The security model of the EPC VOP API is built on mutual authentication, using a Qualified Web Authentication Certificate (QWAC) issued for use in PSD2 Open Banking on the client side (VOP Requesting PSP) and EV TLS certificates on the server side (VOP Responding PSP or RVM). Please refer to the EPC API Security Framework (ASF) for details.
The specifications of the QWAC PSD2 certificate are defined in the ETSI Technical Standard (TS) 119 495 1.7.1.
This document specifies (section 5.3, Note 3) that a QWAC PSD2 certificate can be issued to support both server-side and client-side authentication; this is indicated in the certificate's Extended Key Usage (EKU) extension: extKeyUsage including id-kp-serverAuth and id-kp-clientAuth.
Therefore, any QWAC PSD2 certificate to be used by a PSP for client authentication in VOP must include the Client Authentication EKU.
Google's update to its Root Program Policy mandates that by June 15, 2026, public TLS server certificates can no longer include the Client Authentication EKU. As a consequence, large international CAs (GlobalSign, DigiCert, SSL.com) have recently announced that they will gradually stop issuing public TLS certificates with the client authentication option, including QWAC certificates.
Will this affect the authentication principles defined for VOP?
It is worthwhile to note that the ETSI TS builds on the guidelines and requirements defined by the Certification Authority Browser Forum (CA/B Forum). The CA Browser Forum Baseline Requirements still allow the Client Authentication EKU.
VOP APIs don't require browser support, and QWAC PSD2 certificates are in general not intended to be used by browsers. Changing the principles of these certificates would impact not only VOP, but also existing PSD2 services.
In conclusion: the authentication principles defined for the VOP API remain applicable and, when requesting a QWAC PSD2 certificate, PSPs will need to ensure their QTSP still supports issuing QWAC PSD2 certificates that include the value id-kp-clientAuth in the EKU extension.
An overview of QTSPs can be found on the eIDAS Dashboard.