As discussed in our FAQ, TrueLayer clients who are regulated in their own right for the provision of account information services and payment initiation services in Europe need to obtain eIDAS certificates, namely a PSD2 Qualified Web Authentication Certificate (QWAC) and a Qualified eSeal Certificate (QSealC).
Once a client has their eIDAS certificates, TrueLayer will be able to manage the rest of the process of connection using these certificates. To do this, the certificates must be shared with TrueLayer.
Securely send TrueLayer your eIDAS certificates
As a technical service provider, TrueLayer connects to bank APIs on behalf of clients. In order to do this, we need to identify ourselves to the bank with the relevant identification certificates.
This is for non-UK Open Banking access: we will need your eIDAS certificates to use directly with European banks.
Please send both the public certificate and the private key of your PSD2 eIDAS QWAC and QSealC.
How to send eIDAS certificates to TrueLayer
Using a Mac:
- Keep QWAC and QSealC files in separate directories called qwac and qseal
- Inside each of these directories there should be two files (a keypair): a private key generated by you and a public certificate issued by your QTSP. The public certificate is strictly associated with the private key you used to generate the CSR for your QTSP.
- Zip these two directories in a file called eidas.zip
- Add TrueLayer’s public key to your GPG key store
gpg --auto-key-locate clear,wkd,local --locate-keys email@example.com
- Encrypt the zip file containing your certificates
gpg --output encrypted.gpg --encrypt --recipient firstname.lastname@example.org eidas.zip
- Send the encrypted file to TrueLayer’s technical contacts via email to email@example.com
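The following pre-flight check is an added example, not TrueLayer's own tooling: before zipping and encrypting, it confirms that each directory holds exactly two files and that the certificate's public key matches the private key. The file names certificate.pem and private.key, PEM encoding, and a private key without a passphrase are assumptions not stated on this page.

```shell
#!/bin/sh
# Added example: pre-flight check to run before creating eidas.zip.
# Assumptions (not from the page): files are PEM-encoded, the private key is
# not passphrase-protected, and each directory uses the hypothetical names
# certificate.pem and private.key.

# Succeeds only if the certificate's public key equals the public half of the
# private key. Returns 2 if either file cannot be parsed.
keypair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Checks the qwac and qseal directories under $1 (default: current directory).
check_bundle() {
    base=${1:-.}
    for dir in qwac qseal; do
        cert="$base/$dir/certificate.pem"
        key="$base/$dir/private.key"
        if [ ! -f "$cert" ] || [ ! -f "$key" ]; then
            echo "$dir: expected $cert and $key" >&2
            return 1
        fi
        # The page asks for exactly two files per directory.
        count=$(find "$base/$dir" -type f | wc -l | tr -d ' ')
        if [ "$count" -ne 2 ]; then
            echo "$dir: found $count files, expected 2" >&2
            return 1
        fi
        if ! keypair_matches "$cert" "$key"; then
            echo "$dir: certificate does not match the private key" >&2
            return 1
        fi
        # -checkend 0 fails if the certificate has already expired.
        if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
            echo "$dir: certificate is expired or unreadable" >&2
            return 1
        fi
        echo "$dir: certificate and private key match"
    done
}

# Usage: check_bundle . && zip -r eidas.zip qwac qseal
```

A mismatch here usually means the private key on disk is not the one used to generate the CSR, which is cheaper to catch before the bundle is encrypted and sent.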
How we protect your eIDAS certificates
TrueLayer uses public-key encryption to receive your eIDAS keypairs securely. Public key encryption protects your important files in transit and at rest, preventing anyone other than TrueLayer from reading the contents, even if these files are misplaced or intercepted. When we receive your files, we decrypt them and store the content securely in our database. Access to these assets is strictly controlled and monitored.