
Create a CSR (Certificate Signing Request)

Using the PSD2 API requires a valid eIDAS certificate (QWAC) to validate your TPP registration. If you are currently in the process of obtaining a PSD2 license, but you do not have a valid QWAC yet, you can request a test certificate. Using this certificate you will be able to try out the PSD2 API sandbox.

Obtaining the certificate involves the following steps:

  1. Create a CSR (Certificate Signing Request).
  2. Send the CSR via the feedback form of the developer portal.
  3. Optionally you will be asked to send additional documents that prove that you are in the process of obtaining a TPP license.
  4. Afterwards we will send you the demo certificate.

Create a CSR

A CSR or Certificate Signing Request is a block of encoded text that is given to a Certificate Authority when applying for an SSL Certificate. It is usually generated on the server where the certificate will be installed and contains information that will be included in the certificate such as the organization name, common name (domain name), locality, and country. It also contains the public key that will be included in the certificate. A private key is usually created at the same time that you create the CSR, making a key pair. In this description we will use OpenSSL to perform the required steps to create a CSR.

  1. First generate a private key with the following command:

    openssl genpkey -algorithm RSA -des3 -out private_demo.key -pkeyopt rsa_keygen_bits:4096
    
    INFO
    Please make sure that the generated private key is stored in a secure place.
  2. In the next step, create a text file (my_demo_csr.cfg) that contains the information about your company:

    my_demo_csr.cfg

    oid_section = OIDs
    
    [ req ]
    distinguished_name = req_distinguished_name
    prompt = no
    
    [ OIDs ]
    OrganizationIdentifierOID=2.5.4.97
    
    [ req_distinguished_name ]
    C = DE
    L = Munich
    O = TPP client
    CN = website.clientpp.com
    OrganizationIdentifierOID = PSDDE-NDGIT-{client-id}
    

    Please change entries C/L/O/CN/OrganizationIdentifierOID according to your company name and location.

    WARNING
    Attention
    1. For OrganizationIdentifierOID, please preserve the PSDDE-NDGIT-{client-id} format; {client-id} (line 15 of the example) should be replaced with your ID at the NCA or any other unique name (e.g. your company name: PSDDE-NDGIT-MyCompanyName).
    2. For CN, please use the domain (without a protocol prefix such as “https://”) that also provides access to your redirect URIs (if you use them during strong customer authentication (SCA)); otherwise API requests containing non-matching redirect URIs will be rejected.
  3. In the third step generate the CSR with the following command:

    openssl req -new -key private_demo.key -out demo.csr -config my_demo_csr.cfg
    
    WARNING
    In case you face the following error:
    problem creating object OrganizationIdentifierOID=2.5.4.97
    4651048384:error:08064066:object identifier routines:OBJ_create:oid exists:crypto/objects/obj_dat.c:709:
    

    Then you are using a recent version of OpenSSL, which already includes OID 2.5.4.97.

    To solve this, please use the adapted version of the config file:

    my_demo_csr.cfg

    [ req ]
    distinguished_name = req_distinguished_name
    prompt = no
    
    [ req_distinguished_name ]
    C = DE
    L = Munich
    O = TPP client
    CN = website.clientpp.com
    organizationIdentifier = PSDDE-NDGIT-{client-id}
    

    Then you should be able to generate the CSR without getting an error.

    The content of the resulting file demo.csr should look similar to this one:

    demo.csr

    -----BEGIN CERTIFICATE REQUEST-----
    [base64-encoded request body omitted]
    -----END CERTIFICATE REQUEST-----
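
A pre-flight check for the config file from step 2, covering both variants shown above and the two rules from the warning (identifier format, bare-domain CN). This is an added example, not part of the original instructions; `cfg_get` and `check_csr_cfg` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: pre-flight lint for my_demo_csr.cfg (helper names are hypothetical).

# Print the value of KEY in [ SECTION ] ("" = lines before the first section).
cfg_get() { # usage: cfg_get FILE SECTION KEY
    awk -v sec="$2" -v key="$3" '
        BEGIN { cur = "" }
        /^[ \t]*\[/ { cur = $0; gsub(/[ \t]/, "", cur)
                      sub(/^\[/, "", cur); sub(/\].*$/, "", cur); next }
        cur == sec {
            i = index($0, "="); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Return 0 if the config satisfies the rules in the warnings above, else explain.
check_csr_cfg() { # usage: check_csr_cfg FILE
    f=$1; rc=0
    cn=$(cfg_get "$f" req_distinguished_name CN)
    new=$(cfg_get "$f" req_distinguished_name organizationIdentifier)
    old=$(cfg_get "$f" req_distinguished_name OrganizationIdentifierOID)
    id=${new:-$old}
    case $cn in
        "")        echo "CN is missing"; rc=1 ;;
        *://*|*/*) echo "CN must be a bare domain without protocol or path: $cn"; rc=1 ;;
    esac
    case $id in
        "")             echo "organization identifier is missing"; rc=1 ;;
        *"{"*|*"}"*)    echo "replace the {client-id} placeholder: $id"; rc=1 ;;
        PSDDE-NDGIT-?*) : ;;
        *)              echo "keep the PSDDE-NDGIT-<id> format: $id"; rc=1 ;;
    esac
    # The custom field name only resolves if oid_section and [ OIDs ] define it.
    if [ -n "$old" ]; then
        if [ "$(cfg_get "$f" "" oid_section)" != "OIDs" ] ||
           [ "$(cfg_get "$f" OIDs OrganizationIdentifierOID)" != "2.5.4.97" ]; then
            echo "OrganizationIdentifierOID needs oid_section and [ OIDs ] = 2.5.4.97"; rc=1
        fi
    fi
    return $rc
}
```

Run `check_csr_cfg my_demo_csr.cfg` before the `openssl req -new ...` command from step 3. After generating the request, `openssl req -in demo.csr -noout -verify -subject` shows the subject that will be submitted and checks the request's self-signature.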
    

Send the CSR

Afterwards send the created CSR via the feedback form in the developer portal. Please put the CSR into the subscription section.

Optional: Provide additional Documents

If the information you provided is not sufficient to prove your TPP status, we might ask you to provide additional documents.

Receive Demo Certificate

Finally, we will send you a signed certificate, which you can use to test the PSD2 sandbox.