Two certificates of the TPP are involved in NextGenPSD2:
- The signing certificate used to sign HTTP requests
- The client certificate used in the SSL/TLS handshake (also called "mutual TLS")
The plugin "HTTP Signature Verification Credential Extractor" provides the following features:
- Extract the original HTTP request (using Airlock environment cookies)
- Check the HTTP request signature
- Verify the signature itself: the set of headers that must be signed can be defined in the IAM configuration
- Verify that the signature was created with a signing certificate issued by a trusted issuer
- Check CRLs and OCSP responders to verify the validity of the TPP's signing certificate
- Extract the client certificate for later authentication of the TPP
- Verify that the signing certificate and the client certificate have been issued to the same TPP

Every step may fail and result in the bank API request being blocked.