How to generate eIDAS certificate using OpenSSL

Most of the banks would require you to provide QWAC and/or QSeal certificate in order to access their Open Banking sandboxes. You are able to purchase test eIDAS certificates from some QTSPs, but in most cases the banks don't require test certificates to be signed by a qualified trust service provider. So self-signed certificates would often work, but certain eIDAS-specific fields need to be present.

There are several tools open source utilities built by different people for generating test eIDAS certificates, but perhaps the easiest is to use OpenSSL command line interface available on most of the systems.

After this post was written, OpenSSL got updated and recent versions support organizationIdentifier, so it doesn't need to be defined separetely in the OIDs section of eidas.conf file. Corresponding changes are made to the examples below. The original eidas.conf for older OpenSSL versions is at the very end of this post.

PSD2 certificate attributes

ETSI TS 119 495(technical specification for eIDAS qualified certificates in relation to PSD2) requires organizationIdentifier and QCStatement attributes to be present in the certificates.

These attributes have their object identifiers (OID):

  • organizationIdentifier — 2.5.4.97

  • QCStatement — 0.4.0.1862

organizationIdentifier shall contain TPP ID in the format PSDXX-YYYY-ZZZZZZZZ, where

  • XX is a 2 character ISO 3166-1 country code (for example, FI);

  • YYYY is 2-8 character identifier of a national authority registeed the TPP;

  • ZZZZZZZZ is the TPP's identifier as specified by the national authority (no restrictions on the characters).

QCStatement is a complex attribute consisting of several sub-attributes, but usually is not checked in sandbox environments, so we are describing it here.

Certificate Signing Request

In order to generate certificate we first need to create a certificate signing request (CSR). It's possible to put all attributes into configuration file and use it for generating both QWAC and QSealC.

Store the following example into eidas.conf file

oid_section = OIDs

[ req ]
distinguished_name = dn
prompt = no

[ OIDs ]
OrganizationID=2.5.4.97

[ dn ]
O=Enable Banking Oy
L=Espoo
C=FI
OrganizationID=PSDFI-FINFSA-29884997
CN=enablebanking.com

and run

openssl req -new -config eidas.conf -keyout eidas.key -out eidas.csr


You'll get eidas.csr (certificate signing request with all necessary information) and eidas.key (certificate private key).

You may need to run CSR generation twice in order to get different requests for QWA and QSeal certificates.

Values in the [ dn ] section are given just as an example and are to be replaced to correspond to your own organization.

Self-signed eIDAS certificate

And now you just need to generate your eIDAS certificate. Run the following command (2 times if you need 2 different certificates):

openssl x509 -req -in eidas.csr -signkey eidas.key -out eidas.crt

That's it! Now eidas.crt can be shared with banks requiring it.

Troubleshooting and older OpenSSL versions

In case you are getting error like the following, you probably have old OpenSSL that doesn't yet support organizationIdentifier.

4380315072:error:0B083077:x509 certificate routines:X509_NAME_ENTRY_create_by_txt:invalid field name:crypto/x509/x509name.c:252:name=organizationIdentifier

You can try to replace eidas.conf with the following (it defines organizationIdentifier inside itself).

oid_section = OIDs

[ req ]
distinguished_name = dn
prompt = no

[ OIDs ]
organizationIdentifier=2.5.4.97

[ dn ]
O=Enable Banking Oy
L=Espoo
C=FI
organizationIdentifier=PSDFI-FINFSA-29884997
CN=enablebanking.com

In case you still have problems using the solution, write a comment to the post or ask on Stackoverflow with tag (enablebanking).

Previous
Previous

Dynamic client registration via bank's API with eIDAS certificates