New issuing CAs for PSD2 certificates from 3 May, 2021


Introduction

Our PSD2 certificates has been issued from CAs which were established almost 10 years ago. PSD2 QWAC certificates are issued from Buypass Class 3 CA 2 and PSD2 QC eSeal are issued from Buypass Class 3 CA 3.

The CA hierarchy for what we call Generation 1 (G1) of Buypass Class 3 CAs is shown below:

Both issuing CAs chains back to Buypass Class 3 Root CA which is a root CA included in many root certificate programs, including OSes like Microsoft and Apple, and browsers like Mozilla, Firefox, Google Chrome etc.

Both issuing CAs are included in EU Trusted List, which is a precondition for PSD2 certificates to be accepted as PSD2 certificates according to current regulations.


New G2 CAs from 3 May, 2021

From 3 May, 2021 we will issue PSD2 certificates from new CAs referred to as Generation 2 (G2). See G2 CA hierarchy below:

In G2 CA hierarchy there are 2 different Root CAs for PSD2 QWAC and PSD2 QC eSeal respectively. None of these Root CAs are included in any specific root certificate programs, but they are included on EU Trusted List and will therefor be accepted as PSD2 certificates.

Issuing CA for PSD2 QWAC is Buypass Class 3 CA G2 QC WA (Qualified Certificates for Website Authentication) and issuing CA for PSD2 QC eSeal is Buypass Class 3 CA G2 ST Business (Soft Token Business).

We are moving from G1 CAs to G2 CAs to be more flexible. In general, PSD2 certificates do not need to be accepted by OSes and browsers as other certificate types do. This will, for example, give us the opportunity to issue PSD2 QWAC certificates with a longer lifetime (2 years) than what is normally allowed for TLS certificates which must comply with current requirements from the CA/Browser forum, browsers etc. (1 year). Requirements to register TLS certificates in CT logs also come from browsers and we have decided not to register these certificates in CT logs.

This reorganization should not have any impact on the use of PSD2 certificates, but should any problems arise with the use of these certificates in the PSD2 infrastructure, you must contact us immediately.

Other changes

With the G2 CAs we also use new addresses for both CRL and OCSP services for these certificates. The services are now available under buypassca.com, not buypass.no and buypass.com as earlier - see table below.

The CA certificates

The G2 CA certificates are available below.

For PSD2 QWAC:

For PSD2 QC eSeal:

Test certificates 

Similarly, we will issue PSD2 certificates for test from G2 CAs from 15 April 2021. G2 CA certificates are available below.

For PSD2 QWAC:

For PSD2 QC eSeal:

More information

For more information about the certificate profiles, see:

For more information about EU Trusted List, see:

Innhold