Managing certificates and keys for users

EBICS Client supports both Keys and X.509 certificate types for user's identification and authentication, encryption, and electronic signatures.

EBICS Client supports the following versions:
  • Electronic signature - A005 and A006
  • Identification and authentication - X002
  • Encryption - E002

Certificates

X.509 is a standard used to define digital certificates. EBICS Client supports use of X.509 to verify digital signatures. EBICS Client users can use one of the following certificate types:
  • Self-signed certificates with hash algorithm SHA256
  • CA-signed certificates
When X.509 certificate type is used for authentication, encryption, and ES of an EBICS Client user, an EBICS Client admin specifies appropriate public and private keys while configuring the user profile. The EBICS Client user then shares the public keys for ES with the bank through the INI (Initialization) order type and public keys for identification and authentication and encryption through the HIA order type.
Note: Self-signed certificates cannot be used for electronic signatures and consequently for user initialization (INI order type). An EBICS Client user using self-signed certificates for identification and authentication and encryption, has to use CA certificates for electronic signatures.

EBICS Client supports hardware keystore for electronic signature certificate. The hardware keystore support is available only for 3SKey hardware key type.

Keys

When Keys are used for authentication, encryption, and ES of an EBICS Client user, an EBICS Client admin generates or uploads private keys while configuring the user profile. The EBICS Client user then shares the public keys for ES with the bank through the INI order type and public keys for identification and authentication and encryption through the HIA order type.
Note: Use a third-party tool to generate the keys.
To create RSA Keys in DER format and to also add PKCS8 padding for the private key, use these commands EBICS Client user accounts:
  • openssl genpkey -outform DER -out ebics_private.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048
  • openssl rsa -inform DER -in ebics_private.key -pubout -outform DER -out ebics_public.der
  • openssl pkcs8 -topk8 -inform DER -in ebics_private.key -outform DER -nocrypt -out ebics_private_pkcs8.key
These certificates are also used:
  • ebics_public.der - to be used as public key (Trusted Certificate)
  • ebics_private_pkcs8.key : to be used as private key (System Certificate)