Certificates

How important is certification to the Open ecosystem?

The Open Insurance Brazil ecosystem uses certificate chains and TLS protocol to guarantee the confidentiality, authentication and integrity of the communication channel used by the APIs of the participating institutions, as well as the clients of each participant. In addition, the certificate is required to:

  • Authenticate applications via OAuth 2.0 mTLS or privatekeyjwt;

  • Perform payload signing by using JWS;

  • Authenticate and present a secure channel to the end user when using the services provided by the participating entity.

Which certificates should I get per environment?

To make an mTLS connection, you need 3 certificates. They are:

  • Production

    • Server Certificate (EV, OV and SAN)

    • Client Certificate (BrCAC - Transport)

    • Signature Certificate (BrSEAL)

  • Sandbox

    • Server Certificate (EV, OV and SAN)

    • Client Certificate (BrCAC - Transport)

    • Signature Certificate (BrSEAL)

How to acquire BrCAC and BrSEAL certificates?

The certificates must be issued by a Certification Authority approved by ICP-Brasil. Here are some of those that can be contacted:

ACs Sales Channel

CERTISIGN

comercial@certisign.com.br

SERASA EXPERIAN

https://serasa.certificadodigital.com.br/ecommerce-corporativo/icp-brasil/

SERPRO

https://www.loja.serpro.gov.br/certificacao/

SOLUTI

https://idtech.soluti.com.br/open-insurance

VALID

https://www.validcertificadora.com.br/
Each participant should contact the Certification Authority of their choice and request the necessary digital certificates for Open Insurance, according to the required Security documents at the Open Insurance Brazil Certificate Standard (in Portuguese).

How to create a Software Statement?

In order to register BrCAC and BrSEAL certificates, you must have created a Software Statement for your organization. To do this, follow the steps:
1. In the Directory, access your organization;
2. Go to Declarações de Software and click on Declarações de novo software;
3. On this screen, fill in the form fields as specified on page 3 of Software Statement Creation Guide (in Portuguese).

The Participant Directory platform is in Portuguese, so all the fields are described in the same language.

How to register the BrCAC certificate in the Participant Directory?

The certificates have the option to register for Sandbox and Production environments. Choose which one you wish to register and follow the steps:

Sandbox
1. In the Directory, go to the menu Organização;
2. Go to Declarações de Software and select the statement you want;
3. Go to Certificados > Novo Certificado;
novo certificado
4. Select the BRCAC_2022 option and click Continuar;
5. In the next step, select Geração automática de configuração;
6. Finish filling in the fields and download the files brcac.cnf and brcac.sh. Check the definition of the attributes in section 5.2.2.1 of the Developer Portal (in Portuguese);
7. Edit the brcac.cnf file with information identical to the Directory information on the Organization Details page. Here is an example using OpenSSL:
openssl
8. Edit the brcac.sh file so that it references the path of the brcac.cnf file;
9. Run the brcac.sh file through the command prompt to generate the CSR and KEY pair;
10. In the Directory, select the Carregar CSR/PEM option, locate the generated brcac.csr and click Continuar;
11. Wait for the file to load and click Feito.

The certificate generated in the Sandbox environment of the Participant Directory is self-signed and required for the FAPI certification flow with Open ID.

Production
1. In the Directory, go to the Organização menu;
2. Go to Declarações de Software and select the desired declaration;
3. Go to Certificados > Novo Certificado;
4. Select the EXTERNAL BRCAC option and click Continuar;
5. In the Gerar CSR option, click Continuar. The EXTERNAL BRCAC is issued by the certification authority, so there is no certificate generation process.
6. Select the Carregar CSR/PEM option and locate the CSR or PEM file issued by the certificate authority;
7. Click Continuar;
8. Wait for the file to load and click Feito.

How to register the BrSEAL certificate in the Participant Directory?

Sandbox
1. In the Directory, go to the menu Organização;
2. Go to Certificados de Organização > Novo Certificado;
brseal novo 3. Go to Certificados > Novo Certificado;
image:new-certificate.png
4. In the window that opens, select BRSEAL in the Select Certificate Type field;
5. In the next step, select Geração automática de configuração;
6. Finish filling in the fields and download the files brseal.cnf and brseal.sh. Check the definition of the attributes in section 5.2.3.1 of the Developer Portal (in Portuguese);
7. Edit the brcac.cnf file with information identical to the Directory information on the Organization Details page. Here is an example using OpenSSL:
image:openssl.png
8. Edit the brcac.sh file so that it references the path of the brcac.cnf file;
9. Run the brcac.sh file through the command prompt to generate the CSR and KEY pair;
10. In the Directory, select the Carregar CSR/PEM option, locate the generated brcac.csr and click Continuar;
11. Wait for the file to load and click Feito.

The certificate generated in the Sandbox environment of the Participant Directory is self-signed and required for the FAPI certification flow with Open ID.

