Certificates

How important is certification to the Open ecosystem?

The Open Finance Brazil ecosystem uses certificate chains and the TLS protocol to guarantee the confidentiality, authentication and integrity of the communication channel used by the APIs of the participating institutions and by the clients of each participant. In addition, a certificate is required to:

  • Authenticate applications via OAuth 2.0 mTLS or private_key_jwt;

  • Perform payload signing by using JWS;

  • Authenticate and present a secure channel to the end user when using the services provided by the participating entity.

Which certificates should I get per environment?

To establish an mTLS connection, you need 3 certificates in each environment. They are:

  • Production

    • Server Certificate (EV, OV and SAN)

    • Client Certificate (BrCAC - Transport)

    • Signature Certificate (BrSEAL)

  • Sandbox

    • Server Certificate (EV, OV and SAN)

    • Client Certificate (BrCAC - Transport)

    • Signature Certificate (BrSEAL)

In the Sandbox environment, BrCAC and BrSEAL certificates are manually generated by Sensedia and signed in the Central Directory.

How to acquire BrCAC and BrSEAL certificates?

The certificates must be issued by a Certification Authority (CA) approved by ICP-Brasil. Some of the CAs that can be contacted are listed below:

AC               Sales Channel
CERTISIGN        comercial@certisign.com.br
SERASA EXPERIAN  https://serasa.certificadodigital.com.br/ecommerce-corporativo/icp-brasil/
VALID            https://www.validcertificadora.com.br/
SERPRO           https://www.loja.serpro.gov.br/certificacao/

Each participant should contact the Certification Authority of their choice and request the digital certificates required for Open Finance, in accordance with the security requirements set out in the Open Finance Brazil Certificate Standard (in Portuguese).

How to register the certificates in the Central Directory?

BrCAC
  1. In the Directory, go to Organisations > Software Statement > Certificates;

  2. On this page, click the New Certificate button and register the certificate.

BrSEAL
  1. In the Directory, go to Organisations > Organisation Certificates;

  2. On this page, click the New Organisation Certificate button and register the certificate.

To register BrCAC, you need to have created a Software Statement for your organization. If you have not done this yet, follow these steps:
  1. In the Directory, go to Organisations > Software Statements and click on New Software Statement;

  2. On this screen, fill in the form fields as specified on page 76 of the Central Directory Operation Guide (in Portuguese).

How to obtain the key ID (KID) of the BrSEAL certificate?

When you register the BrSEAL certificate in the Central Directory, the unique key ID (KID) will be returned automatically.

How to issue the certificate to work in Sandbox?

The certificate generated in the Sandbox environment of the Participant Directory is self-signed and is required for the FAPI certification flow with OpenID. To generate it, follow these steps:

  1. Within the Directory sandbox environment, log into your organization;

  2. In the Software Statement area, select the desired statement. If you do not have a software statement yet, you will need to create one, as explained in the topic above;

  3. Click the New Certificate button > Select Certificate Type, select the BrCAC option and click Continue;

  4. Then download the brcac.cnf and brcac.sh files;

  5. Edit the brcac.cnf file with exactly the same information as shown on the Organization Details page of the Directory. Here is an example using OpenSSL:
    openssl

  6. Edit the brcac.sh file to reference the path of the brcac.cnf file;

  7. Run the brcac.sh file from the command prompt to generate the CSR and key pair;

  8. In the Directory, select the Upload CSR/PEM option, locate the generated brcac.csr file and click Continue;

  9. Wait for the file to upload and then click Done;

  10. Go to Certificates > Actions, click the download arrow, and save the <file>.pem to a local folder.

To issue the BrSEAL certificate, download the files brseal.cnf and brseal.sh and follow the same instructions.
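The brcac.cnf/brcac.sh pair edited in steps 4 to 7 above, written out as an added example that is not Sensedia's or the Directory's own files: it encodes the BrCAC Distinguished Name and extensions required under "How to issue the certificates in the correct chain?" below, generates the key and CSR, and checks the CSR before upload. The organisation values, the RSA 2048 key size and the output file names are assumptions.

```shell
# Added example, not Sensedia's brcac.cnf/brcac.sh: writes an OpenSSL request config
# with the BrCAC DN and extensions listed on this page, generates the key/CSR pair and
# checks the CSR before upload. Organisation values, RSA 2048 and file names are assumed.
set -eu
# write_brcac_cnf OUT CNPJ PARTICIPANT_CODE SOFTWARE_STATEMENT_ID FQDN
write_brcac_cnf() {
  cat > "$1" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req
[ dn ]
businessCategory       = Private Organization
jurisdictionC          = BR
serialNumber           = $2
C                      = BR
O                      = Exemplo Participante S.A.
ST                     = SP
L                      = Sao Paulo
organizationIdentifier = $3
UID                    = $4
CN                     = $5
[ v3_req ]
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName   = DNS:$5
EOF
}
# gen_brcac_csr DIR: DIR/brcac.cnf -> DIR/brcac.key + DIR/brcac.csr
gen_brcac_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/brcac.cnf" \
    -keyout "$1/brcac.key" -out "$1/brcac.csr" 2>/dev/null
}
# check_brcac_csr CSR FQDN: fails unless the CSR carries the mandatory BrCAC
# attributes, so a wrong request is caught locally, not by the Directory.
check_brcac_csr() {
  txt=$(openssl req -in "$1" -noout -text)
  echo "$txt" | grep -q 'organizationIdentifier *=' &&
  echo "$txt" | grep -q 'UID *=' &&
  echo "$txt" | grep -q 'Digital Signature, Key Encipherment' &&
  echo "$txt" | grep -q 'TLS Web Client Authentication' &&
  echo "$txt" | grep -q "DNS:$2"
}
if command -v openssl >/dev/null 2>&1; then   # demo run with constructed values
  d=$(mktemp -d)
  write_brcac_cnf "$d/brcac.cnf" 12345678000195 PARTICIPANT-CODE SSID-PLACEHOLDER api.example.com
  gen_brcac_csr "$d"
  check_brcac_csr "$d/brcac.csr" api.example.com
  echo "BrCAC CSR ready for upload: $d/brcac.csr"
fi
```

Replace the placeholder arguments with the CNPJ, participant code, Software Statement ID and FQDN shown on your Organization Details page before running it for real.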

How to upload the certificate in the Sensedia Add-on?

  1. Go to the Certificates menu, choose the certificate type (BrCAC or BrSEAL) and click Submit Certificate;

  2. Confirm the environment where you wish to submit the certificate;

  3. Enter the KID and upload the .PEM and .key files;

  4. If the environment is correct, confirm the upload.

After the certificate is submitted, a ticket will be automatically created in Zendesk for our team to execute the operation.

How to issue the certificates in the correct chain?

The Open Finance Brazil Certificate Standard (in Portuguese) specifies the chain for each type of certificate, as follows:

  • Server Certificate: must be sent together with the intermediate chain, according to Section 7.4.2 of RFC 5246.

  • Client Certificate (BrCAC - Transport): must be issued under the V10 chain and contain the following attributes:

Distinguished Name:
  • businessCategory (OID 2.5.4.15): type of business category; must contain one of the following options: "Private Organization", "Government Entity", "Business Entity" or "Non-Commercial Entity";

  • jurisdictionCountryName (OID: 1.3.6.1.4.1.311.60.2.1.3): BR;

  • serialNumber (OID 2.5.4.5): CNPJ;

  • countryName (OID 2.5.4.6): BR;

  • organizationName (OID 2.5.4.10): Corporate Name;

  • stateOrProvinceName (OID 2.5.4.8): State unit of the physical address of the certificate holder;

  • localityName (OID 2.5.4.7): City of the holder’s physical address;

  • organizationIdentifier (OID 2.5.4.97): Participant Code associated with the CNPJ listed in the Open Finance Brazil Directory Service;

    • For certificates issued until August 31, 2022: organizationalUnitName (OID 2.5.4.11): Participant Code associated with the CNPJ listed in the Open Finance Brazil Directory Service;

  • UID (OID 0.9.2342.19200300.100.1.1): Software Statement ID generated by the Open Finance Brazil Directory Service;

  • commonName (OID 2.5.4.3): FQDN or Wildcard.

Certificate Extensions:
  • keyUsage: critical,digitalSignature,keyEncipherment

  • extendedKeyUsage: clientAuth

Subject Alternative Name:

  • dNSName: FQDN or Wildcard

  • Signature Certificate (BrSEAL): must be issued under the V10 chain and contain the following attributes:

Distinguished Name:
  • UID (OID 0.9.2342.19200300.100.1.1): Participant Code associated with the CNPJ listed in the Open Finance Brazil Directory Service;

  • countryName (OID 2.5.4.6): BR;

  • organizationName (OID 2.5.4.10): ICP-Brasil;

  • organizationalUnitName (OID 2.5.4.11): Name of the Certificate Authority;

  • organizationalUnitName (OID 2.5.4.11): CNPJ of the Registration Authority;

  • organizationalUnitName (OID 2.5.4.11): Type of identification used (face-to-face, videoconference or digital certificate);

  • commonName (OID 2.5.4.3): Corporate Name.

Certificate Extensions:
  • keyUsage: critical,digitalSignature,nonRepudiation

Subject Alternative Name:
  • otherName (OID 2.16.76.1.3.2 - ICP-Brasil): Name of the person responsible for the certificate;

  • otherName (OID 2.16.76.1.3.3 - ICP-Brasil): CNPJ of the legal entity that holds the certificate;

  • otherName (OID 2.16.76.1.3.4 - ICP-Brasil): Holder of the legal entity certificate (date of birth, CPF, PIS/PASEP/CI, RG);

  • otherName (OID 2.16.76.1.3.7 - ICP-Brasil): INSS Specific Registration Number (CEI) of the legal entity that holds the certificate.

How to register a certificate on the Sensedia API Platform?

Go to Security > Certificates and follow the steps:

  1. On the certificates screen, click the + icon to add a new certificate;

  2. Fill in the fields:

    • Name

    • Certificate Body

    • Private Key

    • Certificate Chain

After filling the fields, click Save. You will be redirected to the screen where the registered certificates are listed.
