How to generate eIDAS certificate using OpenSSL
TL;DR
eIDAS Certificate Requirements: Many banks require Qualified Website Authentication Certificates (QWAC) or Qualified Electronic Seals (QSeal) with eIDAS-specific fields to access Open Banking environments. While you can purchase these certificates from qualified trust service providers (QTSPs), self-signed certificates often work in testing environments if they include the necessary eIDAS fields.
Generating Certificates with OpenSSL: OpenSSL is a widely available tool that can generate self-signed eIDAS certificates with the required attributes for PSD2 compliance. We provide a configuration and command examples for creating a certificate signing request (CSR) and generating both QWAC and QSealC certificates.
Troubleshooting for Compatibility: For users of older OpenSSL versions, the post offers troubleshooting tips, including an alternative configuration file setup, to help avoid errors when creating certificates without native support for certain fields.
Most banks require you to provide a QWAC and/or QSeal certificate in order to access their Open Banking sandboxes. You can purchase test eIDAS certificates from some QTSPs, but in most cases the banks don't require test certificates to be signed by a qualified trust service provider, so self-signed certificates often work as long as certain eIDAS-specific fields are present.
There are several open source utilities built by different people for generating test eIDAS certificates, but perhaps the easiest is to use the OpenSSL command line interface, available on most systems.
After this post was written, OpenSSL got updated and recent versions support organizationIdentifier natively, so it no longer needs to be defined separately in the OIDs section of the eidas.conf file. Corresponding changes are made to the examples below. The original eidas.conf for older OpenSSL versions is at the very end of this post.
PSD2 certificate attributes
ETSI TS 119 495 (the technical specification for eIDAS qualified certificates in relation to PSD2) requires the organizationIdentifier and QCStatement attributes to be present in the certificates.
These attributes have the following object identifiers (OIDs):
organizationIdentifier — 2.5.4.97
QCStatement — 0.4.0.1862
organizationIdentifier shall contain the TPP ID in the format PSDXX-YYYY-ZZZZZZZZ, where
XX is a 2-character ISO 3166-1 country code (for example, FI);
YYYY is the 2-8 character identifier of the national authority that registered the TPP;
ZZZZZZZZ is the TPP's identifier as specified by the national authority (no restrictions on the characters).
QCStatement is a complex attribute consisting of several sub-attributes, but it is usually not checked in sandbox environments, so we are not describing it here.
Certificate Signing Request
In order to generate a certificate we first need to create a certificate signing request (CSR). It's possible to put all attributes into a configuration file and use it for generating both QWAC and QSealC.
Store the following example into the eidas.conf file
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
O=Enable Banking Oy
L=Espoo
C=FI
organizationIdentifier=PSDFI-FINFSA-29884997
CN=enablebanking.com
and run
openssl req -new -config eidas.conf -keyout eidas.key -out eidas.csr
You'll get eidas.csr (the certificate signing request with all necessary information) and eidas.key (the certificate private key). OpenSSL asks for a pass phrase to encrypt eidas.key; add -nodes to the command (or -noenc with OpenSSL 3) if you want the key written unencrypted.
You may need to run the CSR generation twice in order to get different requests for the QWAC and QSeal certificates.
Values in the [ dn ] section are given just as an example and are to be replaced with values corresponding to your own organization.
Self-signed eIDAS certificate
And now you just need to generate your eIDAS certificate. Run the following command (twice if you need two different certificates); by default the certificate is valid for 30 days, pass -days to change that:
openssl x509 -req -in eidas.csr -signkey eidas.key -out eidas.crt
That's it! Now eidas.crt can be shared with banks requiring it.
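As an added check (example code written for this article, not part of the original post): after running the commands above, verify that the generated certificate actually carries the organizationIdentifier attribute and that its value matches the PSDXX-YYYY-ZZZZZZZZ layout from the previous section. It assumes OpenSSL 1.1.1 or newer on PATH (so organizationIdentifier is known without an OIDs section); the DN values repeat the page's sample and the temporary file names are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that a generated certificate
# really carries organizationIdentifier (OID 2.5.4.97) and that its value has the
# PSDXX-YYYY-ZZZZZZZZ layout. Assumes OpenSSL >= 1.1.1 (organizationIdentifier
# known natively) on PATH; DN values repeat the page's sample, file names are made up.

# Layout check: "PSD", 2-letter country code, 2-8 character NCA id, any TPP id.
validate_psd2_id() {
    printf '%s\n' "$1" | grep -Eq '^PSD[A-Z]{2}-[A-Z0-9]{2,8}-.+$'
}

# Print the organizationIdentifier of a PEM certificate (prints nothing if absent).
# lname = long attribute names, sep_multiline = one attribute per line.
cert_org_id() {
    openssl x509 -in "$1" -noout -subject -nameopt lname,sep_multiline \
        | sed -n 's/^[[:space:]]*organizationIdentifier=//p'
}

# Generate CSR and self-signed certificate as the post describes, then verify.
# Prints the identifier and succeeds only if it is present and well-formed.
make_and_check() {
    dir=$(mktemp -d)
    cat > "$dir/eidas.conf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
O=Enable Banking Oy
L=Espoo
C=FI
organizationIdentifier=PSDFI-FINFSA-29884997
CN=enablebanking.com
EOF
    # -nodes writes the key unencrypted so no passphrase prompt blocks a script
    openssl req -new -config "$dir/eidas.conf" -nodes \
        -keyout "$dir/eidas.key" -out "$dir/eidas.csr" 2>/dev/null
    openssl x509 -req -in "$dir/eidas.csr" -signkey "$dir/eidas.key" \
        -out "$dir/eidas.crt" 2>/dev/null
    id=$(cert_org_id "$dir/eidas.crt")
    rm -rf "$dir"
    validate_psd2_id "$id" && printf '%s\n' "$id"
}
```

Run make_and_check to see the extracted identifier; a bank sandbox that rejects the certificate usually does so because this attribute is missing or malformed.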
Troubleshooting and older OpenSSL versions
If you encounter an error similar to the one below, it is likely you’re using an older version of OpenSSL that doesn’t yet support the organizationIdentifier.
4380315072:error:0B083077:x509 certificate routines:X509_NAME_ENTRY_create_by_txt:invalid field name:crypto/x509/x509name.c:252:name=organizationIdentifier
You can try replacing eidas.conf with the following (it defines organizationIdentifier itself).
oid_section = OIDs
[ req ]
distinguished_name = dn
prompt = no
[ OIDs ]
organizationIdentifier=2.5.4.97
[ dn ]
O=Enable Banking Oy
L=Espoo
C=FI
organizationIdentifier=PSDFI-FINFSA-29884997
CN=enablebanking.com
If you still have problems using the solution, write a comment on the post or ask on Stack Overflow with the tag (enablebanking).