Changing Safaricom API C2B Validation and Confirmation URLs

For those who have integrated into Safaricom’s M-Pesa C2B APIs via both Daraja or Broker, you may need to change the URLs probably due to change/relocation of servers or location of your services. The steps involved are just a few as laid out below. You must be the owner of the actual Paybill receiving payments to be able to request the change of URLs.

  • Write a letter to APIfeedback@safaricom.co.ke using the business/company’s official letterhead requesting for a change in URLs
  • Include the Paybill number whose URLs are being replaced and new/replacement URLs, specifying which is the validation URL and which is the confirmation URL. If you are on Broker, also include the SPID used to register the URLs in the first place.
  • Send an email with the above letter scanned into PDF to APIfeedback@safaricom.co.ke.
  • They should respond to you after the request has been processed informing you to register your new URLs asap.

M-Pesa Portal Certificates

Safaricom’s M-Pesa portal, located at https://org.ke.m-pesa.com, requires you to have a pre-installed certificate that identifies you as a “valid” entity. If you have tried accessing this site and getting something similar to the below error or another access error/failure, it means the portal has refused your connection request due to absence of the SSL Certificate identifying you.

Fig. 1: M-Pesa portal error

To acquire this certificate, these are the steps to follow:

  • Send a blank email to M-PESACertpassword@safaricom.co.ke
  • You will receive an email in response after a short while (3-10 minutes) from the same email with a username and password like the one shown below (Fig. 2):
  • Go to the site https://vmtke.ca.vodafone.com/certsrv using Internet Explorer browser. Using any other browser will shout out a warning similar to “You are not using Internet Explorer. This application will not work correctly” or worse, fail with an error along the lines of “This page has not finished loading yet” as the site still uses VB on the back-end, which is not supported by any other browser (imagine that ­čĹ┐ ). The browser will ask you for a username and password. Use the details received in the email above. The password is changed every week as specified in the email. If by any chance you cancelled the first username/password request,and subsequent requests automatically cancel, clear cookies and restart your IE browser, then try again.
Fig. 2: M-Pesa automated reply
  • Fill in the details as requested by the site, then press on Submit.
  • If you face any issues on submission e.g. the page shows the loading error below (Fig. 3), it means the browser is not yet compatible or has blocked some elements of the site. Try the steps shown after this to try and fix the problem
    • Go to Tools -> Compatibility View Settings
    • Add the site vodafone.com to the Compatibility View list
    • Go to Tools -> Internet Options -> Advanced
    • Under the Settings section, look for the options Use SSL 3.0, Use TLS 1.0, ┬áUse TLS 1.1 and Use TLS 1.2 and check them all.
    • Go to Tools -> Internet Options -> Security
    • Click on Trusted Sites zone, then click on Sites under it
    • Add the site https://vmtke.ca.vodafone.com to the zone list, then click on OK
    • On the same tab, under Trusted Sites, click on Default Level to reset the security level defaults and show the levels slider, then set the Security level to Low┬áon┬áthe┬áslider
    • Restart/reopen your IE browser
  • Try submitting again. If the page submits successfully, the site might show you the message shown below (Fig. 4). If so, click on Yes.┬áThe┬áresulting page then displays some info including a Request ID which can be used to track the request later on (Fig. 5).
  • Then you shall wait for between 2 – 10 days for them to process the application.
  • Once in a while, go back to the same site and click on the View the status of a pending certificate request link to view pending requests. If your request is processed, you shall get a download/install link for your certificate which you can use to download the certificate to install elsewhere, or simply install into IE if you prefer to use that browser for logging into your portal.
Fig. 3: IE Site Loading error

To install the certificate:

  • IE allows you to install the certificate automatically, but for other users, they need to download the certificate to their machines and perform the installation manually. Google for how to install custom certificates for your respective browser. The team has also provided documents on how to import and install the certificate (attached below)
  • Try loading the site https://org.ke.m-pesa.com/ again. It will ask you whether to use the newly installed certificate to identify you. Accept the prompt and you are good to go!
Fig 4. Site Confirmation Prompt
Fig. 5: Request ID received

This certificate can be installed and used on multiple machines within the same organization, thus eliminating the need to apply for a certificate for each machine BUT requires the private key associated with the certificate to be also exported. This is tricky, and requires some technical know-how. The site https://org.ke.m-pesa.com can also be run on any site able to execute JSP code and accepts custom certificates.

Hope this helps ­čÖé