Q: Can I update an eIDAS QSealC certificate myself?
A: Yes, you can perform eIDAS QSealC certificate update by yourself in our:
by logging in by your organisation owner's email and referring to:
How to use the 'Edit App' function and update your eIDAS certificate
We recommend replacing your existing certificate during nonbusiness hours as the update would take around 5 minutes (downtime). After that API calls will be approved using the new certificate.
Note: make sure you upload your eIDAS QSealC certificate into the proper field under eIDAS Certificate given to PSD2 license holders (marked yellow on the picture below):
Q: Does Nordea currently use Mutual TLS (mTLS) for PSD2 APIs? If yes, is mTLS achieved through QSealC certificate or else?
A: We currently do not support mTLS by QWAC or other means for PSD2 APIs. We use TLS as described in API Market specification for the encryption and support eIDAS QSEALc certificates for the signatures.
API Market (Sandbox Developer Portal)
Q: Do we lose access to connected accounts when certificates are changed? If we connect an account using certificate A and start using certificate B, will we still be able to retrieve data from the accounts connected with certificate A using the new certificate B?
A: The Client Application is connected to one eIDAS certificate at the time (certificate A). Certificate A can be replaced by eIDAS certificate B anytime via our Production Portal without losing access to accounts for customers with active consents and duration to the Client Application. The certificate A is by this action removed and certificate B will be active instead.
Q: Do your APIs support multiple production applications with different certificates for a single Third Party Provider? Our intention is to continue using our existing application with certificate A, while simultaneously creating another application with certificates B to connect accounts with.
A: Yes, our technical setup supports multiple production Applications with different/same certificates for a single Third Party Provider. It is recommended/practiced to keep the number of Client Applications at the necessary low numbers due to editing and maintenance reasons (changes/updates).
Q: While following your instructions:
How to use the 'Edit App' function and update your eIDAS certificate
We encountered this issue:
"eIDAS validation failed as the eIDAS Certificate is malformed, expired or invalid for other reason. Please, check the certificate and try again."
when trying to perform the certificate rotation by uploading the new eIDAS QSealC certificate in Production Portal. We tried several options to upload the cert: base64 encoded, the x5c-value from the jwks-endpoint and the decoded cert without the ----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines but something is wrong. Can you tell me what?
A: Make sure to provide an accurate eIDAS Public certificate key issued by the QTSP including the valid roles and for the relevant TPP. Refer to (Role validation in eIDAS certificate section):
What is a Software Statement Assertion (SSA) required for onboarding?
Note: If you still need our assistance, please share your eIDAS Public certificate key in text format for us to analyse your upload.
Q: After seemingly successful certificate upload, we get:
Response
"group_header": {
"message_identification": "212f2bd2c6471234",
"creation_date_time": "2024-01-31T07:22:46.04803484Z",
"http_code": 401
},
"error": {
"request": {
"url": "/personal/v5/authorize"
},
"failures": [
{
"code": "error.signature.invalid",
"description": "Signature is invalid."
What can be the issue?
A: Verify if you precisely followed our instructions:
How to use the 'Edit App' function and update your eIDAS certificate
and pasted the certificate in a proper field - under eIDAS Certificate given to PSD2 license holders (marked yellow on the picture below):
Q: Will an access token not be invalid when we change/update certificate for a customer who is using premium Instant Reporting API?
A: The certificate exchange will not affect any token.
Q: After the certificate update we are getting the following error response:
{"group_header":{"message_identification":"0efc30595c171234","creation_date_time":"2023-10-10T08:04:53.608458603Z","http_code":401},"error":{"request":{"url":"/business/v5/authorize"},"failures":[{"code":"error.certificate.invalid","description":"Certificate has expired or it has been revoked."}]}}
when calling:
POST /business/v5/authorize
What can be the root cause? Our certificate is valid.
A: Try to update the certificate according to:
How to use the 'Edit App' function and update your eIDAS certificate
without -----BEGIN CERTIFICATE----- / -----END CERTIFICATE-----
Q: Can you recommend some place where to buy QSealC certificate?
A: Refer to:
How do I get access to live PSD2 data?
Q: What will be the Application and Organisation names in Production Portal after performing PSD2 onboarding:
Compliance (PSD2) API Products Onboarding
A: The Application and Organisation names are created based on the details of eIDAS certificate - CN (Common Name) field within the certificate details (Details->Subject):
Note: When you've onboarded at least one application already and have access to our Production Portal, you can also create an app and add PSD2 subscriptions directly from Production Portal:
Creating an App and requesting for PSD2 subscription in Production Developer Portal - quick guide
You can easily find your Organisation by logging in to our Production Portal and selecting your Organisation (from the drop down menu) and choosing the App. Refer to:
How to view your organisation, invite additional users and change organisation ownership
Q: Does updating a certificate in Production Portal mean the certificate is rotated for all markets (FI, SE, DK, NO) and for Personal and Business segments?
A: The eIDAS certificate is connected to a given Client ID (application identifier), hence all existing PSD2 API subscriptions that are connected to a given Client ID will remain intact and cover the Nordic countries (FI, SE, DK, NO) for both Personal APIs and Business APIs.
after performing the onboarding by:
Compliance (PSD2) API Products Onboarding
Q: After successful PSD2 onboarding and the first request towards:
POST /personal/v5/authorize
we encounter the following error:
"httpCode": "401",
"httpMessage": "Unauthorized",
"moreInformation": "Invalid client id or secret."
What can be the reason?
A: Make sure that Client ID (API Key) and Client Secret (API Secret) values and formats (with or without hyphens) are exactly the same as in our Production Portal for a given application. Refer to: