Creating X.509 Keys

This page shows you how to create an X.509 certificate and its private key using Microsoft .NET, OpenSSL, or Java. You need an X.509 certificate (the public half of the key pair) to create a Financial Data API test application, and a self-signed one costs you nothing.

To use your application in production, the certificate must be signed by a Certificate Authority (CA) like VeriSign or Thawte, for a nominal fee. To get the certificate signed by a Certificate Authority see the instructions on the CA's website. Usually these are provided for many different development environments.

IMPORTANT: Please remember the location of your certificate/key-store files, application alias and the passwords you will be using during this process.

Creating a Self-Signed X.509 Certificate

You may use a self-signed certificate for testing your application.

The Financial Data API Facade supports the following digital signature algorithms: SHA1withRSA, MD5withRSA, or MD2withRSA; it does not support SHA256withRSA. All three digests are obsolete (MD2 and MD5 are collision-broken and SHA-1 is deprecated for signatures), so use SHA1withRSA, the least weak of the three. Note that OpenSSL 1.1.0 and later and current JDK keytool releases sign with SHA-256 by default, so you must request SHA-1 explicitly (-sha1 for openssl req, -sigalg SHA1withRSA for keytool) or the facade will reject the certificate.

The following instructions show how to generate a self-signed X.509 certificate in Java, OpenSSL, and .NET. Substitute your own values for the sample values such as "myapp" and "IppSampleStoreName". For more information on a particular technology such as OpenSSL, see that technology's documentation.


To generate a self-signed certificate in Java:

Step 1: From your JDK's bin directory, run the keytool utility with the following options. -genkeypair is the current name of the older -genkey; the key size is pinned to 2048 bits and the signature algorithm to SHA1withRSA because newer JDKs default to larger keys and SHA-256, neither of which the facade accepts:

keytool -genkeypair -alias myapp -validity 1095 -keyalg RSA -keysize 2048 -sigalg SHA1withRSA -keystore keystore.jks

Enter the information at the prompts. Note the alias, keystore password, and key password for later use.

Step 2: To list the content of the keystore, enter the following command:

keytool -list -v -keystore keystore.jks

Step 3: To list the contents of the self-signed certificate, enter the following command:

keytool -list -rfc -keystore keystore.jks

Step 4: Export the generated certificate to a file (in this example, myapp.crt).

keytool -export -rfc -alias myapp -keystore keystore.jks -file myapp.crt

Step 5: To convert the JKS keystore into a PKCS#12 keystore, which OpenSSL and .NET can read as well as Java, use the following command:

keytool -importkeystore -srckeystore keystore.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore myapp-keystore.p12

With -validity 1095 the certificate is valid for three years (if you omit the option, keytool's default is 90 days). Keeping the private key in the keystore lets you issue a fresh certificate for the same key when it expires instead of generating a new pair.

You can now submit the .crt file with the self-signed certificate.


OpenSSL

To generate an X.509 certificate you need access to an environment that can run OpenSSL commands.

  • Most Mac and Linux operating systems ship with OpenSSL.
  • Windows generally does not have OpenSSL. You need to download and install it separately.

Please follow these steps to generate a cert file:

Step 1: Open up a terminal or command line application.

Step 2: Copy and paste this command into your terminal to generate your .crt and .key files. The -sha1 option is required because the facade does not accept SHA-256 signatures, which OpenSSL 1.1.0 and later use by default. The -nodes option writes the private key unencrypted; omit it if you want the key protected by a passphrase.

Linux and Mac:

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -sha1 -keyout testapp1.key -out testapp1.crt

Windows:

openssl.exe req -x509 -nodes -days 365 -newkey rsa:1024 -sha1 -keyout testapp1.key -out testapp1.crt

Step 3: Press Enter to run the command.

Step 4: You are prompted for the subject information (country, organization, Common Name, and so on). Placeholder values are accepted for a self-signed test certificate.

Step 5: You should now have your X.509 certificate files with the file names testapp1.key and testapp1.crt.

  • testapp1.crt is your public certificate file.
  • testapp1.key is your private key file. Keep it private: anyone holding it can sign as your application.
  • The files are located in the directory where you ran the openssl command.
  • You can type pwd (cd on Windows) to find the location of the files, or use a search feature of your operating system.

Step 6: Copy and paste this command into your terminal to package the .crt and .key file into a .pfx (PKCS#12) file:

Linux and Mac:

openssl pkcs12 -export -in testapp1.crt -inkey testapp1.key -out testapp1.pfx

Windows:

openssl.exe pkcs12 -export -in testapp1.crt -inkey testapp1.key -out testapp1.pfx

Step 7: Press Enter to run the command.

Step 8: You are prompted for an export password. Create a password and save it; it is required whenever the .pfx file is opened. (You can add -passout pass:YOURPASSWORD to supply it non-interactively, but that puts the password in shell history and the process list, so prefer a prompt or -passout file:... outside of throw-away test setups.)

Step 9: You should now have your PKCS#12 file with the file name testapp1.pfx.
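The OpenSSL steps above as one non-interactive script, with the checks worth running before an upload. This is an added example and not part of the original page: it assumes a POSIX shell with openssl in PATH, writes to a throw-away directory, and uses "testapp1", the subject "/CN=testapp1/O=Example" and the export password "facade" as placeholders. Besides generating and packaging the files, it reads back the signature algorithm and key size so you can confirm the certificate is one the facade will accept (SHA1withRSA, RSA key of at most 2048 bits), and it verifies that the key inside the .pfx really belongs to the certificate.

```shell
#!/bin/sh
# Added example, not from the original page: generate the self-signed test
# certificate with OpenSSL, check it against the facade's stated limits, and
# package it as PKCS#12 without prompts. "testapp1", the subject and the
# password "facade" are placeholders; pick your own.
set -eu

WORK="${WORK:-$(mktemp -d)}"       # scratch directory for the generated files
trap 'rm -rf "$WORK"' EXIT

# Generate a private key and a self-signed certificate in one step.
#   -sha1  : the facade accepts only SHA1/MD5/MD2withRSA, while OpenSSL 1.1.0+
#            signs with SHA-256 by default, so the digest must be forced.
#   -nodes : write the private key unencrypted (drop it for a passphrase prompt).
#   -subj  : supply the subject so nothing is asked interactively.
gen_selfsigned() {            # $1 = base name, $2 = days valid, $3 = RSA key bits
    openssl req -x509 -nodes -days "$2" -newkey "rsa:$3" -sha1 \
        -subj "/CN=$1/O=Example" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Print the signature algorithm recorded in a certificate, e.g. sha1WithRSAEncryption.
cert_sigalg() {               # $1 = certificate file (PEM)
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Print the RSA modulus size in bits (1024 or 2048 for this facade).
cert_key_bits() {             # $1 = certificate file (PEM)
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed only if the file is a Base-64 PEM certificate, which is what the upload expects.
is_pem_cert() {               # $1 = file
    grep -q '^-----BEGIN CERTIFICATE-----$' "$1"
}

# Bundle certificate and key into a password-protected PKCS#12 file, then prove the
# bundle opens with that password and that the key really belongs to the certificate
# (identical RSA modulus on both sides).
make_pfx() {                  # $1 = base name, $2 = export password
    openssl pkcs12 -export -in "$WORK/$1.crt" -inkey "$WORK/$1.key" \
        -out "$WORK/$1.pfx" -passout "pass:$2"
    openssl pkcs12 -in "$WORK/$1.pfx" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject >/dev/null
    cert_mod=$(openssl x509 -in "$WORK/$1.crt" -noout -modulus)
    key_mod=$(openssl rsa -in "$WORK/$1.key" -noout -modulus 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ]
}

gen_selfsigned testapp1 365 1024
make_pfx testapp1 facade
echo "signature algorithm: $(cert_sigalg "$WORK/testapp1.crt")"
echo "RSA key size:        $(cert_key_bits "$WORK/testapp1.crt") bits"
echo "files in:            $WORK"
```

Run it with sh, then copy testapp1.crt and testapp1.pfx out of the scratch directory before the script's exit trap removes it (or set WORK to a directory you keep). For anything beyond a test setup, drop -nodes so the key is encrypted on disk and feed the export password from a file (-passout file:...) or an environment variable (-passout env:VAR) rather than the command line.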

Microsoft .NET

exe: MakeCert.exe

Location: C:\Program Files\Microsoft Visual Studio 9.0\Common7\Tools (MakeCert also ships with the Windows SDK; Microsoft has since deprecated it in favor of the PowerShell cmdlet New-SelfSignedCertificate, but the steps below work wherever MakeCert is still installed)

Step 1: Create the .cer and .pvk; you are prompted to create a password that protects the .pvk private key file. MakeCert signs with SHA-1 by default, which the facade accepts. The output certificate file name goes last:

MakeCert -r -pe -ss IPPSampleStoreName -n "CN=IPPSample" -sky exchange -sv IPPSample.pvk IPPSample.cer

Step 2: Export the certificate to Base64 format.

Note: Be sure to export the certificate to Base64 format before uploading it.

  • Open IPPSample.cer (either start ippsample.cer from command line or double click it from an explorer window).
  • Select Details tab, and click the Copy to File button.
  • In the Export Wizard, select Next, Base-64 encoded X.509(.CER), Next, Enter a file name, Finish.

Step 3: Combine both files into the .pfx file which is easily used by the .Net framework. Password is "facade" for this example:

pvk2pfx -pvk IPPSample.pvk -pi facade -spc IPPSample.cer 
        -pfx IPPSample.pfx -f

Certificates in .PEM Format

If you choose to upload a .PEM file, the certificate must be Base-64 encoded (a text file whose body sits between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, which is what OpenSSL and keytool -export -rfc write) and carry an RSA key of at most 2048 bits; the examples on this page generate 1024-bit keys. A binary DER .cer file, such as MakeCert produces, must first be converted with the Export Wizard described above.


Convert jks keystore to p12 keystore

If you have the keytool application and your JKS file, run the following one-line command (shown wrapped for readability):

keytool -importkeystore -srckeystore [MY_KEYSTORE.jks] -destkeystore [MY_FILE.p12] -deststoretype PKCS12 -deststorepass [PASSWORD_PKCS12] -srcstorepass [PASSWORD_JKS]

You need to modify these parameters:

Parameter          Description
MY_KEYSTORE.jks    Path to the keystore that you want to convert.
MY_FILE.p12        Path to the PKCS#12 file (.p12 or .pfx extension) that is going to be created.
PASSWORD_PKCS12    Password that is requested when the PKCS#12 file is opened.
PASSWORD_JKS       Password that is requested when the JKS file is opened.

Passwords given on the command line end up in your shell history; omit the two -*storepass options and keytool prompts for them instead.

Generating a PEM file

Step 1: Run openssl to generate a PEM file containing only the private key. You are prompted for the PKCS#12 password and then for a passphrase for the new PEM file (add -nodes to write it unencrypted):

openssl.exe pkcs12 -in [MY_FILE.p12] -nocerts -out [PRIVATE_KEY_FILE.pem]

Step 2: Convert that file to a PEM file holding the private key in RSA (PKCS#1, "BEGIN RSA PRIVATE KEY") format. With OpenSSL 3.0 and later add -traditional, otherwise the output stays in PKCS#8 ("BEGIN PRIVATE KEY") form:

openssl.exe rsa -in [PRIVATE_KEY_FILE.pem] -out [PRIVATE_KEY_RSA.pem]

You need to modify these parameters:

Parameter               Description
MY_FILE.p12             Path to the PKCS#12 file that holds the certificate and private key.
PRIVATE_KEY_FILE.pem    Path to the PEM file created in step 1 (private key only).
PRIVATE_KEY_RSA.pem     Path to the PEM file created in step 2, which has the private key in RSA format.

Supported CA Certificates

The Finicity Facade supports certificates issued under the following CA certificates:

AddTrust Class 1, AddTrust External CA Root, AddTrust Qualified, America Online Root, Baltimore CyberTrust Code Signing Root, Baltimore CyberTrust Root, Certplus Class 2 Primary, Certplus Class 3P Primary, Certum, Certum Trusted Network, Chambers of Commerce Root, Comodo AAA Certificate Services, Deutsche Telekom Root, DigiCert, DigiCert Global Root, DigiCert High Assurance EV Root, Entrust Root, Secure Server, Equifax Secure, Equifax Secure eBusiness, Equifax Secure Global eBusiness, GeoTrust Global, GeoTrust Primary, GeoTrust Universal, Global Chambersign Root, GlobalSign Root, Go Daddy Class 2, Go Daddy Intermediate, GTE CyberTrust Global Root, GTE CyberTrust Root 5, KEYNECTIS ROOT, QuoVadis Root, QuoVadis Root 2, Security Communication EV RootCA1, Security Communication RootCA1, Security Communication RootCA2, Sonera Class1, Sonera Class2, Starfield Class 2, SwissSign Gold, SwissSign Platinum, SwissSign Silver, TC TrustCenter Class 4, TC TrustCenter Universal, Thawte Personal Freemail, Thawte Premium Server, Thawte Primary Root, Thawte Server, Thawte Timestamping, TrustCenter, T-TeleSec GlobalRoot Class 2, T-TeleSec GlobalRoot Class 3, UTN - DATACorp SGC, UTN-USERFirst-Client Authentication and Email, UTN-USERFirst-Hardware, UTN-USERFirst-Object, ValiCert Class 1 Policy, ValiCert Class 2, VeriSign Class 1 Public Primary, VeriSign Class 2 Public Primary, VeriSign Class 3 Public Primary, VeriSign Universal Root

Note: To complete your integration, you need to upload your X.509 certificate. If you choose to upload a .PEM file, the certificate must be Base-64 encoded with up to a 2048-bit RSA key.





