...
shall not use punctuation signs, umlauts or cedilla;
in addition to alphanumeric characters, only the following special characters may be used:
Character | Code NBR9611 (hexadecimal) | Character | Code NBR9611 (hexadecimal) |
White space | 20 | + | 2B |
! | 21 | , | 2C |
“ | 22 | - | 2D |
# | 23 | . | 2E |
$ | 24 | / | 2F |
% | 25 | : | 3A |
& | 26 | ; | 3B |
‘ | 27 | = | 3D |
( | 28 | ? | 3F |
) | 29 | @ | 40 |
* | 2A | \ | 5C |
Algorithms
All certificates issued by ICP-Brasil must have the following characteristics:
...
The Client Certificate must be issued through the V10 chain, and must contain the following attributes:
Distinguished Name, as per the sequence bellow (details available in section 9.2):
businessCategory (OID 2.5.4.15): Type of business category, which must contain: "Private Organization" or "Government Entity" or "Business Entity" or "Non-Commercial Entity"
jurisdictionCountryName (OID: 1.3.6.1.4.1.311.60.2.1.3): BR
serialNumber (OID 2.5.4.5): CNPJ
countryName (OID 2.5.4.6): BR
organizationName (OID 2.5.4.10): Company Name
stateOrProvinceName (OID 2.5.4.8): Federation unit of the certificate holder's physical address
localityName (OID 2.5.4.7): City of the holder's physical address
organizationIdentifier (OID 2.5.4.97): Participant Code associated with the CNPJ listed in the Directory Service of Open Finance Brasil. *For certificates issued until August 31: organizationalUnitName (OID 2.5.4.11): Participant Code associated with the CNPJ listed in the Directory Service of Open Finance Brasil*
UID (OID 0.9.2342.19200300.100.1.1): Software Statement ID generated by Open Finance Brasil Directory
commonName (OID 2.5.4.3): FQDN or Wildcard
...
UID (OID 0.9.2342.19200300.100.1.1): Participant Code associated with the CNPJ listed in the Directory Service of Open Finance Brazil
countryName (OID 2.5.4.6): BR
organizationName (OID 2.5.4.10): ICP-Brasil
organizationalUnitName (OID 2.5.4.11): Certificate Authority Name
organizationalUnitName (OID 2.5.4.11): CNPJ of the Registration Authority
organizationalUnitName (OID 2.5.4.11): Type of identification used (in person, videoconference or digital certificate)
commonName (OID 2.5.4.3): Company Name
Certificate Extensions
keyUsage: critical,digitalSignature,nonRepudiation
...
ASPSP may choose the certificate that should be adopted for Open Data endpoints, which, by nature, are publicly accessible.
OFB Phase | group | endpoint | certificate type | mTLS |
NA | OIDC | .well-known/openid-configuration | EV or ICP WEB SSL | |
NA | OIDC | jwks_uri | EV or ICP WEB SSL | |
NA | OIDC | authorization_endpoint | EV | |
NA | OIDC | token_endpoint | ICP WEB SSL | Required |
NA | OIDC | userinfo_endpoint | ICP WEB SSL | Required |
NA | OIDC | pushed_authorization_request_endpoint | ICP WEB SSL | Required |
NA | DCR | registration_endpoint | ICP WEB SSL | Required |
NA | OIDC | revocation_endpoint | ICP WEB SSL | Required |
2 | Consentimentos | /consents/* | ICP WEB SSL | Required |
2 | Resources | /resources/* | ICP WEB SSL | Required |
2 | Dados | /customers/* | ICP WEB SSL | Required |
2 | Cartão | /credit-cards-accounts/* | ICP WEB SSL | Required |
2 | Contas | /accounts/* | ICP WEB SSL | Required |
2 | Empréstimos | /loans/* | ICP WEB SSL | Required |
2 | Financiamentos | /financings/* | ICP WEB SSL | Required |
2 | Adiantamento | /unarranged-accounts-overdraft/* | ICP WEB SSL | Required |
2 | Direitos Creditórios | /invoice-financings/* | ICP WEB SSL | Required |
3 | Pagamentos | /payments/* | ICP WEB SSL | Required |
3 | Webhook | /webhook/* | ICP WEB SSL | Required |
4 | Câmbio | /exchanges/* | ICP WEB SSL | Required |
4 | Investimentos | /credit-fixed-incomes/* | ICP WEB SSL | Required |
9. Open Finance Client Certificate Subject DN Pattern - After January 19, 2023 {#subjectDNtemplates}
...
check the JWKS of your software-id application
check the KID of the certificate you want the Subject DN for, customize the URL and access: https://keystore.directory.openbankingbrasil.org.br/<org-id>/<software-ID>/transport.jwks
search for the certificate’s KID, then search for the Claim: x5dn
...
9.1.1. JWKS with certificate’s information:
Example: https://keystore.directory.openbankingbrasil.org.br/d7384bd0-842f-43c5-be02-9d2b2d5efc2c/bc97b8f0-cae0-4f2f-9978-d93f0e56a833/transport.jwks
9.1.2. Public Key Certificate Example:
...
The table below presents the sequence in Relative Distinguished Name as per item 9.5. In order to check the sequential order of the subjectDN, refer to itens 9.2 and 5.2.2.1
RDN Order | OID | Attribute | ASN.1 - Bit String | Enconding |
1 | 2.5.4.3 | CN | #0C | UTF8 |
2 | 0.9.2342.19200300.100.1.1 | UID | #0C | UTF8 |
3 | 2.5.4.97 | organizationIdentifier | #0C | UTF8 |
4 | 2.5.4.7 | L | #0C | UTF8 |
5 | 2.5.4.8 | ST | #0C | UTF8 |
6 | 2.5.4.10 | O | #0C | UTF8 |
7 | 2.5.4.6 | C | #13 | PrintableString |
8 | 2.5.4.5 | serialNumber | #13 | PrintableString |
9 | 1.3.6.1.4.1.311.60.2.1.3 | jurisdictionCountryName | #13 | PrintableString |
10 | 2.5.4.15 | businessCategory | #0C | UTF8 |