Managing certificates and keys for users
EBICS Client supports both Keys and X.509 certificates for user identification and authentication, encryption, and electronic signatures (ES).
EBICS Client supports the following versions:
- Electronic signature - A005 and A006
- Identification and authentication - X002
- Encryption - E002
Certificates
X.509 is a standard used to define digital certificates. EBICS Client supports
the use of X.509 to verify digital signatures. EBICS Client users can
use one of the following certificate types:
- Self-signed certificates with hash algorithm SHA256
- CA-signed certificates
When the X.509 certificate type is used for authentication,
encryption, and ES of an EBICS Client user, an EBICS Client admin
specifies the appropriate public and private keys while configuring the
user profile. The EBICS Client user then shares the public keys for
ES with the bank through the INI (Initialization) order type, and the public
keys for identification and authentication and for encryption through
the HIA order type.
Note: Self-signed certificates cannot be used for
electronic signatures and, consequently, for user initialization (INI
order type). An EBICS Client user who uses self-signed certificates for
identification and authentication and for encryption must use CA certificates
for electronic signatures.
EBICS Client supports a hardware keystore for the electronic signature certificate. Hardware keystore support is available only for the 3SKey hardware key type.
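The certificate rules above (self-signed with SHA256 or CA-signed for identification and authentication and for encryption, CA-signed only for ES) can be checked before a certificate is assigned to a user profile. The script below is an added example, not part of EBICS Client or its documentation; it uses only the openssl command line, and the role names (auth, enc, es), function names, and sample certificates are assumptions constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not product code. Role names (auth, enc, es) and function
# names are assumptions of this example; only the openssl CLI is called.

# True when subject equals issuer and the certificate's own key verifies it.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ] &&
    openssl verify -check_ss_sig -no_check_time -CAfile "$1" "$1" >/dev/null 2>&1
}

# Outer signature algorithm name, for example sha256WithRSAEncryption.
sig_alg() {
  openssl x509 -in "$1" -noout -text | awk -F': ' '/Signature Algorithm/ {print $2; exit}'
}

# check_cert ROLE CERT: returns 0 when CERT fits the page's rules for ROLE.
check_cert() {
  local role=$1 cert=$2 alg
  openssl x509 -in "$cert" -noout 2>/dev/null || { echo "ERROR  $role: unreadable"; return 2; }
  if ! is_self_signed "$cert"; then echo "OK     $role: CA-signed"; return 0; fi
  if [ "$role" = es ]; then
    echo "REJECT $role: self-signed certificate cannot be used for ES (INI)"; return 1
  fi
  alg=$(sig_alg "$cert")
  case $alg in
    *[sS][hH][aA]256*) echo "OK     $role: self-signed, $alg" ;;
    *) echo "REJECT $role: self-signed with $alg, the page lists SHA256 only"; return 1 ;;
  esac
}

# Constructed sample input: two throwaway self-signed certificates and one
# certificate signed by a throwaway example CA (the SHA256 one doubles as CA).
make_samples() {
  local d=$1 h
  for h in sha256 sha384; do
    openssl req -x509 -newkey rsa:2048 -nodes "-$h" -days 30 -subj "/CN=Example $h" \
      -keyout "$d/ss-$h.key" -out "$d/ss-$h.pem" 2>/dev/null || return 1
  done
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example ES user" \
    -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/user.csr" -CA "$d/ss-sha256.pem" -CAkey "$d/ss-sha256.key" \
    -CAcreateserial -sha256 -days 30 -out "$d/user.pem" 2>/dev/null
}

tmp=$(mktemp -d) && make_samples "$tmp" || exit 1
for role in auth enc es; do check_cert "$role" "$tmp/ss-sha256.pem" || true; done
check_cert auth "$tmp/ss-sha384.pem" || true
check_cert es "$tmp/user.pem"
```

The SHA256 check reads only the outer signature algorithm name, so a certificate signed with RSASSA-PSS is reported as not SHA256 even when its parameters specify that hash.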
Keys
When Keys are used for authentication, encryption, and ES of an EBICS Client
user, an EBICS Client admin generates or uploads private keys while
configuring the user profile. The EBICS Client user then shares the
public keys for ES with the bank through the INI order type, and the public
keys for identification and authentication and for encryption through
the HIA order type.
Note: Use a third-party tool to generate the keys.