Production
1. In the Directory, go to the Organização menu;
2. Go to Certificados de Organização > Novo Certificado;
3. Select the EXTERNAL BRCAC option and click Continuar;
4. In the Gerar CSR option, click Continuar. The BRSEAL EXTERNAL is issued by the certification authority, so there is no certificate generation process.
5. Select the Carregar CSR/PEM option and locate the CSR or PEM file issued by the certificate authority;
6. Click Continuar;
7. Wait for the file to load and click Feito.

How to obtain the public key (KID) from BRSEAL?

When you register the BrSEAL certificate in the Participant Directory, the unique key ID (KID) will be returned automatically.

How to upload the certificate in the Sensedia Add-on?

  1. Go to Certificates menu, choose the type of certificate, whether BrCAC or BrSEAL, and click Submit Certificate;

  2. Confirm the environment where you wish to submit the certificate;

  3. Enter the KID and upload the .key and .PEM files;

  4. If the environment is correct, confirm the upload. After the certificate is submitted, a ticket will be automatically created in Zendesk for our team to execute the operation.

How to issue the certificates in the correct chain?

The Open Insurance Brazil Certificate Standard (in Portuguese) specifies the chains for each type of certificate, being:

  • Server Certificate: needs to be sent with the intermediate chain, according to item 7.4.2. of the RFC5246.

  • Client Certificate (BrCAC - Transport): needs to be sent with the intermediate chain, according to item 7.4.2. and 7.4.6 of the RFC5246 and must be issued through the V10 chain, containing the following attributes:

Distinguished Name:

  • businessCategory (OID 2.5.4.15): Type of business category, and must contain one of these options: "Private Organization"; "Government Entity"; "Business Entity" or "Non-Commercial Entity";

  • jurisdictionCountryName (OID: 1.3.6.1.4.1.311.60.2.1.3): BR;

  • serialNumber (OID 2.5.4.5): CNPJ;

  • countryName (OID 2.5.4.6): BR;

  • organizationName (OID 2.5.4.10): Corporate Name;

  • stateOrProvinceName (OID 2.5.4.8): State unit of the physical address of the certificate holder;

  • localityName (OID 2.5.4.7): City of the holder’s physical address;

  • organizationIdentifier (OID 2.5.4.97): Participant code associated to the CNPJ listed in the Open Insurance Brazil Directory Service;

    • For certificates issued until August 31, 2022: organizationalUnitName (OID 2.5.4.11): Participant Code associated with the CNPJ listed in the Open Insurance Brazil Directory Service;

  • UID (OID 0.9.2342.19200300.100.1.1): Software Statement ID generated by the Open Insurance Brazil Directory Service;

  • commonName (OID 2.5.4.3): FQDN or Wildcard.

Certificate Extensions:

  • keyUsage: critical,digitalSignature,keyEncipherment

  • extendedKeyUsage: clientAuth

Subject Alternative Name:

*dNSName: FQDN or Wildcard

  • Signature Certificate (BrSEAL): must be issued through the V5 chain, and contain the following attributes:

Distinguished Name:

  • UID (OID 0.9.2342.19200300.100.1.1): Participant Code associated with the CNPJ listed in the Open Insurance Brazil Directory Service;

  • countryName (OID 2.5.4.6): BR;

  • organizationName (OID 2.5.4.10): ICP-Brasil;

  • organizationalUnitName (OID 2.5.4.11): Name of the Certificate Authority;

  • organizationalUnitName (OID 2.5.4.11): CNPJ of the Registration Authority;

  • organizationalUnitName (OID 2.5.4.11): Type of identification used (face-to-face, videoconference or digital certificate);

  • commonName (OID 2.5.4.3): Corporate Name.

Certificate Extensions:

  • keyUsage: critical,digitalSignature,nonRepudiation

Subject Alternative Name:

  • otherName (OID 2.16.76.1.3.2 - ICP-Brasil): Name of the person responsible for the certificate;

  • otherName (OID 2.16.76.1.3.3 - ICP-Brasil): CNPJ of the legal entity that holds the certificate;

  • otherName (OID 2.16.76.1.3.4 - ICP-Brasil): Holder of the legal entity certificate (date of birth, CPF, PIS/PASEP/CI, RG);

  • otherName (OID 2.16.76.1.3.7 - ICP-Brasil): INSS Specific Registration Number (CEI) of the legal entity that holds the certificate.

How to register a certificate on the Sensedia API Platform?

Go to Security > Certificates and follow the steps:

  1. On the certificates screen, click the + icon to enter a new registration;

  2. Fill in the fields:

    • Name

    • Certificate Body

    • Private Key

    • Certificate Chain

If you need to, see the specification of the fields in this content (in Portuguese).

3.After filling the fields, click Save. You will be redirected to the screen where the registered certificates are listed.

Thanks for your feedback!
EDIT
How useful was this article to you?