# TPP certificates
source: https://developer.mastercard.com/ob-accept-payments/documentation/developer-support/production/tpp-certificates/index.md

Note: This page is only relevant to TPPs who wish to use our services while operating under their own license. Clients who want to operate using the Mastercard Open Finance Pay license can disregard this information.

PSD2 APIs require Third Party Providers (TPPs) to use qualified eIDAS certificates. These certificates are used by the PSD2 APIs to verify the identity of the TPP, both as traditional client side certificates for mutual TLS, and for electronically signing data.
These certificates are used both for TPPs acting as Account Information Service Providers (AISPs) and TPPs acting as Payment Initiation Service Providers (PISPs).

Each TPP needs to acquire two certificates:

1. QWAC (Qualified Website Authentication Certificate) - For performing mutual TLS.

2. QSealC (Qualified electronic Seal Certificate) - For signing data.

Clients of Mastercard Open Finance Pay are TPPs. To access PSD2 APIs on behalf of the TPPs, Mastercard Open Finance Pay needs to have access to the TPPs' certificates.

## Acquiring {#acquiring}

There are several Qualified Trust Service Providers (QTSPs) that issue TPP certificates.

Every TPP needs to acquire both certificates, as PSD2 APIs require both.

Each certificate can cover both Account Information Service (AIS) and Payment Initiation Service (PIS), but you must specify which roles you need when ordering, as the roles are embedded in the certificates. Once a certificate is issued, adding a role means buying a new certificate, which is costly.

Be advised that TPP certificates expire. Before expiration, new certificates need to be acquired by you and installed by Aiia Enterprise. We ask customers to share the new TPP certificates no later than 30 days before the expiration date of the old certificates. TPP certificate installation fees apply.

The TPP needs to generate the keys and submit a Certificate Signing Request (CSR) to their selected QTSP. See below for help on generating a CSR.

As QWAC certificates are also valid as TLS certificates for websites, we require that you specify both the Common Name (CN) and the Subject Alternative Name (SAN) as

    yourname-com.aiiaclient.com

where `yourname-com` is based on your company domain, with the dot replaced by a dash. For example, if your domain is `example.com`, then you should use `example-com.aiiaclient.com`. Please let us know once you have ordered the certificate, as the certificate issuer will require us to approve it (write to [openbankingeu_support@mastercard.com](mailto:openbankingeu_support@mastercard.com)). When choosing which email address to validate the certificate on, please choose `hostmaster@aiiaclient.com`.

#### Generating the Certificate Signing Request {#generating-the-certificate-signing-request}

We recommend generating Certificate Signing Requests (CSRs) using OpenSSL.

You can generate a CSR using the following OpenSSL command (the `-addext` option requires OpenSSL 1.1.1 or newer):

    openssl req -new -subj "/C=DK/CN=example-com.aiiaclient.com" \
                     -addext "subjectAltName = DNS:example-com.aiiaclient.com" \
                     -newkey rsa:2048 -keyout key.pem -out req.pem -nodes

Command argument explanation:

    req                 : perform a command regarding CSRs
    -new                : specifies that a new CSR should be made
    -subj               : specifies the subject; C is the Country Name, CN the Common Name
    -addext             : adds the subjectAltName extension carrying the DNS name outlined above
    -newkey             : specifies that a new 2048-bit RSA private key should be created
    -keyout <file name> : specifies that the generated private key should be saved into the specified file
    -out <file name>    : specifies that the CSR should be saved into the specified file
    -nodes              : specifies that the private key should be stored without a pass-phrase (unencrypted)

We do not require a pass-phrase for the private key. If you prefer to include a pass-phrase, omit the `-nodes` parameter.

If needed, we can provide further advice on key generation and issuance of CSRs [Contact Us](https://openbankingeu.mastercard.com/contact-us).
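As an added example (not part of this page or of Mastercard's tooling), the following script wraps the procedure above: it derives the required hostname from a company domain, runs the same `openssl req` command, and then checks the resulting CSR for the mistakes a QTSP would reject it for (CN and SAN not matching, wrong key type or size, broken self-signature). The hostname derivation assumes, beyond what the page states, that every dot in the domain becomes a dash and that the name is lower-cased; the `DK` country code and the file naming are our own defaults.

```shell
#!/bin/sh
# Added example, not Mastercard's code: derive the QWAC hostname, generate the
# CSR exactly as the page's openssl command does, and verify it before sending
# it to the QTSP. Assumptions (ours): all dots become dashes, name is lower-cased.
set -eu

QWAC_SUFFIX="aiiaclient.com"   # suffix required by the page

# example.com -> example-com.aiiaclient.com
qwac_hostname() {
  printf '%s.%s\n' "$(printf '%s' "$1" | tr 'A-Z.' 'a-z-')" "$QWAC_SUFFIX"
}

# Generate a 2048-bit RSA key and a CSR with matching CN and SAN in outdir.
# Prints the CSR path. The country code default is an assumption of this example.
generate_csr() {
  domain="$1"; outdir="$2"; country="${3:-DK}"
  host="$(qwac_hostname "$domain")"
  openssl req -new -subj "/C=$country/CN=$host" \
    -addext "subjectAltName = DNS:$host" \
    -newkey rsa:2048 -keyout "$outdir/$host.key.pem" \
    -out "$outdir/$host.csr.pem" -nodes
  chmod 600 "$outdir/$host.key.pem"   # the key is the TPP's identity; keep it private
  printf '%s\n' "$outdir/$host.csr.pem"
}

# Verify a CSR: CN and SAN both equal the expected hostname, the key is RSA 2048,
# and the CSR's self-signature is valid. Returns non-zero at the first failure.
verify_csr() {
  csr="$1"; expected="$2"
  text="$(openssl req -in "$csr" -noout -text)" || return 1
  # "-text" prints "CN = host" on OpenSSL 1.1.1+ and "CN=host" on older builds.
  printf '%s\n' "$text" | grep -Eq "CN ?= ?$expected(,|\$)" \
    || { echo "CN does not match $expected" >&2; return 1; }
  printf '%s\n' "$text" | grep -Eq "DNS:$expected(,|\$)" \
    || { echo "SAN does not contain DNS:$expected" >&2; return 1; }
  printf '%s\n' "$text" | grep -q 'rsaEncryption' \
    && printf '%s\n' "$text" | grep -q '(2048 bit)' \
    || { echo "key is not RSA 2048" >&2; return 1; }
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
    || { echo "CSR self-signature check failed" >&2; return 1; }
}

# Usage: sh qwac_csr.sh example.com  (writes key and CSR to a temporary directory)
if [ "${1:-}" ]; then
  dir="$(mktemp -d)"
  csr="$(generate_csr "$1" "$dir")"
  verify_csr "$csr" "$(qwac_hostname "$1")" && echo "CSR OK: $csr (key in $dir)"
fi
```

Run the verification step on any CSR before submitting it: a CN or SAN that differs from the required `yourname-com.aiiaclient.com` name is the most common reason the issuer's approval request to Mastercard fails. On OpenSSL 3.x `-nodes` still works but is an alias for `-noenc`.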

**Background**   
The requirement to set a hostname on QWAC certificates is somewhat confusing, as hostnames are a requirement for *TLS server certificates*, whereas in this flow QWAC certificates are used as *TLS client certificates*. (In mutual TLS authentication there is no concept of a hostname for the client, only for the server.) It is nevertheless a technical requirement for QWAC certificates, so issuers must ensure it is followed. Furthermore, some Account Servicing Payment Service Providers (ASPSPs) have indicated that they might in the future use the hostname specified in the QWAC for validation, which is why the certificates need to point to valid endpoints that Mastercard Open Finance Pay controls.

## Installation {#installation}

Once certificates have been acquired, they need to be made accessible to Mastercard Open Finance Pay.

TPP certificates consist of a private key and the actual certificate. Mastercard Open Finance Pay handles these two parts separately. The actual certificate, which is public, is stored by Mastercard Open Finance Pay in our key configuration.

#### Private Key Storage {#private-key-storage}

Mastercard Open Finance Pay stores the private key in its key configuration. The key is stored strongly encrypted and is only used when communicating on behalf of the client. This approach requires no setup on the client's side and keeps cryptographic operations fast.

Keys are asymmetrically encrypted in our key configuration, so that they are accessible only to the Mastercard Open Finance Pay Core system, which performs the communication with banks.

**Setup**

1. Coordinate an appropriate secure channel with Mastercard Open Finance Pay technicians and share certificates through this channel. PFX and/or PEM formats are preferred.
2. Mastercard Open Finance Pay technicians install the certificates, including encrypted private keys, into our configuration store.
3. Mastercard Open Finance Pay technicians verify that the certificate works, by initiating sessions towards one or more PSD2 APIs.

## UK Certificates {#uk-certificates}

Customers that are registered TPPs for account information services (AIS) and payment initiation services (PIS) in the UK will need to enrol with the Open Finance Directory.

To start the process, you need the following:

* Access to the [Open Finance Directory](https://directory.openbanking.org.uk/s/login/)
* Request permission from Open Finance to access the "Directory"
* URL to your Terms and Conditions
* URL to your Privacy Policy
* URL to your company logo
* Your company's website URL
* The redirect URI - this will be the same redirect URI registered with Mastercard Open Finance Pay

Once you are set up with Open Finance Directory, you need additional instructions to set up registrations with certain ASPSPs:

1. Create an Open Finance Software Statement
2. Register with specific ASPSPs via their developer portals:
   * [Barclays](https://developer.barclays.com/login)
   * [Santander](https://developer.santander.co.uk/sanuk/external/)
3. Once you have completed these steps, please send the following to us:
   * The Client ID and Secret of the ASPSP applications created with Barclays and Santander
   * Software Statement ID
   * The redirect URI - this will be the same redirect URI registered with Mastercard Open Finance Pay

## Certificate Renewal {#certificate-renewal}

Open Finance certificates are valid for 1-2 years. When the certificates are due for renewal, you will need to perform processes such as domain control validation and authorized representative validation. Your issuing QTSP will notify you some weeks prior to the expiry date with specific instructions on renewal. If the Common Name (CN) changes during renewal, new registrations with some ASPSPs may be necessary.

We recommend that TPPs complete the renewal process well ahead of time. ASPSPs have varying processes for onboarding renewed certificates, and the renewed certificate normally needs to be registered on the ASPSP's developer portal before use.

The TPP is responsible for renewing and providing the certificates to Mastercard 45 to 60 days prior to the expiration date.
