Managing certificates and keys for users

X.509 is a standard used to define digital certificates. EBICS Client supports use of X.509 to verify digital signatures. EBICS Client users can use one of the following certificate types:

• Self-signed certificates with hash algorithm SHA256
• CA-signed certificates

When X.509 certificate type is used for authentication, encryption, and ES of an EBICS Client user, an EBICS Client admin specifies appropriate public and private keys while configuring the user profile. The EBICS Client user then shares the public keys for ES with the bank through the INI (Initialization) order type and public keys for identification and authentication and encryption through the HIA order type.

When Keys are used for authentication, encryption, and ES of an EBICS Client user, an EBICS Client admin generates or uploads private keys while configuring the user profile. The EBICS Client user then shares the public keys for ES with the bank through the INI order type and public keys for identification and authentication and encryption through the HIA order type.

To create RSA Keys in DER format and to also add PKCS8 padding for the private key, use these commands EBICS Client user accounts:

• openssl genpkey -outform DER -out ebics_private.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048
• openssl rsa -inform DER -in ebics_private.key -pubout -outform DER -out ebics_public.der
• openssl pkcs8 -topk8 -inform DER -in ebics_private.key -outform DER -nocrypt -out ebics_private_pkcs8.key

These certificates are also used:

• ebics_public.der - to be used as public key (Trusted Certificate)
• ebics_private_pkcs8.key : to be used as private key (System Certificate)