Skip to content
/ eidas Public

📡 🔧 Tools for reading and creating eIDAS certificate signing requests

License

MIT license
29 stars 9 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

apple/eidas

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

124 Commits
.circleci
.circleci
 
 
cmd/cli
cmd/cli
 
 
docs
docs
 
 
qcstatements
qcstatements
 
 
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
csr.go
csr.go
 
 
csr_test.go
csr_test.go
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 

Repository files navigation

CircleCI Go Reference Go Report Card

eIDAS

Tools for reading and creating eIDAS certificate signing requests

Generating a Certificate Signing Request (CSR)

With Docker:

docker run -v $(pwd):/work --network none creditkudos/eidas \
  -country-code GB \
  -organization-name "Your Organization Limited" \
  -organization-id PSDGB-FCA-123456 \
  -common-name 0123456789abcdef

With go (requires go 1.11 or higher):

go get github.com/creditkudos/eidas/cmd/cli
go run github.com/creditkudos/eidas/cmd/cli \
  -country-code GB \
  -organization-name "Your Organization Limited" \
  -organization-id PSDGB-FCA-123456 \
  -common-name 0123456789abcdef

Open Banking Flags

  • -common-name should be the same as the organisation_id field from your entry in the Open Banking Directory.
  • -organization-id should be in the form of PSD<Regulator Country Code>-<Regulator>-<Unique ID>
  • -organization-name should be your official company name.
  • -country-code should be an ISO 3166-1 alpha-2 country code.

Other flags

You can see the available flags with

go run github.com/creditkudos/eidas/cmd/cli -help

By default this will generate two files: out.csr and out.key containing the CSR and the private key, respectively.

It will also print the SHA256 sum of the CSR to stdout.

To print out the details of the CSR for debugging, run:

openssl req -in out.csr -text -noout -nameopt multiline

Notes on CSR format

For both QWAC and QSEAL types the following attributes are required in the CSR:

Subject

  • Must contain country code, organisation name and common name.
  • Must also contain the organisation ID. Organisation ID (ITU-T X.520 10/2012 Section 6.4.4) isn't supported by most tools by default (including OpenSSL and go) but this can be added to the subject as a custom name with the ASN.1 OID of 2.5.4.97. Should be something like PSDGB-FCA-123456.
  • It's not specified in the standards (AFAICT) but these should be in a defined order:
    1. Country Code (C=)
    2. Organization Name (O=)
    3. Organization ID (2.5.4.97=)
    4. Common Name (CN=)

Key Parameters

  • Key should be 2048-bit RSA.
  • Signature algorithm should be SHA256WithRSA.

Extensions

Key Usage

  • X509v3 Key Usage extension should be marked as critical.
QWAC QSEAL
Digital Signature Digital Signature
Non Repudiation

Extended Key Usage

QWAC QSEAL
TLS Web Server Authentication
TLS Web Client Authentication

Note: For QSEAL, a CSR is expected to not have an extended key usage section at all, rather than an empty one.

Subject Key Identifier

  • Should be the 160-bit SHA1 sum of the PKCS1 public key.

qcStatements

This is an extension used by eIDAS as documented here ETSI TS 119 495 Annex A. The required parameters included in this are the Competent Authority's name and ID, e.g. "Financial Conduct Authority" and "GB-FCA", and the roles the TPP requires, e.g. "PSP_AI" (Account Information).

About

📡 🔧 Tools for reading and creating eIDAS certificate signing requests

Topics

tools ck

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

29 stars

Watchers

19 watching

Forks

9 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages