Unable to upload CSR/Certificates to the Open Banking Directory
Solved this by generating a CSR on OpenSSL with the corresponding config files. eiDAS formatting is essential.
Commands:
openssl req -new -config "obseal.cnf" -out "Seal.csr" -keyout "SealPrivateKey.key"
openssl req -new -config "obwac.cnf" -out "WAC.csr" -keyout "WACPrivateKey.key"
Per BenTaylor's question above, OBWAC and OBSEAL have a hidden gem in their make-up in the form of QCStatements that map the roles specified in a Software Statement Assertion to the roles that the resultant certificates from a CSR have specified in their qcStatement OID. Here's an example of a CNF for OBSEAL:
[ req ]
default_bits = 2048
encrypt_key = no
default_md = sha256
default_keyfile = obseal.key
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = client_dn
req_extensions = client_reqext

[ client_dn ]
countryName = "GB"
organizationName = "Typical O name"
# Subject common name
commonName = "<Open Banking Directory Org ID>"

[ client_reqext ]
keyUsage = critical,digitalSignature,nonRepudiation
subjectKeyIdentifier = hash
qcStatements=DER:30713013060604008e4601063009060704008e46010602305a06060400819827023050303930110607040081982701020c065053505f504930110607040081982701030c065053505f414930110607040081982701040c065053505f49430c0c4f70656e2042616e6b696e670c0547422d4f42
If you paste the above binary code into an ASN1 decoder, you'll see the following structure emerge:
SEQUENCE (2 elem)
  SEQUENCE (2 elem)
    OBJECT IDENTIFIER 0.4.0.1862.1.6
    SEQUENCE (1 elem)
      OBJECT IDENTIFIER 0.4.0.1862.1.6.2
  SEQUENCE (2 elem)
    OBJECT IDENTIFIER 0.4.0.19495.2
    SEQUENCE (3 elem)
      SEQUENCE (3 elem)
        SEQUENCE (2 elem)
          OBJECT IDENTIFIER 0.4.0.19495.1.2
          UTF8String PSP_PI
        SEQUENCE (2 elem)
          OBJECT IDENTIFIER 0.4.0.19495.1.3
          UTF8String PSP_AI
        SEQUENCE (2 elem)
          OBJECT IDENTIFIER 0.4.0.19495.1.4
          UTF8String PSP_IC
      UTF8String Open Banking
      UTF8String GB-OB
The nodes PSP_* map OBWAC/OBSEAL certificates to software statement roles in what appears to be the following manner:
PSP_PI = PISP
PSP_AI = AISP
PSP_IC = CBPII
You can use an ASN1 editor to edit/delete nodes and derive the binary as required for both OBWAC and OBSEAL. Just bang in the binary minus the qcStatement=DER: part and be done with it. You can view the structure of the qcStatement using this web site too.
Another note is that unlike an eIDAS QSeal cert, the maximum key length for an OBSEAL seems to be 2048 bits.
Hopefully someone will find this useful as UK banks start to discard the old Open Banking signing/transport keys and implement eIDAS/OBWAC+SEAL instead. Good luck and let the fun begin. o7
I have the same problem at the moment in the production sandbox, and Open Banking is not showing any relevant errors.
Using OpenSSL version: OpenSSL 1.1.1g 21 Apr 2020
And following this pdf link for documentation which pops up over the upload field.
[ req ]
default_bits = 2048
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = client_dn
req_extensions = client_reqext

[ client_dn ]
countryName = "GB"
organizationName = "My bank Ltd"
organizationIdentifier = "OBGBR-GB-Unknown1315H25731lXE8ZIEM"
commonName = "Unknown1315H25731lXE8ZIEM"

[ client_reqext ]
keyUsage = critical,digitalSignature,nonRepudiation
subjectKeyIdentifier = hash
qcStatements=DER:3081813013060604008e4601063009060704008e46010603306a06060400819827023060303930110607040081982701010c065053505f415330110607040081982701020c065053505f504930110607040081982701030c065053505f41490c1b46696e616e6369616c20436f6e6475637420417574686f726974790c0647422d464341
The difference that I can see is with the definition of organizationIdentifier. In the docs they show how to define it if using a tool that does not support it, but the current version of OpenSSL does support it. So when printed with:
openssl asn1parse -in obwac.csr -inform PEM
Example in pdf:
66:d=5 hl=2 l= 3 prim: OBJECT :2.5.4.97
71:d=5 hl=2 l= 34 prim: UTF8STRING :PSDGB-OB-Unknown1315H25731lXE8ZIEM
New version of OpenSSL:
66:d=5 hl=2 l= 3 prim: OBJECT :organizationIdentifier
71:d=5 hl=2 l= 34 prim: UTF8STRING :OBGBR-GB-Unknown1315H25731lXE8ZIEM