Spojeni s důvěrou

Spojenie s dôverou

Connected with trust

D. Trust
Certifikačná Autorita a.s.

Spojeni s důvěrou

Spojení s dôverou

Connected with trust

 
Skip Navigation Links > Products > Qualified certificates > Qualified certificate for PSD2 > Obtain Qualified certificate for PSD2

Obtain Qualified certificate for PSD2


In order to obtain a qualified website authentication certificate for PSD2 (QWAC PSD2), it is necessary to first enter into a contract with První certifikační autorita, a.s. The following is a procedure for issuing QWAC PSD2 certificates for contract clients.

1. Creation of an electronic application

Qualified website authentication certificate for PSD2 - contains verifiable information about the owner / organization, domain name and further verifiable information - items O, OU, L, St, C, ID, TO…)

2. Transmission of the electronic application

The applicant shall send the application file in PKCS # 10 (.req) format by e-mail to ssl@ica.cz. 

  • The subject must state: "Application for QWAC certificate". 
  • The body of the email must include: 
  • either there is no CAA record, 
  • or a set of CAA records is found and at the same time is included declaration:
    • "I, below, hereby declare that all the information provided in the QWAC certificate request is true", 
    • Payment service provider information, ie National Competent Authority (NCA),
    • license number, list of PSD2 roles that the client requests to insert into the appropriate QWAC PSD2 certificate. 
  • The e-mail message must be provided with a qualified electronic signature according to EU Regulation No. 910/2014 - eIDAS 

The applicant shall also include in the e-mail the contact details - telephone, e-mail, postal address of the subject. 

The applicant acknowledges that the process of verification and issuance of the certificate may take min. 3 working days. 

3. Verification of certificate request

Verification of domain ownership

I.CA verifies DNS domain ownership in one of the following ways:

  • sends an e-mail requesting approval of the issue of an SSL certificate for DNS names contained in the submitted application to the e-mail address specified by the WHOIS domain contact containing the random string; (# number) indicates the subchapter number describing the BR authentication method.
  • I.CA sends to one of the emails admin, administrator, webmaster, hostmaster or postmaster @ domain a message requesting approval of the issue of SSL certificate for DNS names contained in the submitted application and containing a random string; the contact person sends the approval request containing this string back to I.CA (# 4),
  • The domain administrator creates a /.well-known/pki-validation/ directory on the server for the required FQDN, creating the ica.html file and containing the random string provided by I.CA (# 6).
  • the domain administrator creates a new CNAME or TXT DNS record for the requested FQDN, containing a random string specified by I.CA (# 7).

The validity of random strings is 30 days in all cases.

    Checking of CAA records 

    I.CA shall carry out a first check and: 

    • if a set of CAA records has been found, then it will wait for the longer of the values (time of TTL CAA records, 8 hours), 
    • if there is no CAA record, then it waits 8 hours and then performs a recheck. 

    The next steps of verifying the application and issuing the Certificate will only be continued if it is revealed during a re-inspection that: 

    • either there is no CAA record, 
    • or a set of CAA records is found and at the same time:
      • none of the set of CAA records contains an unknown tag and is not marked as critical,
      • and the set of CAA entries with the "issue" tag is empty or the content of any entry in the set of CAA entries with the "issue" tag is "ica.cz".

    Otherwise, the application is rejected. 

    4. Issue of the certificate

    After all the above-mentioned checks of the submitted electronic certificate request have been performed, the QWAC certificate is issued and sent to the applicant electronically via an e-mail message. 

    5. Renewal - issue of a subsequent certificate

    When requesting a certificate renewal, you must always send a new QWAC certificate request. QWAC certificates cannot be electronically renewed; QWAC certificates are always issued only for the first time. Information from the electronic QWAC certificate request must always be re-verified.

    The same documents can be used for verification if they are up to date and not older than 13 months.

    6. Revocation of the certificate

    Revocation of the certificate can be done in the usual way (web + revocation password, email + revocation password, signed email, registered mail + revocation password). 

    Registration authorities


     
    separator
    separator