OpenBanking-Brasil / specs-seguranca

Documentation of the specifications of the Open Banking Brasil Security WG. The specifications are still in draft and must not be used for implementation.

Question: Can I use an ICP certificate shared across different Organisations #130

Closed samlarsen1 closed 2 years ago

samlarsen1 commented 3 years ago

We are considering sharing TLS server certificates for our parent organisation which contains three brands, but we would also like to use the same certificate across 4 more brands that exist inside their own organisation. Can you confirm if we can share certificates like this?

e.g.

samlarsen1 commented 3 years ago

Thanks Ralph

RalphBragg commented 3 years ago

Sam - apologies. There is a more nuanced answer for Production when using ICP certificates. The Brazil Profile includes the Open Banking Organisation ID and the CNPJ in the Distinguished name and so I can not confirm what validation ICP Brazil will perform on SAN entries to confirm if they belong to the same CNPJ entity that is requesting the CSR. This check should be being performed on public EV certs.

For Sandbox, technically there is nothing stopping you doing this; indeed many banks in the UK do this anyway, especially when their authorization server is shared across multiple organisations. The SAN list for Sandbox-issued certs is not validated (we have no way of doing so); however, for Production with ICP certificates this MAY be validated and thus you might not be able to get a certificate from ICP Brazil.

You're not required to upload your Authorization Server or Resource Server certificates to the directory that you get from ICP Brazil, so you might be OK, but I cannot confirm 100%. If ICP performs extended DNS SAN validation on your CSR request then it is very likely that they may not let you use one cert.

No issues though for sandbox.

samlarsen1 commented 3 years ago

Thanks @RalphBragg, the docs are not clear for section 5.2.1 here: https://openbanking-brasil.github.io/specs-seguranca/open-banking-brasil-certificate-standards-1_ID1.html#section-5.2.1

The description does not include any organisation parameters as we do see with the client certificate definitions or the signing certificate definitions.

Please clarify if there is this requirement for server transport certificates - if so, we need to update the documentation.

5.2.1. Server Certificate

The Server Certificate must be issued to protect and authenticate the TLS channel used by the APIs that will be consumed by client applications of entities participating in Open Banking.

The certificate standard used must follow the existing certificate issuing practices of "CERTIFICATE FOR WEB SERVER - ICP-Brasil".

https://openbanking-brasil.github.io/specs-seguranca/open-banking-brasil-certificate-standards-1_ID1.html

RalphBragg commented 3 years ago

The server certificates for production are meant to be standard ICP Brazil Web Server Certificates. The latest communications from the Security Team are that ICP 'Software / Transport' certificates will support client and server auth extended attributes, so you could theoretically ask for a server certificate, linked to a software statement, and use that.

Personally I wouldn't; I would just buy a standard Certificate for Web Server with whatever SANs you need in it and be done with it. There is due to be an update published to the profiles by the Security WG shortly that shouldn't be breaking for TPPs, so perhaps asking for clarification here would be a perfect opportunity.

@DeiGratia33 @alex-siqueira
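The two comments above turn on what the SAN list of a single TLS server certificate covers and what sits in its Distinguished Name. The following is an added example, not code from this repository or from the thread's participants: it builds a self-signed stand-in for an ICP-Brasil web server certificate with one Organization, a placeholder where a CNPJ would appear in the DN, and SAN entries for several brand hostnames, then checks which hostnames a TLS client would accept it for. The brand hostnames, organisation name and CNPJ placeholder are constructed values; a real ICP-Brasil certificate comes from the CA, which (as Ralph notes) may validate the SAN list against the requesting entity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// BrandHosts is a constructed set of hostnames for one parent organisation's
// brands; these are placeholders, not real Open Banking Brasil participants.
var BrandHosts = []string{
	"api.brand-a.example",
	"api.brand-b.example",
	"api.brand-c.example",
}

// NewSharedServerCert builds a self-signed TLS server certificate whose SAN
// list carries every hostname in hosts. It stands in for a CA-issued
// ICP-Brasil web server certificate so the SAN handling can be exercised
// offline; a real certificate would be signed by the ICP-Brasil chain.
func NewSharedServerCert(org, cnpjPlaceholder string, hosts []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			CommonName:   hosts[0],
			Organization: []string{org},
			// Assumption: the OU is used here only to show where an
			// organisation identifier such as a CNPJ could sit in the DN.
			OrganizationalUnit: []string{cnpjPlaceholder},
		},
		DNSNames:    hosts, // the shared SAN list under discussion
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CoveredHosts reports, for each candidate hostname, whether cert's SAN list
// would satisfy a TLS client connecting to that name. Names outside the SAN
// list (for example a brand in a different organisation) are rejected.
func CoveredHosts(cert *x509.Certificate, candidates []string) map[string]bool {
	out := make(map[string]bool, len(candidates))
	for _, h := range candidates {
		out[h] = cert.VerifyHostname(h) == nil
	}
	return out
}

func main() {
	cert, err := NewSharedServerCert("Example Parent Org", "CNPJ-PLACEHOLDER", BrandHosts)
	if err != nil {
		panic(err)
	}
	fmt.Println("Subject:      ", cert.Subject.String())
	fmt.Println("SAN DNS names:", cert.DNSNames)

	candidates := append([]string{}, BrandHosts...)
	candidates = append(candidates, "api.other-org.example") // constructed name not in the SAN list
	for _, host := range candidates {
		fmt.Printf("%-26s covered=%v\n", host, CoveredHosts(cert, []string{host})[host])
	}
}
```

Running it prints the DN, the SAN list, and a coverage line per hostname; the three brand hosts are accepted and the out-of-list name is not. The point for the question in this issue is that SAN coverage is purely a client-side name match, so whether one certificate may span brands in several organisations is decided by the issuing CA's validation of the CSR, not by anything in the certificate format itself.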

DeiGratia33 commented 3 years ago

The certificates defined as ICP-Brasil TLS Web Server are used for URLs/Resources protected by MTLS and do not require any attributes specific to Open Banking; that's the reason the documentation is not specifying a different or custom set of attributes. They are based on current practices of ICP-Brasil, which are aligned with the OV type.

For URLs not protected by MTLS, where an end user will need to access them, it is required by standard and regulation to use the EV type, and not below the ICP-Brasil chain, for better interoperability with browsers.

So, if you want to issue certificates with multiple domains for the front end, you are under the rules of a CA following the EV practice, and they will decide and validate whether the domains included are OK or not.