eIDAS Certificates

Under PSD2, ASPSPs will rely on eIDAS Qualified Seal Certificates (QSealCs) and Qualified Web Authentication Certificates (QWACs). These provide proof of origin, identity and data integrity services on payment initiation and account access requests, and support Mutually Authenticated Transport Layer Security (MTLS) and confidentiality for secure communications.

These Qualified Certificates will be issued by Qualified Trust Service Providers (QTSPs) in collaboration with NCAs who will provide the QTSPs with a registration number for the TPP, the PSD2 roles for which the TPP is authorised/registered and the identity of the NCA.

The existence of a Qualified Certificate is not sufficient to guarantee the identity of the owner nor the integrity of the data protected by the certificate. Each time the certificate is used and presented, the recipient must check that the certificate was issued by a QTSP, that the certificate has not expired and that the certificate has not been revoked.

Konsentus will check that the issuer of the certificate is a registered QTSP; that the certificate has not been revoked, by checking the QTSP’s Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP) server; that the certificate has not expired; and which roles the TPP identified in the certificate is authorised/registered for.

The information in the certificate will be true at the time of issue, but over time the roles for which the TPP is approved may change or be revoked. Therefore, the eIDAS certificate alone cannot be relied upon to establish the regulated status of a TPP.

This is why Konsentus always checks, in real-time, with the identified NCA what the approved and regulated status of a TPP is at the time of the transaction.

When a TPP makes an Account Information Service or a Payment Initiation Service request to an ASPSP, via an API or modified user interface, the ASPSP needs to be certain that the TPP is who they claim to be. This is achieved using eIDAS qualified certificates. These certificates will have been issued to the TPP by a QTSP who will have done a variety of checks on the TPP, including checking their regulated status on their Home NCA register, before issuing qualified certificates (QWAC and QSealC) to them.

eIDAS Certificate Contents

A PSD2 eIDAS certificate is formatted as an X.509 certificate with a number of extensions representing the PSD2-specific requirements of the certificate. Below are typical data elements that an eIDAS certificate will contain.

  • Subject Name
  • Issuer Name
  • Public Key Information
  • Electronic Signature of the QTSP
  • Roles of a PSP
  • NCA Name

What checks will Konsentus perform on a certificate?

When an ASPSP requests a TPP regulatory check from Konsentus, the following checks will be performed on the certificate (regardless of whether the certificate is a QWAC or a QSealC). Konsentus will inform the ASPSP which of the checks the TPP certificate passed and which ones failed. The TPP certificate must pass all the checks to pass the overall eIDAS check. Konsentus therefore checks:

  • It is from a trusted QTSP
  • Certificate expiry date
  • The certificate has not been tampered with
  • The TPP authorisation number
  • Revocation status of the certificate
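
The sketch below is an added example, not Konsentus code. It shows the five checks above reported individually with an all-must-pass result, and the separate point that a role listed in the certificate must still be present on the NCA register at transaction time. Assumptions: the certificate fields are already parsed into a dict, the signature result comes from an X.509 library, the authorisation number uses the ETSI TS 119 495 organizationIdentifier layout and role names, and all function names and sample data are constructed.

```python
import re
from datetime import datetime, timezone

# organizationIdentifier layout per ETSI TS 119 495: PSD<country>-<NCA id>-<PSP id>
AUTH_RE = re.compile(r"^PSD([A-Z]{2})-([A-Z]{2,8})-(.+)$")

def eidas_check(cert, now, trusted_qtsps, revoked_serials):
    """Run the five certificate checks; return (overall_pass, per-check results)."""
    results = {
        "trusted_qtsp": cert["issuer"] in trusted_qtsps,
        "not_expired": cert["not_before"] <= now <= cert["not_after"],
        # Assumption: the X.509 library verified the QTSP signature and set this flag.
        "not_tampered": cert["signature_valid"],
        # Assumption: this check means the number parses in the ETSI layout.
        "authorisation_number": AUTH_RE.match(cert["organization_identifier"]) is not None,
        "not_revoked": cert["serial"] not in revoked_serials,
    }
    return all(results.values()), results

def role_authorised_now(cert, role, nca_register):
    """Roles in the certificate are a snapshot from issuance, so the role must
    also be present in the NCA register's current entry for this TPP."""
    m = AUTH_RE.match(cert["organization_identifier"])
    if m is None:
        return False
    current_roles = nca_register.get(m.groups(), set())
    return role in cert["roles"] and role in current_roles

# Constructed sample data (placeholder country, NCA, TPP and QTSP).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
CERT = {
    "issuer": "Example QTSP CA",
    "serial": 0x1A2B,
    "not_before": datetime(2024, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc),
    "signature_valid": True,
    "organization_identifier": "PSDXX-NCA-123456",
    "roles": {"PSP_AI", "PSP_PI"},
}
TRUSTED = {"Example QTSP CA"}
# The register shows the payment initiation role withdrawn after issuance.
NCA_REGISTER = {("XX", "NCA", "123456"): {"PSP_AI"}}

if __name__ == "__main__":
    print(eidas_check(CERT, NOW, TRUSTED, revoked_serials=set()))
    print(role_authorised_now(CERT, "PSP_PI", NCA_REGISTER))
```

With the sample data the certificate passes all five checks, yet a payment initiation request is still refused because the register no longer lists that role.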