Managing certificates and keys for users
EBICS Client supports both the Keys and the X.509 certificate types for a user's identification and authentication, encryption, and electronic signature (ES).
EBICS Client supports the following key versions:
- Electronic signature - A005 and A006
- Identification and authentication - X002
- Encryption - E002
Certificates
X.509 is the standard that defines digital certificates. EBICS Client supports the use of X.509 certificates to verify digital signatures. EBICS Client users can use one of the following certificate types:
- Self-signed certificates with hash algorithm SHA256
- CA-signed certificates
When the X.509 certificate type is used for the authentication, encryption, and ES of an EBICS Client user, an EBICS Client admin specifies the appropriate public and private keys while configuring the user profile. The EBICS Client user then shares the public key for ES with the bank through the INI (Initialization) order type, and the public keys for identification and authentication and for encryption through the HIA order type.
Note: Self-signed certificates cannot be used for electronic signatures, and consequently not for user initialization (INI order type). An EBICS Client user who uses self-signed certificates for identification and authentication and for encryption must use CA-signed certificates for electronic signatures.
EBICS Client supports a hardware keystore for the electronic signature certificate. Hardware keystore support is available only for the 3SKey hardware key type.
Keys
When the Keys type is used for the authentication, encryption, and ES of an EBICS Client user, an EBICS Client admin generates or uploads the private keys while configuring the user profile. The EBICS Client user then shares the public key for ES with the bank through the INI order type, and the public keys for identification and authentication and for encryption through the HIA order type.
Note: Use a third-party tool to generate the keys.
To create RSA keys in DER format and wrap the private key in PKCS#8 (a private-key container format, not a padding scheme), run the following OpenSSL commands for each EBICS Client user account:
- Generate a 2048-bit RSA private key in DER format:
  openssl genpkey -outform DER -out ebics_private.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048
- Derive the matching public key (a DER-encoded SubjectPublicKeyInfo):
  openssl rsa -inform DER -in ebics_private.key -pubout -outform DER -out ebics_public.der
- Write the private key as an unencrypted PKCS#8 DER structure:
  openssl pkcs8 -topk8 -inform DER -in ebics_private.key -outform DER -nocrypt -out ebics_private_pkcs8.key
The resulting files are then used when configuring the user profile:
- ebics_public.der: used as the public key (Trusted Certificate)
- ebics_private_pkcs8.key: used as the private key (System Certificate)
Because -nocrypt leaves ebics_private_pkcs8.key unencrypted, restrict its file permissions and delete the intermediate ebics_private.key once the import has succeeded.
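The following script is an added example and is not part of the EBICS Client documentation or product. It wraps the three OpenSSL commands above into a repeatable procedure, adds a SHA-256 self-signed X.509 certificate over the same key for the identification/authentication and encryption roles described in the Certificates section, and checks each artifact (2048-bit modulus, public key matching the PKCS#8 private key, sha256WithRSAEncryption on the certificate, certificate key matching the uploaded public key) before anything is imported or sent with INI/HIA. It assumes OpenSSL 1.1 or newer on PATH; the file names ebics_private.key, ebics_public.der and ebics_private_pkcs8.key are the page's own, while the certificate file name ebics_auth_cert.der, the subject name and the EBICS_OUT variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the EBICS Client documentation: generate one
# user's RSA key pair in the formats the page asks for, wrap the private key
# in PKCS#8, issue a SHA-256 self-signed X.509 certificate over the same key
# for the identification/authentication (X002) and encryption (E002) roles,
# and verify every artifact before it is imported or sent with INI/HIA.
# Assumptions: OpenSSL 1.1 or newer on PATH. The file names ebics_private.key,
# ebics_public.der and ebics_private_pkcs8.key are the page's own; the
# certificate name ebics_auth_cert.der and the subject are hypothetical.
set -eu

# Create the three key files from the page in directory $1.
ebics_make_keys() {
    dir=$1
    mkdir -p "$dir"
    # 2048-bit RSA private key, DER (openssl genpkey already emits PKCS#8).
    openssl genpkey -outform DER -out "$dir/ebics_private.key" \
        -algorithm RSA -pkeyopt rsa_keygen_bits:2048 2>/dev/null
    # Public key as a DER SubjectPublicKeyInfo: the "Trusted Certificate" file.
    openssl rsa -inform DER -in "$dir/ebics_private.key" \
        -pubout -outform DER -out "$dir/ebics_public.der" 2>/dev/null
    # Unencrypted PKCS#8 DER private key: the "System Certificate" file.
    openssl pkcs8 -topk8 -inform DER -in "$dir/ebics_private.key" \
        -outform DER -nocrypt -out "$dir/ebics_private_pkcs8.key"
    # -nocrypt means the file is plaintext key material: lock it down.
    chmod 600 "$dir/ebics_private_pkcs8.key" "$dir/ebics_private.key"
}

# Print the modulus length in bits of the DER private key $1 (empty on error).
ebics_key_bits() {
    openssl pkey -inform DER -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Succeed only if the public key derived from the PKCS#8 private key is
# byte-for-byte the ebics_public.der that will be uploaded.
ebics_keys_match() {
    openssl pkey -inform DER -in "$1/ebics_private_pkcs8.key" \
        -pubout -outform DER 2>/dev/null | cmp -s - "$1/ebics_public.der"
}

# Self-signed SHA-256 certificate over the same key. Per the page this may
# back X002 and E002 only; the ES (A005/A006) needs a CA-signed certificate.
ebics_make_selfsigned_cert() {
    dir=$1
    openssl req -new -x509 -sha256 -days 365 \
        -key "$dir/ebics_private_pkcs8.key" -keyform DER \
        -subj "/CN=ebics-example-user" \
        -outform DER -out "$dir/ebics_auth_cert.der" 2>/dev/null
}

# Print the signature algorithm of the DER certificate $1, e.g.
# sha256WithRSAEncryption; anything else fails the SHA256 requirement.
ebics_cert_sigalg() {
    openssl x509 -inform DER -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeed only if the certificate carries the public key in ebics_public.der
# (both commands print the same SubjectPublicKeyInfo as PEM).
ebics_cert_matches_key() {
    a=$(openssl x509 -inform DER -in "$1/ebics_auth_cert.der" -noout -pubkey 2>/dev/null)
    b=$(openssl pkey -pubin -inform DER -in "$1/ebics_public.der" 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage: EBICS_OUT=./user-keys sh this_script.sh
if [ -n "${EBICS_OUT:-}" ]; then
    ebics_make_keys "$EBICS_OUT"
    ebics_make_selfsigned_cert "$EBICS_OUT"
    echo "key bits: $(ebics_key_bits "$EBICS_OUT/ebics_private_pkcs8.key")"
    ebics_keys_match "$EBICS_OUT" && echo "public key matches private key"
    echo "cert signature: $(ebics_cert_sigalg "$EBICS_OUT/ebics_auth_cert.der")"
    ebics_cert_matches_key "$EBICS_OUT" && echo "certificate matches key"
fi
```

The checks are the ones worth running before a user profile is configured: a key that is not 2048 bits, a public key that does not correspond to the PKCS#8 file, or a certificate signed with anything other than SHA-256 will be rejected or, worse, accepted and then fail at the bank during INI/HIA processing. Keep the self-signed certificate to the identification/authentication and encryption roles; the electronic signature still requires a CA-signed certificate.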