As described in detail in the VOP API specifications and the API Security Framework, every VOP Participant needs to use its own Qualified Web Authentication Certificate (QWAC) PSD2 certificate for authentication and identification in the VOP scheme.
These certificates are issued by Qualified Trust Service Providers (QTSPs) who operate under the electronic Identification, Authentication and Trust Services (eIDAS) regulation. You can find the list of all QTSPs offering QWAC certificates via the eIDAS dashboard. On this dashboard, you can select providers offering QWAC certificates.
For information: via this dashboard you can also find the API documentation for the APIs that enable downloading the trusted list of certification authorities into your application.
When a PSP requests a certificate from a QTSP, the PSP will need to fill out a form and provide additional proof that enables the QTSP to identify, verify and authenticate the requester.
This Q&A will not provide details of this process which can be obtained from the QTSPs; it only looks into the relevant information requirements for VOP.
Required information
The following information is required to be included in the QWAC PSD2 certificate; the fields will be explained in more detail below:
- General information in the Subject:
  - Country code (field “C”)
  - Legal organization name (field “O”)
  - Common Name (field “CN”): this typically contains the domain name; the field is currently only informative
  - Subject Alternative Name (field “subjectAltName”): this is the official field to list domain names.
- The certificate must meet the profile for PSD2 QWAC certificates defined in the ETSI* TS 119 495 standard. The specific PSD2 information is described in sections 5.1 and 5.2 of this standard and includes two data elements:
  - PSD2 Role: the certificate must include specific PSD2 roles (e.g., AISP, PISP, ASPSP) as defined by the European Banking Authority (EBA).
  - Authorization Number or other recognized identifier for Open Banking; also referred to as NAN (National Authorisation Number) in the VOP API specifications.
Descriptions and clarifications regarding the different fields
The following paragraphs provide more details on the different fields of the certificate:
- Domain name in the Common Name and subjectAltName: a QWAC certificate can be used for client and server authentication, and a QTSP will typically ask for a domain name to be included in the certificate. In the case of VOP, the QWAC PSD2 certificate is used for client authentication and identification, and neither the VOP API specifications nor the API Security Framework impose any validation or usage of the domain. Therefore, the value of the domain included in the certificate is not relevant from a functional point of view and the field is not mandatory for the VOP scheme. For this reason the EPC does not make any recommendation on the Domain name field.
- The NAN in a QWAC PSD2 certificate has the following structure:
  - "PSD" as 3 character legal person identity type reference
  - 2 character ISO 3166-1 country code representing the Competent Authority country
  - "-"
  - 2-8 character Competent Authority identifier without country code (A-Z uppercase only, no separator)
  - "-"
  - Identifier (= PSD2 Authorisation Number): this is the authorization number as specified by the National Competent Authority (NCA). The source of this identifier depends on the country of the requester and is described in this list: https://www.eba.europa.eu/sites/default/files/Identification%20numbers%20used%20in%20the%20EBA%20registers_0.pdf.
  Example: PSDBE-NBB-0123456789
The VOP Participant is required to enter its NAN in the EDS. The Responding VOP Participant will identify and authorise a Requesting VOP Participant by comparing the NAN retrieved from the QWAC certificate used to secure a VOP Request with the NAN of the Requesting PSP in the EDS. The VOP scheme does not require the Responding VOP Participant to verify the actual information inside of the NAN.
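The NAN structure listed above and the EDS comparison just described, as an added example that is not part of the EPC's Q&A or its specifications. It validates a NAN string against the stated structure (prefix, country code, 2-8 uppercase NCA identifier, separators, identifier) and then authorises a Requesting Participant by exact match against a constructed EDS table, without interpreting the NAN's components, exactly as the scheme text says. In the ETSI TS 119 495 profile the NAN is the string value of the subject's organizationIdentifier attribute; reading it out of the X.509 object is assumed to have happened already, so the functions take the plain string. The helper names and the `EDS_SAMPLE` table are constructed for illustration.

```python
"""Parse a PSD2 National Authorisation Number (NAN) and match it against
an EDS entry. Added example; names and sample data are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Structure from the Q&A: "PSD" + 2-letter country + "-" + 2-8 uppercase NCA id + "-" + identifier.
# The identifier itself is NCA-specific, so it is only required to be non-empty and free of whitespace.
_NAN_RE = re.compile(
    r"^PSD(?P<country>[A-Z]{2})-(?P<nca>[A-Z]{2,8})-(?P<identifier>\S+)$"
)


@dataclass(frozen=True)
class NationalAuthorisationNumber:
    country: str      # ISO 3166-1 alpha-2 code of the Competent Authority country
    nca: str          # Competent Authority identifier, without country code
    identifier: str   # authorisation number assigned by the NCA

    @property
    def raw(self) -> str:
        return f"PSD{self.country}-{self.nca}-{self.identifier}"


def parse_nan(value: str) -> Optional[NationalAuthorisationNumber]:
    """Return the parsed NAN, or None if the string does not follow the structure."""
    m = _NAN_RE.match(value)
    if m is None:
        return None
    return NationalAuthorisationNumber(m["country"], m["nca"], m["identifier"])


# Constructed EDS sample (NAN -> participant record); real EDS content is scheme data.
EDS_SAMPLE: Dict[str, Dict[str, str]] = {
    "PSDBE-NBB-0123456789": {"name": "Example Bank BE"},
    "PSDNL-DNB-R987654": {"name": "Example PSP NL"},
}


def authorise_requester(cert_nan: str, eds: Dict[str, Dict[str, str]]) -> Tuple[bool, str]:
    """Decide whether the NAN read from the Requesting Participant's QWAC
    authorises a VOP Request.

    The decision is an exact string comparison with the EDS entry; the
    country, NCA and identifier parts are parsed only to reject malformed
    input early, not to judge their content (the scheme does not require that).
    """
    parsed = parse_nan(cert_nan)
    if parsed is None:
        return False, "NAN in certificate does not follow the PSD2 structure"
    record = eds.get(cert_nan)
    if record is None:
        return False, "NAN not registered in the EDS"
    return True, f"authorised: {record['name']}"


if __name__ == "__main__":
    for candidate in ("PSDBE-NBB-0123456789", "PSDBE-NBB-9999", "PSDbe-NBB-1"):
        print(candidate, "->", authorise_requester(candidate, EDS_SAMPLE))
```

The structural check is deliberately strict on case and separators: a lowercase country code or a missing "-" is rejected before any lookup, so a mistyped EDS entry and a malformed certificate value fail in different, diagnosable ways rather than both surfacing as "not registered".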
- Role(s):
  - The role field is not verified in VOP; any of the existing role(s) can be included. It can also include the value “unspecified” (as defined in the ETSI standard mentioned above).
  - A specific Q&A provides more details on how to use the role field when sharing a certificate with an RVM: https://www.europeanpaymentscouncil.eu/faq/verification-payee-scheme/api-specifications/what-are-best-practices-mitigate-security-risk
* ETSI = European Telecommunications Standards Institute; this is a globally recognized organization that develops technical standards for information and communications technology (ICT), including fixed, mobile, radio, converged, broadcast, and internet technologies.
Website: https://www.etsi.org/
ETSI standards can be found via this portal: https://www.etsi.org/standards#Pre-defined%20Collections