Unable to upload CSR/Certificates to the Open Banking Directory

Question

I have this error showing when I attempt to upload a Certificate request to the Open Banking Directory as an OB Signing certificate.

When I copy the message, I am given this message;

When I inspect the network requests, it seems to show an Internal Server Error (Response 500) and returns graphql. This is the response:

{"errors":[{"message":"Error: Request failed with status code 400","locations":[{"line":2,"column":3}],"path":["addCertificate"]}],"data":null}

Has this issue occurred with anyone before? I generated the CSR with Open SSL with my credentials with this command:

openssl req -new -newkey rsa:2048 -nodes -out [STATEMENT_CLIENT_ID].csr -keyout [STATEMENT_CLIENT_ID].key -subj "/C=GB/ST=/L=/O=OpenBanking/OU=[ORGANISATION_ID]/CN=[STATEMENT_CLIENT_ID]" -sha256

The tags in braces are redacted. I have also tried docker but to no gain. I'm all ears to any solutions which come my way.

Thank you for your time.

Answer 1

I have the same problem at the moment in production sandbox and the open banking is not showing any relevant errors.

Using OpenSSL version: OpenSSL 1.1.1g 21 Apr 2020 And following this here which pops up over the upload field.

And following this pdf link for documentation which pops up over the upload field.

[ req ] 
default_bits = 2048 
encrypt_key = yes 
default_md = sha256 
utf8 = yes 
string_mask = utf8only 
prompt = no 
distinguished_name = client_dn 
req_extensions = client_reqext 

[ client_dn ] 
countryName = "GB" 
organizationName = "My bank Ltd" 
organizationIdentifier = "OBGBR-GB-Unknown1315H25731lXE8ZIEM" 
commonName = "Unknown1315H25731lXE8ZIEM" 

[ client_reqext ] 
keyUsage = critical,digitalSignature,nonRepudiation 
subjectKeyIdentifier = hash 

qcStatements=DER:3081813013060604008e4601063009060704008e46010603306a06060400819827023060303930110607040081982701010c065053505f415330110607040081982701020c065053505f504930110607040081982701030c065053505f41490c1b46696e616e6369616c20436f6e6475637420417574686f726974790c0647422d464341

The differences that i can see is with the definition of organizationIdentifier. In the docs they show how to define it if using tool that does not support it but the current version of OpenSSl does support it. So when printed with:

openssl asn1parse -in obwac.csr -inform PEM

Example in pdf:

66:d=5 hl=2 l= 3 prim: OBJECT :2.5.4.97 
71:d=5 hl=2 l= 34 prim: UTF8STRING :PSDGB-OB-Unknown1315H25731lXE8ZIEM

New version of OpenSSL:

   66:d=5  hl=2 l=   3 prim: OBJECT            :organizationIdentifier
   71:d=5  hl=2 l=  34 prim: UTF8STRING        :OBGBR-GB-Unknown1315H25731lXE8ZIEM

Answer 2

Per BenTaylor's question above, OBWAC and OBSEAL have a hidden gem in their make up in the form of QCStatements that map the roles specified in a Software Statement Assertion to the roles that the resultant certificates from a CSR have specified in their qcStatement OID. Here's an example of a CNF for OBSEAL:

[ req ]
default_bits            = 2048
encrypt_key             = no
default_md              = sha256
default_keyfile         = obseal.key
utf8                    = yes
string_mask             = utf8only
prompt                  = no
distinguished_name      = client_dn
req_extensions          = client_reqext

[ client_dn ]
countryName             = "GB"
organizationName        = "Typical O name"

# Subject common name
commonName              = "<Open Banking Directory Org ID>"

[ client_reqext ]
keyUsage                = critical,digitalSignature,nonRepudiation

subjectKeyIdentifier    = hash

qcStatements=DER:30713013060604008e4601063009060704008e46010602305a06060400819827023050303930110607040081982701020c065053505f504930110607040081982701030c065053505f414930110607040081982701040c065053505f49430c0c4f70656e2042616e6b696e670c0547422d4f42

If you paste the above binary code into an ASN1 decoder, you'll see the following structure emerge:

SEQUENCE (2 elem)
  SEQUENCE (2 elem)
    OBJECT IDENTIFIER 0.4.0.1862.1.6
    SEQUENCE (1 elem)
      OBJECT IDENTIFIER 0.4.0.1862.1.6.2
  SEQUENCE (2 elem)
    OBJECT IDENTIFIER 0.4.0.19495.2
    SEQUENCE (3 elem)
      SEQUENCE (3 elem)
        SEQUENCE (2 elem)
          OBJECT IDENTIFIER 0.4.0.19495.1.2
          UTF8String PSP_PI
        SEQUENCE (2 elem)
          OBJECT IDENTIFIER 0.4.0.19495.1.3
          UTF8String PSP_AI
        SEQUENCE (2 elem)
          OBJECT IDENTIFIER 0.4.0.19495.1.4
          UTF8String PSP_IC
      UTF8String Open Banking
      UTF8String GB-OB

The nodes PSP_* map OBWAC/OBSEAL certificates to software statement roles in what appears to be the following manner:

• PSP_PI = PISP
• PSP_AI = AISP
• PSP_IC = CBPII

You can use an ASN1 editor to edit/delete nodes and derive the binary as required for both OBWAC and OBSEAL. Just bang in the binary minus the qcStatement=DER: part and be done with it. You can view the structure of the qcStatement using this web site too.

Another note is that unlike an eIDAS QSeal cert, the maximum key length for an OBSEAL seems to be 2048 bits.

Hopefully someone will find this useful as UK banks start to discard the old Open Banking signing/transport keys and implement eIDAS/OBWAC+SEAL instead. Good luck and let the fun begin. o7

Answer 3

Solved this by generating a CSR on OpenSSL with the corresponding config files. eiDAS formatting is essential.

Commands:

req -new -config "obseal.cnf" -out "Seal.csr" -keyout "SealPrivateKey.key"

req -new -config "obwac.cnf" -out "WAC.csr" -keyout "WACPrivateKey.key"