hbldh / pybankid

BankID Relying Party client for Python
https://pybankid.readthedocs.io
MIT License

Help with certificate #13

Closed sibe7691 closed 6 years ago

sibe7691 commented 6 years ago

Hi,

I'm trying to connect to the production environment of BankID. I have obtained a client certificate from the bank. (===...BEGIN CERTIFICATE...===)

I got this cert in a .txt file. I have no idea how to get the key/certificate in the same format as pybankid generated it when running against their test environment.

Do I need to convert it in some way to get it in a format such that pybankid accepts it?

sibe7691 commented 6 years ago

I'll need to request both cert and key from my bank. They've only provided the very so far..

hbldh commented 6 years ago

If you look at the key.pem file and the certificate.pem that my certutils.py methods provide, they contain a private key (BEGIN PRIVATE KEY) and a certificate (BEGIN CERTIFICATE). Both are needed to be able to authorize yourself against the BankID servers.

In the test env case, you are provided with both the key and the cert, but in production you should have a private key that no one else has access to. I would think (I have actually never requested a BankID cert from a BankID-selling bank, only used ones already requested by others) that one would create a Certificate Signing Request:

1) Create a private RSA key
2) Create a Certificate Signing Request using created key.
3) Send the .csr file to the BankID selling bank to sign
4) Use the key you have and the returned and signed certificate (potentially also converting it to PEM format) with PyBankID.

Example on how to do this: https://www.ssl.com/how-to/manually-generate-a-certificate-signing-request-csr-using-openssl/

This is however how I envision it to work; ask your bank on their procedure and follow it. Although I would discourage you from using a private key that they created...

Please drop me a line describing how this problem was resolved. PyBankID users asking about production cert obtaining have hitherto been very keen on getting help but very poor on sharing solutions :).
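The four steps in the comment above, sketched with the OpenSSL command line as an added example that is not part of the original thread or of PyBankID. File names, the subject string and the key size are placeholders, the `demo` function self-signs the request only as a constructed stand-in for the bank's signature, and the bank's own procedure takes precedence.

```shell
#!/usr/bin/env bash
# Added example. File names, subject and key size are placeholders;
# the issuing bank's procedure decides the real values.

# Steps 1 and 2: a private key (PKCS#8, "BEGIN PRIVATE KEY") that never
# leaves this machine, and a CSR created from it. Only the CSR is sent out.
make_key_and_csr() {   # $1=key out  $2=csr out  $3=subject  $4=RSA bits (default 2048)
    ( umask 077        # key file readable by its owner only
      openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:${4:-2048}" \
              -out "$1" 2>/dev/null ) || return 1
    openssl req -new -key "$1" -subj "$3" -out "$2"
}

# Step 4a: a signed certificate delivered as DER is converted to PEM.
der_to_pem() {         # $1=DER in  $2=PEM out
    openssl x509 -inform DER -in "$1" -out "$2"
}

# Step 4b: before using the pair, confirm the returned certificate carries
# the public half of the local private key (compares the PEM public keys).
cert_matches_key() {   # $1=cert PEM  $2=key PEM
    local from_cert from_key
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Constructed walk-through: self-signing stands in for step 3 (the bank).
demo() {
    local d rc=1
    d=$(mktemp -d) || return 1
    make_key_and_csr "$d/key.pem" "$d/request.csr" "/CN=example-rp" &&
    openssl x509 -req -in "$d/request.csr" -signkey "$d/key.pem" -days 1 \
            -outform DER -out "$d/certificate.der" 2>/dev/null &&
    der_to_pem "$d/certificate.der" "$d/certificate.pem" &&
    cert_matches_key "$d/certificate.pem" "$d/key.pem" &&
    echo "certificate.pem matches key.pem" && rc=0
    rm -rf "$d"
    return "$rc"
}

# Run the walk-through only when asked: ./script.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```

A mismatch from `cert_matches_key` means the certificate was issued for a different key, which is the situation when only a certificate was received and no matching private key exists locally.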

sibe7691 commented 6 years ago

You were right,

I had to send a new .csr-file to the bank. I created this .csr-file using their provided java software. For the bank Nordea, the program is called: BankID.jar. The bundle of software for Nordea was (2018-05-25) found at http://wcms.nordea.se/sitemod/upload/root/content/nordea_se/foretag/internet_och_telefon/filer/BankID_Keygen_Nordea_1.3_4096.zip

Hopefully, they will get back to me within a few days with a certificate that I can process with the same software and get BankID up and running.

Thanks for the help.

hbldh commented 6 years ago

Nice tool for simplifying this. Will add some notes about Nordea's specific handling of certificate requests in the documentation as soon as I can. Will leave this open until you get it up and running in PyBankID; i.e. in case further conversions or whatnot is needed when you get your certificate.