README
¶
eIDAS
Tools for reading and creating eIDAS certificate signing requests
Generating a Certificate Signing Request (CSR)
With Docker:
docker run -v $(pwd):/work --network none creditkudos/eidas \
-country-code GB \
-organization-name "Your Organization Limited" \
-organization-id PSDGB-FCA-123456 \
-common-name 0123456789abcdef
With go (requires go 1.11 or higher):
go get github.com/creditkudos/eidas/cmd/cli
go run github.com/creditkudos/eidas/cmd/cli \
-country-code GB \
-organization-name "Your Organization Limited" \
-organization-id PSDGB-FCA-123456 \
-common-name 0123456789abcdef
Open Banking Flags
-common-nameshould be the same as theorganisation_idfield from your entry in the Open Banking Directory.-organization-idshould be in the form ofPSD<Regulator Country Code>-<Regulator>-<Unique ID>-organization-nameshould be your official company name.-country-codeshould be an ISO 3166-1 alpha-2 country code.
Other flags
You can see the available flags with
go run github.com/creditkudos/eidas/cmd/cli -help
By default this will generate two files: out.csr and out.key containing the CSR and the private key, respectively.
It will also print the SHA256 sum of the CSR to stdout.
To print out the details of the CSR for debugging, run:
openssl req -in out.csr -text -noout -nameopt multiline
Notes on CSR format
For both QWAC and QSEAL types the following attributes are required in the CSR:
Subject
- Must contain country code, organisation name and common name.
- Must also contain the organisation ID. Organisation ID (ITU-T X.520 10/2012 Section 6.4.4) isn't supported by most tools by default (including OpenSSL and go) but this can be added to the subject as a custom name with the ASN.1 OID of
2.5.4.97. Should be something likePSDGB-FCA-123456. - It's not specified in the standards (AFAICT) but these should be in a defined order:
- Country Code (C=)
- Organization Name (O=)
- Organization ID (2.5.4.97=)
- Common Name (CN=)
Key Parameters
- Key should be 2048-bit RSA.
- Signature algorithm should be
SHA256WithRSA.
Extensions
Key Usage
- X509v3 Key Usage extension should be marked as
critical.
| QWAC | QSEAL |
|---|---|
| Digital Signature | Digital Signature |
| Non Repudiation |
Extended Key Usage
| QWAC | QSEAL |
|---|---|
| TLS Web Server Authentication | |
| TLS Web Client Authentication |
Note: For QSEAL, a CSR is expected to not have an extended key usage section at all, rather than an empty one.
Subject Key Identifier
- Should be the 160-bit SHA1 sum of the PKCS1 public key.
qcStatements
This is an extension used by eIDAS as documented here ETSI TS 119 495 Annex A. The required parameters included in this are the Competent Authority's name and ID, e.g. "Financial Conduct Authority" and "GB-FCA", and the roles the TPP requires, e.g. "PSP_AI" (Account Information).
Documentation
¶
Overview ¶
Package eidas provides tools for generating eIDAS OBWAC & OBSEAL certificate signing requests.
Index ¶
Constants ¶
This section is empty.
Variables ¶
var QCStatementsExt = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 3}
QCStatementsExt represents the qcstatements x509 extension id.
Functions ¶
func GenerateCSR ¶
func GenerateCSR( countryCode string, orgName string, orgID string, commonName string, roles []qcstatements.Role, qcType asn1.ObjectIdentifier, opts ...CertificateOption) ([]byte, *rsa.PrivateKey, error)
GenerateCSR builds a certificate signing request for an organization. qcType should be one of qcstatements.QSEALType or qcstatements.QWACType.
Types ¶
type CertificateOption ¶
type CertificateOption func(*x509.CertificateRequest)
func WithDNSName ¶
func WithDNSName(domain string) CertificateOption
WithDNSName adds the given domain as a Subject Alternate Name to the CSR.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
Package qcstatements contains functions for building and extracting qualified statements for PSD2 qualified certificates.
|
Package qcstatements contains functions for building and extracting qualified statements for PSD2 qualified certificates. |