Validate Certificate by using Order Types
You can validate certificates by using different order types such as INI, HIA, FUL, or FDL.
INI and HIA
When processing the INI order type, the EBICS client sends its ES certificate to the server. When processing the HIA order type, the EBICS client sends its authentication and encryption certificates to the server.
The server validates the certificates for integrity before storing them in the server database. If all the certificates (ES, authentication, and encryption) are CA-signed and the user is configured as a signatory, the status of the user is automatically set to ‘Ready’ after successful processing of the INI and HIA order types.
If any of the certificates is self-signed, the server validates the hash value of the certificate against the hash value stored in the initialization letter.
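The comparison described above for self-signed certificates can be sketched as follows. This is an added example, not code from the server product. It assumes the letter carries a SHA-256 hash of the DER-encoded certificate printed as hexadecimal; the function names are hypothetical and the certificate bytes are constructed placeholders.

```python
import hashlib
import hmac
import ssl

# Constructed placeholder bytes standing in for a DER-encoded certificate.
# They are not a real X.509 structure; only their hash matters here.
SAMPLE_DER = bytes(range(48)) * 8
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding (assumed algorithm), as lowercase hex."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def format_for_letter(hex_digest: str) -> str:
    """Print a digest the way a letter might: upper-case byte pairs on two lines."""
    pairs = [hex_digest[i:i + 2].upper() for i in range(0, len(hex_digest), 2)]
    half = len(pairs) // 2
    return " ".join(pairs[:half]) + "\n" + " ".join(pairs[half:])


def normalize_letter_hash(text: str) -> str:
    """Strip layout characters from a transcribed hash and check its shape."""
    cleaned = "".join(ch for ch in text if ch not in " :-\t\r\n").lower()
    if len(cleaned) != 64 or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("letter hash is not a 256-bit hexadecimal value")
    return cleaned


def matches_letter(pem: str, letter_hash: str) -> bool:
    """True only if the received certificate hashes to the value in the letter."""
    expected = normalize_letter_hash(letter_hash)
    return hmac.compare_digest(cert_fingerprint(pem), expected)


if __name__ == "__main__":
    letter = format_for_letter(cert_fingerprint(SAMPLE_PEM))
    print(letter)
    print("match:", matches_letter(SAMPLE_PEM, letter))
    swapped = ssl.DER_cert_to_PEM_cert(SAMPLE_DER[:-1] + b"\x00")
    print("swapped certificate match:", matches_letter(swapped, letter))
```

A malformed or truncated letter hash raises ValueError instead of being compared, so a transcription error is not mistaken for a mismatching certificate.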
FUL
When processing the FUL order type, after the initialization phase, the transfer phase is asynchronous. The client can upload multiple segments of order data. The order data can be signed by multiple signatories. A signatory is not necessarily the submitter of the FUL order.
If the Prevalidate parameter in the server is set to ‘On’, the server unpacks and validates the ES certificates in the initialization phase before the client sends the order data. A partial validation (OCSP or CRL) is done at the transfer phase.
If the Prevalidate parameter in the server is set to ‘Off’, the server does not unpack the ES certificates and validates the certificates at the transfer phase.
The server validates the ES certificates that are used to sign the order data. If the ES certificate of the FUL submitter is not used to sign the order data, the server does not validate the ES certificate.
FDL
When processing the FDL order type, the server packs the order data to enable the client to download the order data. The authentication certificate is validated at each phase and the encryption certificate is validated at the initialization and transfer phases.
The encryption certificate of the client is used to encrypt the order data and is not signed. Therefore, the server performs a full validation on the authentication and encryption certificates.