Plugin features

The certificate referred to as "client certificate" in this document is the X.509 certificate involved in the SSL/TLS handshake ("mutual TLS"). In PSD2 it is a QWAC (qualified website authentication certificate).

This document does not cover the signing certificates used for HTTP request signatures (see HTTP request signature verification for NextGenPSD2).

The plugin "NextGenPSD2 Certificate Authenticator" provides the following features:

  • Check validity period (if check is enabled).
  • Check status of the client certificate (check CRLs and/or OCSPs).
  • Extract "organizationIdentifier" (identifying the TPP) from the client certificate's subject DN: this value is made available as the "username" attribute for later identity propagation.
  • Extract TPP roles (one or more values of "PSP_AS", "PSP_PI", "PSP_AI", "PSP_IC" - see also mapping-to-roles list in Airlock Gateway (WAF) and IAM configuration for NextGenPSD2) from the client certificate.
  • Load technical clients from IAM's "technical client database":
    • Add technical client if not yet in IAM's "technical client database" ("on-the-fly registration"). The bank may be notified when this happens, by implementing a technical client interceptor.
    • Check if technical client has been "locked" in the IAM's technical client database. Locked technical clients may not access the bank's APIs.
    • A TPP is uniquely identified by the organizationIdentifier of the certificate's subject DN. Multiple TPP certificates with different subject DNs but belonging to the same TPP may co-exist in the IAM database.
    • Note that there is a REST API in the IAM Adminapp that allows administrators to manage the registered technical clients. See 12.6.4. Technical client in IAM and tech-clients REST API for details.
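The two extraction steps above (organizationIdentifier from the subject DN, TPP roles from the certificate) are illustrated by the following added example; it is not code from the plugin or from Airlock IAM. The page does not state how the plugin locates the roles, so the example assumes the standard PSD2 QWAC layout from ETSI TS 119 495: the roles are carried in the qcStatements extension under the PSD2 statement OID 0.4.0.19495.2, with one OID per role (0.4.0.19495.1.1 to .1.4 for PSP_AS, PSP_PI, PSP_AI, PSP_IC), and organizationIdentifier is X.520 attribute 2.5.4.97. The minimal DER reader, the helper names and all sample values (the subject DN and the NCA fields) are constructed for this example. The role name is taken from the OID, never from the free-text roleOfPspName beside it, and a subject with zero or several organizationIdentifier attributes is rejected rather than guessed.

```python
# Added example (not plugin code): extract the TPP identity and PSD2 roles
# from DER-encoded certificate fields, using only the standard library.
from typing import Optional

# OIDs from X.520 and ETSI TS 119 495 (assumed layout; see lead-in).
OID_ORGANIZATION_IDENTIFIER = "2.5.4.97"
OID_PSD2_QCSTATEMENT = "0.4.0.19495.2"
PSD2_ROLE_OIDS = {
    "0.4.0.19495.1.1": "PSP_AS",
    "0.4.0.19495.1.2": "PSP_PI",
    "0.4.0.19495.1.3": "PSP_AI",
    "0.4.0.19495.1.4": "PSP_IC",
}
SEQ, SET, OID, UTF8, PRINTABLE = 0x30, 0x31, 0x06, 0x0C, 0x13


def _read_tlv(data: bytes, pos: int):
    """Return (tag, content, next_pos) for the DER TLV starting at pos."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(raw: bytes) -> str:
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


def extract_tpp_identity(name_der: bytes) -> Optional[str]:
    """organizationIdentifier from a DER Name; None if absent, error if ambiguous."""
    tag, rdns, _ = _read_tlv(name_der, 0)
    if tag != SEQ:
        raise ValueError("subject is not a SEQUENCE")
    found, pos = [], 0
    while pos < len(rdns):
        _, rdn, pos = _read_tlv(rdns, pos)          # each RDN is a SET
        p = 0
        while p < len(rdn):
            _, atv, p = _read_tlv(rdn, p)           # AttributeTypeAndValue
            _, oid_bytes, q = _read_tlv(atv, 0)
            _, value, _ = _read_tlv(atv, q)
            if decode_oid(oid_bytes) == OID_ORGANIZATION_IDENTIFIER:
                found.append(value.decode("utf-8"))
    if len(found) > 1:
        raise ValueError("subject carries several organizationIdentifier values")
    return found[0] if found else None


def extract_psd2_roles(qc_statements_der: bytes) -> list:
    """Role names (via OID, not the free-text name) from a qcStatements value."""
    _, statements, _ = _read_tlv(qc_statements_der, 0)
    roles, pos = set(), 0
    while pos < len(statements):
        _, stmt, pos = _read_tlv(statements, pos)
        _, sid, q = _read_tlv(stmt, 0)
        if decode_oid(sid) != OID_PSD2_QCSTATEMENT:
            continue                                 # e.g. QcCompliance: skip
        _, psd2_type, _ = _read_tlv(stmt, q)         # PSD2QcType
        _, roles_seq, _ = _read_tlv(psd2_type, 0)    # rolesOfPSP comes first
        r = 0
        while r < len(roles_seq):
            _, role, r = _read_tlv(roles_seq, r)
            _, role_oid, _ = _read_tlv(role, 0)
            name = PSD2_ROLE_OIDS.get(decode_oid(role_oid))
            if name is None:
                raise ValueError("unknown PSD2 role OID in certificate")
            roles.add(name)
    return sorted(roles)


# --- constructed sample data (DER built by hand for the example) -------------
def encode_oid(dotted: str) -> bytes:
    parts = [int(p) for p in dotted.split(".")]
    body = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append((p & 0x7F) | 0x80)
            p >>= 7
        body.extend(reversed(chunk))
    return bytes(body)


def der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_subject() -> bytes:
    def atv(oid, tag, value):
        return der(SET, der(SEQ, der(OID, encode_oid(oid)) + der(tag, value.encode())))
    return der(SEQ, atv("2.5.4.6", PRINTABLE, "DE")
               + atv("2.5.4.10", UTF8, "Example TPP GmbH")
               + atv(OID_ORGANIZATION_IDENTIFIER, UTF8, "PSDDE-BAFIN-123456")
               + atv("2.5.4.3", UTF8, "tpp.example.com"))


def sample_qc_statements(role_oids) -> bytes:
    roles = b"".join(der(SEQ, der(OID, encode_oid(o)) + der(UTF8, PSD2_ROLE_OIDS[o].encode()))
                     for o in role_oids)
    psd2 = der(SEQ, der(SEQ, roles) + der(UTF8, b"Example NCA") + der(UTF8, b"DE-NCA"))
    qc_compliance = der(SEQ, der(OID, encode_oid("0.4.0.1862.1.1")))  # unrelated statement
    return der(SEQ, qc_compliance + der(SEQ, der(OID, encode_oid(OID_PSD2_QCSTATEMENT)) + psd2))


if __name__ == "__main__":
    print("username:", extract_tpp_identity(sample_subject()))
    print("roles:", extract_psd2_roles(sample_qc_statements(["0.4.0.19495.1.3", "0.4.0.19495.1.2"])))
```

The value returned by extract_tpp_identity is what the plugin description calls the "username" attribute; the sorted role list corresponds to the TPP roles that are later mapped in the Gateway/IAM role configuration. Both functions work on the raw DER of the respective field, so in a real deployment they would be fed the subject Name and the qcStatements extension value taken from an already verified client certificate.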

Scope of Certificate Verification

At least the following certificate verification tasks must be done in Airlock Gateway (WAF) (make sure Airlock Gateway (WAF) is configured accordingly):

  • Ensure a client certificate is successfully involved in the SSL/TLS handshake.
  • Ensure the issuer of the client certificate is trusted.
  • Check OCSP and CRLs (this may also be done in IAM - see below).