# How to generate eIDAS certificate using OpenSSL
Most banks require you to provide a QWAC and/or QSealC certificate in order to access their Open Banking sandboxes. You can purchase test eIDAS certificates from some QTSPs, but in most cases banks don't require test certificates to be signed by a qualified trust service provider. Self-signed certificates therefore often work, as long as certain eIDAS-specific fields are present.
There are several open source utilities built by different people for generating test eIDAS certificates, but perhaps the easiest way is to use the OpenSSL command line interface, which is available on most systems.
After this post was written, OpenSSL got updated and recent versions support organizationIdentifier, so it doesn't need to be defined separately in the OIDs section of the eidas.conf file. Corresponding changes have been made to the examples below. The original eidas.conf for older OpenSSL versions is at the very end of this post.
# PSD2 certificate attributes
ETSI TS 119 495 (the technical specification for eIDAS qualified certificates in relation to PSD2) requires the organizationIdentifier and QCStatement attributes to be present in the certificates.
These attributes have the following object identifiers (OIDs):
- organizationIdentifier — 2.5.4.97
- QCStatement — 0.4.0.1862
organizationIdentifier shall contain the TPP ID in the format PSDXX-YYYY-ZZZZZZZZ (for example, PSDFI-FINFSA-29884997), where:
- XX is a 2 character ISO 3166-1 country code (for example, FI);
- YYYY is the 2-8 character identifier of the national authority that registered the TPP;
- ZZZZZZZZ is the TPP's identifier as specified by the national authority (no restrictions on the characters).
QCStatement is a complex attribute consisting of several sub-attributes, but it is usually not checked in sandbox environments, so we are not describing it here.
# Certificate Signing Request
In order to generate a certificate we first need to create a certificate signing request (CSR). It's possible to put all attributes into a configuration file and use it for generating both the QWAC and the QSealC.
Store the following example into the eidas.conf file:

```ini
oid_section = OIDs

[ req ]
distinguished_name = dn
prompt = no

[ OIDs ]
OrganizationID=2.5.4.97

[ dn ]
O=Enable Banking Oy
L=Espoo
C=FI
OrganizationID=PSDFI-FINFSA-29884997
CN=enablebanking.com
```

Then run:

```sh
openssl req -new -config eidas.conf -keyout eidas.key -out eidas.csr
```

This produces eidas.csr (the certificate signing request with all necessary information) and eidas.key (the certificate's private key).
You may need to run the CSR generation twice in order to get different requests for the QWAC and the QSealC.
Values in the [ dn ] section are given just as an example and are to be replaced with values corresponding to your own organization.
# Self-signed eIDAS certificate
And now you just need to generate your eIDAS certificate. Run the following command (2 times if you need 2 different certificates):

```sh
openssl x509 -req -in eidas.csr -signkey eidas.key -out eidas.crt
```

That's it! Now eidas.crt can be shared with banks requiring it.
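As an added worked example (not part of the original post), the following POSIX shell script runs the procedure above end to end from an inline eidas.conf and then verifies the result the way a bank-side check would: it reads organizationIdentifier back from the certificate by its numeric OID 2.5.4.97 and validates the PSDXX-YYYY-ZZZZZZZZ format. It assumes the openssl CLI is on PATH and is recent enough to know organizationIdentifier; the function names are mine.

```sh
#!/bin/sh
# Added example, not the post's own script: generate a self-signed test eIDAS certificate
# and check that its subject carries organizationIdentifier (OID 2.5.4.97) in PSDXX-YYYY-ZZZZZZZZ form.
# Assumes: openssl CLI on PATH, recent enough to accept "organizationIdentifier" in the DN.
set -eu

# Writes the request config into directory $1 (DN values are the post's example values).
write_eidas_conf() {
  cat > "$1/eidas.conf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
O = Enable Banking Oy
L = Espoo
C = FI
organizationIdentifier = PSDFI-FINFSA-29884997
CN = enablebanking.com
EOF
}

# Generates key, CSR and self-signed certificate in directory $1 with file prefix $2 (e.g. qwac or qseal).
generate_test_cert() {
  dir=$1; name=$2
  # -nodes: unencrypted key so the script runs non-interactively (omit it to be asked for a passphrase)
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/eidas.conf" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr"
  openssl x509 -req -days 365 -in "$dir/$name.csr" -signkey "$dir/$name.key" -out "$dir/$name.crt"
}

# Prints the organizationIdentifier value of certificate $1, looked up by numeric OID so it
# works whichever short name the local OpenSSL build uses for 2.5.4.97.
cert_org_id() {
  openssl x509 -in "$1" -noout -subject -nameopt oid,sep_comma_plus_space \
    | sed -n 's/.*2\.5\.4\.97=\([^,]*\).*/\1/p'
}

# Returns 0 when $1 is PSD + 2-letter country code + "-" + 2-8 char NCA id + "-" + TPP id.
is_valid_psd2_org_id() {
  printf '%s\n' "$1" | grep -Eq '^PSD[A-Z]{2}-[A-Z0-9]{2,8}-.+$'
}

WORK=$(mktemp -d)
write_eidas_conf "$WORK"
generate_test_cert "$WORK" qwac
ORG_ID=$(cert_org_id "$WORK/qwac.crt")
if is_valid_psd2_org_id "$ORG_ID"; then echo "organizationIdentifier $ORG_ID: format OK"; fi
```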
# Troubleshooting and older OpenSSL versions
In case you are getting an error like the following, you probably have an old OpenSSL that doesn't yet support organizationIdentifier:

```
4380315072:error:0B083077:x509 certificate routines:X509_NAME_ENTRY_create_by_txt:invalid field name:crypto/x509/x509name.c:252:name=organizationIdentifier
```
You can try to replace eidas.conf with the following (it defines organizationIdentifier inside itself):

```ini
oid_section = OIDs

[ req ]
distinguished_name = dn
prompt = no

[ OIDs ]
organizationIdentifier=2.5.4.97

[ dn ]
O=Enable Banking Oy
L=Espoo
C=FI
organizationIdentifier=PSDFI-FINFSA-29884997
CN=enablebanking.com
```
In case you still have problems using this solution, write a comment to the post or ask on Stackoverflow with the tag