificate for each unique combination.