Helper scripts to help direct customers create Open Banking certificates
The following repository is not production code but will help you to generate certificates in line with the Open Banking Directory.
NOTE: These instructions are not a replacement for the Open Banking Documentation which should be read here.
Install/Upgrade OpenSSL to the latest version:
Mac
brew install libressl
OR
brew upgrade libressl
Before running the script, open config-files/obseal.cnf and config-files/obwac.cnf and make the following changes to both files:
- Update the countryName (line 31) with the 2-letter country code for your country
- Update the organizationName (line 32) to the name of your company
- Update the organizationIdentifier (line 48) to the identifier issued by your National Competent Authority (NCA), e.g.
  - For the Financial Conduct Authority (FCA), the format will be PSDGB-FCA-123456
  - For the Polish Financial Supervision Authority (PFSA), the format will be PSDPL-PFSA-1234567890
- Update the commonName (line 49) to your Organisation Id from the Open Banking Directory
- Uncomment one of the qcStatements lines in each file. You can find out which roles your entity has in the Open Banking Directory in the Competent Authority Claims under PSD2 roles:
  - If you're an AISP only, uncomment the line below # PSP_AI (line 164 in obseal.cnf and line 175 in obwac.cnf)
  - If you're a PISP only, uncomment the line below # PSP_PI (line 162 in obseal.cnf and line 173 in obwac.cnf)
  - If you have both AISP and PISP, uncomment the line below the comment # PSP_PI,PSP_AI (line 174 in obseal.cnf and line 185 in obwac.cnf)
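A pre-flight check for the edits listed above, run before generating the CSRs. This is an added example and not part of this repository; it assumes the fields appear as plain "key = value" lines as in standard OpenSSL config files, and the function names and sample values are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the repository): lint an edited obseal.cnf / obwac.cnf.
# Assumes plain OpenSSL "key = value" lines; the real files' layout may differ.

# cnf_get FILE KEY: value of the first uncommented "KEY = value" line.
cnf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' | head -n 1
}

# lint_ob_cnf FILE: print every problem found; return 0 only if there are none.
lint_ob_cnf() {
    f=$1; rc=0
    country=$(cnf_get "$f" countryName)
    orgid=$(cnf_get "$f" organizationIdentifier)
    printf '%s\n' "$country" | grep -Eq '^[A-Z]{2}$' ||
        { echo "$f: countryName '$country' is not a 2-letter code"; rc=1; }
    for key in organizationName commonName; do
        [ -n "$(cnf_get "$f" "$key")" ] || { echo "$f: $key is empty"; rc=1; }
    done
    # Shape generalised from the FCA and PFSA examples: PSD<CC>-<NCA>-<id>.
    printf '%s\n' "$orgid" | grep -Eq '^PSD[A-Z]{2}-[A-Z]{2,8}-.+$' ||
        { echo "$f: organizationIdentifier '$orgid' is not PSD<CC>-<NCA>-<id>"; rc=1; }
    # Exactly one qcStatements line may be uncommented (one role set per file).
    n=$(grep -Ec '^[[:space:]]*qcStatements[[:space:]]*=' "$f" || true)
    [ "$n" -eq 1 ] || { echo "$f: $n active qcStatements lines, expected 1"; rc=1; }
    return "$rc"
}

# write_sample FILE N: constructed sample config with N active qcStatements
# lines (0, 1 or 2). Every value is a placeholder, not real directory data.
write_sample() {
    cat > "$1" <<'EOF'
countryName = GB
organizationName = Example Ltd
organizationIdentifier = PSDGB-FCA-123456
commonName = 0000000000EXAMPLE
# PSP_AI
#qcStatements=DER:placeholder-ai
# PSP_PI
#qcStatements=DER:placeholder-pi
EOF
    [ "$2" -lt 1 ] || echo 'qcStatements=DER:placeholder-pi-ai' >> "$1"
    [ "$2" -lt 2 ] || echo 'qcStatements=DER:placeholder-ai' >> "$1"
}

# Lint the files named on the command line, e.g. config-files/obseal.cnf.
for cnf in "$@"; do lint_ob_cnf "$cnf" || true; done
```

Saved under a name of your choice, it takes config-files/obseal.cnf and config-files/obwac.cnf as arguments and prints one line per problem.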
To create the keys and certificate signing requests (CSRs) for the OB Seal and OB WAC, execute the following:
./generate_keys.sh [ss-client-id]
- Make sure you supply the software statement client-id as the only parameter
- You will be prompted initially to create a passphrase for both the OB Seal and OB WAC keys, but new keys will be generated from them without a passphrase for your use.
- A successful execution of the script will generate 6 files
Next, upload the .csr files for the OB Seal and OB WAC:
- Select OB WAC and upload the obwac .csr file
- Select OB Seal and upload the obseal .csr file
If you have done everything successfully, you should see a green notification in the UI confirming the upload was successful. Otherwise, check that you have completed all the steps to set your config and that you have selected roles you're eligible for in the dashboard.
After uploading the .csr files, make sure to check the tick box to assign both certificates to your software statement. If successful, a green pop up should appear.
You will then need to download the .pem files for each certificate in the menu options for each certificate type. You can do this by clicking on the three dots for each cert in the certificates table from the appropriate software statement view within the Open Banking Directory and selecting "Get PEM".
You can then rename the files to make them more identifiable using the following convention:
[cert-type].[company-name].SSID.[software-statement-id].KID.[cert-kid].[file-extension]
The end result should be 4 files in the format:
obwac.[company-name].SSID.[software-statement-id].KID.[obwac-cert-kid].key
obwac.[company-name].SSID.[software-statement-id].KID.[obwac-cert-kid].pem
obseal.[company-name].SSID.[software-statement-id].KID.[obseal-cert-kid].key
obseal.[company-name].SSID.[software-statement-id].KID.[obseal-cert-kid].pem
Assuming you have not changed the file names from when you created the .csr files, you should be able to use the rename_files.sh script to do this for you:
rename_files.sh \
-company-name [your-company] \
-ssid [software-statement-id] \
-obseal-pem [obseal-pem-file] \
-obseal-key [obseal-key-file] \
-obwac-pem [obwac-pem-file] \
-obwac-key [obwac-key-file]
1. Go to the Yapily Dashboard and log in
2. Go to the Certificates page
3. Click the "Add Certificate" button
4. Upload your OB Seal pem file for the certificate
5. Upload your OB Seal key file for the certificate
6. Name the certificate after either of the file names without the extension
7. Save
8. Repeat steps 3-7 for the OB WAC files