Table of Contents

...

Where can I find the Open Banking root and issuing certificates?

They can be downloaded from this confluence page in the Collaboration space: /wiki/spaces/OBT/pages/1144294132

What is the Organization for the Directory transport certificates?

The Organization for the chain are:-

What is the organization unit (OU) for the Directory transport certificates?

The OUs for the chain are:-

What are the Common Name (CN) for the OBIE domains to perform the TLS MA handshake?

For MATLS for OBIE Directory services, the Directory presents a legacy OBIE transport certificate.

The common names for the chain are:-

What is the Common Name (CN) for the OBIE legacy signing certificate?

The common name = signing.

CSR validation

What CSR (certificate signing request) validation is undertaken?

This depends on the certificate type. For OB legacy transport and signing certs we check that:-

The incoming CSR contains an RSA public key of 2048 bits.
The Distinguished name contains the org id in OU and software statement id in CN.
If the CSR contains a Subject Alternate Name that the requesting org is an ASPSP.

For OBWAC/OBSEAL we check that:-

The incoming CSR contains an RSA public key of 2048 bits.
The Distinguished name contains the ETSI organizationIdentifier in its own field, and OB org ID is in the CN.
The QC Statement indicates that the type of cert (WAC/SEAL) is consistent with the requested type.
The QC Statement does not claim any PSD2 roles that the organisation does not have.

Both categories will also do simple checks, e.g., all expected name components are present, not duplicated, in the right order, etc. etc.

QTSP certificates and services

...

DigiCert have posted a very helpful blog that describes the problemsproblem: Working with Delegated OCSP Responders and EKU Chaining

...