The term Qualified Certificates (QC) is used in Smart ID Certificate Manager (CM) to describe a certificate with a certain qualified status within applicable governing laws. The Qualified Certificates Profile is described in detail in RFC 3739, Internet X.509 Public Key Infrastructure: Qualified Certificates Profile (https://tools.ietf.org/html/rfc3739).
QC statements can be used when issuing both smart cards and soft tokens. The certificate procedures used may define QC statements. These statements cannot be overwritten and are visible in the token procedure chooser dialog.
This article gives an example of how to fill in QC statements and also describes how to use QC statements in certificate procedures. This task is done in the Registration Authority (RA) in Certificate Manager.
This task requires that:
- The selected token procedure is prepared with a QC statements input view, which gives access to the various input fields related to the QC statements (for information on how to do this, see the Technical Description).
- The Registration Authority is running.
- The issuing procedure to be used is known.
This is an example of how to fill in Qualified Certificates (QC) statements.
- If the input view used for the selected procedure supports QC statements, add the Qualified Certificate Statements field to the list of visible fields. For information, see Select fields in Registration Authority in Certificate Manager. The Contents field in the upper part of the RA user interface in Certificate Manager contains an empty sequence entry field and the lower part is used to specify QC statements for that field.
- Click the browse button in the Qualified Certificate Statements field. The Qualified Certificate Statements dialog box is displayed.
- Select a type of QC statement, for example, PKIX QC Statement Version 1. The corresponding input field, if there is one, is displayed.
- Select the Semantic Oid in the drop-down list.
- Click the browse button in the Name RAs field. The Name Registration Authorities dialog box is displayed.
- Select which type of name registration authority you want to specify, for example, the Rfc822 Name. The corresponding input field is displayed and you can enter the data.
- Click Add to move the data to the Contents field.
- If necessary, repeat the action and enter additional data.
- Click OK to return to the previous dialog box when the Contents field contains the final data.
- Click Add to move the specified type information to the current Contents field.
- If necessary, repeat the action and enter additional data.
- To rearrange the order of the items, select an item in the Contents field and click the appropriate move buttons.
- Click OK to complete the Qualified Certificate Statements dialog box and to move the data into the Qualified Certificate Statements field in the Smart Card tab of the RA user interface in Certificate Manager.
The administration officer who configures the certificate procedure may specify that all certificates issued with that certificate procedure should contain a set of QC statements.
As demonstrated above, it is also possible to add QC statements in the certificate request in RA. If both of these specify QC statements, the resulting certificate will contain both of these QC statements.
An administration officer may specify a QC statement claiming compliance with the EU legislation (etsi-qc-1), while the registration officer specifies a QC statement claiming QC type id-etsi-qct-eseal. The issued certificate will have both of these QC statements.
Refer to the specifications and requirements of the type of certificate that should be created, in order to ensure that all required QC statements are supplied. It is also possible to pre-configure a certificate format to require a set of QC statements that must be included in issued certificates, see the Technical Description for further details.
One of the use-cases for QC statements is issuing certificates to be used by payment service providers in order to meet the requirements of the PSD2 Regulatory Technical Standards, as specified in ETSI TS 119 495. In particular, the following information must be included in such certificates:
- PSD2 QC statement (id-etsi-psd2-qcStatement), which in turn should include:
  - Roles of PSP (Payment Service Provider)
  - NCA Name (NCA = National Competent Authority)
  - NCA Identifier
- Authorization Number
The PSD2 QC statement can either be fully configured in the certificate procedure, or in the certificate request from the Registration Authority (RA).
If fully specified in both (which may be an incorrect way of issuing such certificates), with different information in each, then similar to how other QC statements are handled, the resulting certificate will have two such QC statements. This may not be desired, so ensure that it is clear whether this statement should be fully configured in the certificate procedure or in the certificate request from the RA.
However, for PSD2 QC statements, a common use-case is that the NCA name and identifier should likely be identical for all certificates issued per certificate procedure, while the list of PSP roles may be different per issued certificate. For this particular case, another option is available in addition to fully specifying it in either the certificate procedure or in the certificate request.
To configure a combination of the NCA details and the PSP roles, do the following:
- Add a PSD2 QC statement in the certificate procedure, but specify only the NCA details, and not the PSP roles.
- Add a PSD2 QC statement in the certificate request from Registration Authority, but specify only the PSP roles, and not the NCA details.
The resulting certificate will then contain only one PSD2 QC statement, with the combined information of the NCA and the PSP roles. This combination is done by examining whether the NCA details are identical or empty in each place.
The Authorization Number, which is required in these certificates, must be part of the Organization Identifier in the Subject Distinguished Name, as supplied in the certificate request from the RA. The Organization Identifier must also be formatted as specified by ETSI TS 119 495 chapter 5.2.1, and its parts of the NCA identifier must match the corresponding parts of the PSD2 QC statement in the issued certificate.
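A post-issuance check for the two rules above, as an added example (not Certificate Manager's own code): `merge_psd2` models the combination rule as this page describes it, and `lint` compares the Organization Identifier with the PSD2 QC statement. It assumes the values have already been extracted from the certificate; the names `Psd2Statement`, `merge_psd2` and `lint` and all sample values are constructed for the illustration, and the identifier layout follows ETSI TS 119 495 clause 5.2.1.

```python
import re
from typing import NamedTuple

# organizationIdentifier layout (ETSI TS 119 495, 5.2.1):
# "PSD" + NCA country (2 letters) + "-" + NCA id (2-8 letters) + "-" + authorization number
ORG_ID_RE = re.compile(r"PSD([A-Z]{2})-([A-Z]{2,8})-(.+)")

class Psd2Statement(NamedTuple):
    roles: tuple = ()    # PSP roles, e.g. ("PSP_AI", "PSP_PI")
    nca_name: str = ""
    nca_id: str = ""     # country code + "-" + NCA identifier

def merge_psd2(procedure, request):
    """Model of the rule described above (an assumption, not CM's code): one
    statement results when the NCA details are identical or empty in one
    place; otherwise both statements end up in the certificate."""
    proc_nca = (procedure.nca_name, procedure.nca_id)
    req_nca = (request.nca_name, request.nca_id)
    if proc_nca == req_nca or not any(proc_nca) or not any(req_nca):
        nca = proc_nca if any(proc_nca) else req_nca
        roles = tuple(dict.fromkeys(procedure.roles + request.roles))
        return [Psd2Statement(roles, *nca)]
    return [procedure, request]

def lint(org_id, statements):
    """Return findings for one issued certificate; an empty list means pass."""
    findings = []
    if len(statements) != 1:
        findings.append(f"expected 1 PSD2 QC statement, found {len(statements)}")
    m = ORG_ID_RE.fullmatch(org_id)
    if not m:
        findings.append("organizationIdentifier is not PSD<CC>-<NCA>-<number>")
        return findings
    expected = f"{m.group(1)}-{m.group(2)}"
    for st in statements:
        if not st.roles:
            findings.append("PSD2 QC statement has no PSP roles")
        if st.nca_id != expected:
            findings.append(f"NCA id {st.nca_id!r} does not match {expected!r}")
    return findings

# Constructed sample values (not from a real certificate).
PROCEDURE = Psd2Statement(nca_name="Example NCA", nca_id="XX-EXNCA")
REQUEST = Psd2Statement(roles=("PSP_AI", "PSP_PI"))

if __name__ == "__main__":
    print(lint("PSDXX-EXNCA-123456", merge_psd2(PROCEDURE, REQUEST)))
```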
- Create certificate procedure in Certificate Manager
- Create token procedure in Certificate Manager
- Smart ID Certificate Manager
- Registration Authority (RA) in Certificate Manager
- RA user interface in Certificate Manager
- Select fields in Registration Authority in Certificate Manager
- ETSI TS 119 495