Certificates and Trusted CA Certificates - SecureApiGateway/SecureApiGateway GitHub Wiki

Conceptually each deployment requires a number of digital certificates. Some are used for SSL transport layer encryption and identification, and some are used to sign payloads to provide integrity and non-repudiation.

We have two different categories of endpoints in the system: Open Banking APIs, and other APIs and UIs (Non-Open Banking APIs). Each is protected by different certificates.

Open Banking APIs

The Open Banking APIs (in a production system) are protected by certificates issued and signed by the Open Banking Implementation Entity. These certificates are created by uploading certificate signing requests (CSRs) to the Open Banking Directory.

For an Open Banking sandbox/test facility, the CSRs are uploaded and signed by the Open Banking Test directory (the directory sandbox). The Root and intermediate certificates for this Test directory can be found here.

Open Banking Certificates

There are a number of different certificates that can be created (by uploading CSRs) by the Open Banking Directory:

  • Transport Certificates: These are essentially SSL certificates. They are used to identify the entities involved and allow the creation of a mutually authenticated TLS (mTLS) connection between them. There are two types available from the Open Banking Directory:

    • OBWAC certificates: The OBWAC certificate is a copy, or test version, of an eIDAS certificate and only identifies the Organisation that is connecting.
    • OB Transport certificates (legacy): The OB Transport certificate is issued to a specific Software Statement that belongs to an organisation in the Open Banking directory. This means it could be used to identify a specific application provided by a Third Party Provider (TPP). Do not use this legacy certificate.
  • Signing Certificates: These are used to create digital signatures for API usage, specifically in the PISP or payment initiation APIs. Again there are two types of these certificates available from the Open Banking directory:

    • OBSeal certificates: The OBSeal certificate only identifies the Organisation initiating the payment.
    • OB Signing certificates (legacy): The OB Signing certificate is issued to a specific Software Statement that belongs to an organisation in the Open Banking directory. This means it could be used to identify a specific application that is initiating the payment. Do not use this legacy certificate.
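The certificates above are obtained by uploading CSRs to the Directory. The script below is an added example, not code from the SecureApiGateway wiki or the Open Banking Implementation Entity: it generates a separate private key and CSR for the transport (OBWAC) and signing (OBSeal) roles, verifies each CSR's self-signature before it would be uploaded, and checks that the two roles do not share a key. The subject fields in OB_SUBJECT are placeholders (assumption: the real values come from your organisation record in the Open Banking Directory), and the WORKDIR, make_csr, verify_csr and distinct_keys names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the SecureApiGateway wiki): prepare and sanity-check
# CSRs for an Open Banking transport (OBWAC) and signing (OBSeal) certificate.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Placeholder subject (assumption): substitute the organisation details held in
# your Open Banking Directory record before uploading a real CSR.
OB_SUBJECT="/C=GB/O=Example TPP Ltd/CN=EXAMPLE-ORG-ID"

# make_csr NAME: create a fresh 2048-bit RSA key and a SHA-256 signed CSR for it.
# Transport and signing certificates must never share a private key, so each
# role gets its own key file; the key is kept readable by the owner only.
make_csr() {
    name="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/$name.key" 2>/dev/null
    chmod 600 "$WORKDIR/$name.key"
    openssl req -new -sha256 -key "$WORKDIR/$name.key" -subj "$OB_SUBJECT" \
        -out "$WORKDIR/$name.csr"
    printf '%s\n' "$WORKDIR/$name.csr"
}

# verify_csr FILE: check the CSR's self-signature and print its subject.
# Returns non-zero if the CSR is malformed or the signature does not match the
# embedded public key, which is what the Directory would reject on upload.
verify_csr() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$1" -noout -subject
}

# distinct_keys A B: succeed only if the two key files hold different public keys,
# guarding against accidentally reusing the transport key for signing.
distinct_keys() {
    a=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    b=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    [ "$a" != "$b" ]
}

# Usage: produce both CSRs and verify them before uploading to the Directory.
transport_csr=$(make_csr transport)
signing_csr=$(make_csr signing)
verify_csr "$transport_csr"
verify_csr "$signing_csr"
distinct_keys "$WORKDIR/transport.key" "$WORKDIR/signing.key" && echo "separate keys: OK"
```

The files written to WORKDIR are the only artefacts: the .csr files are what gets uploaded, and the .key files stay on the host that will terminate mTLS (transport) or sign payment payloads (signing), never in the Directory.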

See the following links for further information:

Non-Open Banking APIs

These APIs and UIs need to be protected with a standard SSL certificate issued by a publicly trusted certificate authority. This allows HTTPS connections for all UIs and other endpoints without clients needing to install a custom trust anchor.