Creating X.509 Keys

This page shows you how to create your public and private X.509 keys (or certificates) using Microsoft .NET, OpenSSL, or Java. You need an X.509 public key to create a Financial Data API test application and it doesn't cost you anything.

To use your application in production, the certificate must be signed by a Certificate Authority (CA) like VeriSign or Thawte, for a nominal fee. To get the certificate signed by a Certificate Authority see the instructions on the CA's website. Usually these are provided for many different development environments.

IMPORTANT: Please remember the location of your certificate/key-store files, application alias and the passwords you will be using during this process.

Creating a Self-Signed X.509 Certificate

You may use a self-signed certificate for testing your application.

The Financial Data API Facade supports the following digital signature algorithms: SHA1withRSA, MD5withRSA, or MD2withRSA; it does not support SHA256withRSA.

The following instructions show how to generate a self-signed X.509 certificate in Java, OpenSSL, and .NET. Substitute your own values for the sample values such as "myapp" and "IppSampleStoreName". For more information on a particular technology such as OpenSSL, see that technology's documentation.

Java

To generate a self-signed certificate in Java:

Step 1: From your JDK/jre/bin location, run the JDK KeyTool utility with the following options:

keytool -genkey -alias myapp -validity 1095 -keyalg RSA -keystore keystore.jks

Enter the information at the prompts. Note the alias, keystore password, and key password for later use.

Step 2: To list the content of the keystore, enter the following command:

keytool -list -v -keystore keystore.jks

Step 3: To list the contents of the self-signed certificate, enter the following command:

keytool -list -rfc -keystore keystore.jks

Step 4: Export the generated certificate to a file (in this example, myapp.crt).

keytool -export -rfc -alias myapp -keystore keystore.jks -file myapp.crt

Step 5: To convert the JKS keystore into a PKCS#12 keystore package, use the following command:

keytool -importkeystore -srckeystore keystore.jks -srcstoretype JKS -deststoretype PKCS12 
        -destkeystore myapp-keystore.p12

The Java certificate is valid for one year. Keeping your certificate and keystore in a package allows you to update the certificate when it expires.

You can now submit the .crt file with the self-signed certificate.

OpenSSL

To generate an X.509 certificate you need access to an environment that can run OpenSSL commands.

  • Most Mac and Linux operating systems have OpenSSL.
  • Windows generally does not have OpenSSL. You need to download and install it from here: http://slproweb.com/products/Win32OpenSSL.html.

Please follow these steps to generate a cert file:

Step 1: Open up a terminal or command line application.

Step 2: Copy and paste this command into your terminal, to generate your .crt and .key files:

Linux and Mac:

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout testapp1.key -out testapp1.crt 

Windows:

openssl.exe req -x509 -nodes -days 365 -newkey rsa:1024 -keyout testapp1.key -out testapp1.crt

Step 3: Press Enter to run the command.

Step 4: You are prompted to enter information. Fill out the information. This step accepts fake values.

Step 5: You should now have your X.509 certificate files with the file names testapp1.key and testapp1.crt.

  • testapp1.crt is your public certificate file.
  • testapp1.key is your private key file.
  • The files are located in the directory where you ran the openssl command.
  • You can type pwd to find the location of the files, or use the search feature of your operating system.

Step 6: Copy and paste this command into your terminal, to package the .crt and .key file into a .pfx file:

Linux and Mac:

openssl pkcs12 -export -in testapp1.crt -inkey testapp1.key -out testapp1.pfx

Windows:

openssl.exe pkcs12 -export -in testapp1.crt -inkey testapp1.key -out testapp1.pfx

Step 7: Press Enter to run the command.

Step 8: You are prompted to enter a password. Create a password and save it for when you use the .pfx file.

Step 9: You should now have your PKCS#12 file with the file name testapp1.pfx.
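As an added check (an example script, not part of the original article): after Step 9, confirm that the certificate meets the limits this page states before uploading it. It assumes the openssl CLI is on the PATH; the gen_test_cert helper wraps the Step 2 command and adds -subj and a digest flag, because current OpenSSL (and keytool) default to SHA-256 signatures, which the Facade does not accept per the algorithm list above.

```shell
#!/bin/sh
# Added example, not part of the original article. Requires the openssl CLI.

# Print the signature algorithm name of a PEM certificate (first match is
# the TBSCertificate field, e.g. sha1WithRSAEncryption).
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -m1 'Signature Algorithm:' | awk '{print $3}'
}

# Print the RSA modulus size in bits ("Public-Key: (1024 bit)" line).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -m1 'Public-Key: (' | sed 's/.*(\([0-9]*\) bit).*/\1/'
}

# Return 0 when the file is a Base-64 PEM certificate, signed with one of
# the algorithms the article lists (SHA1withRSA, MD5withRSA, MD2withRSA;
# SHA256withRSA is rejected) and carrying a 1024- to 2048-bit RSA key.
check_cert_for_facade() {
    cert="$1"
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" \
        || { echo "not a Base-64 PEM certificate: $cert"; return 1; }
    alg=$(cert_sig_alg "$cert")
    case "$alg" in
        sha1WithRSAEncryption|md5WithRSAEncryption|md2WithRSAEncryption) ;;
        *) echo "unsupported signature algorithm: ${alg:-unknown}"; return 1 ;;
    esac
    bits=$(cert_key_bits "$cert")
    case "$bits" in
        ''|*[!0-9]*) echo "could not read RSA key size"; return 1 ;;
    esac
    if [ "$bits" -lt 1024 ] || [ "$bits" -gt 2048 ]; then
        echo "unsupported key size: $bits bits"; return 1
    fi
    echo "OK: $alg with $bits-bit RSA key"
}

# Non-interactive variant of the Step 2 command: $1 is the output prefix,
# $2 the RSA size, $3 the digest ("sha1" matches the SHA1withRSA requirement).
gen_test_cert() {
    openssl req -x509 -nodes -days 365 -newkey rsa:"$2" -"$3" \
        -subj "/CN=testapp1" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
```

Run `check_cert_for_facade testapp1.crt` on the file from Step 5; the same check works on the .crt exported by keytool or the Base-64 .cer exported by the .NET wizard.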

Microsoft .NET

exe: MakeCert.exe

Location: C:\Program Files\Microsoft Visual Studio 9.0\Common7\Tools

Step 1: Create the .cer and .pvk files; you are prompted to create a password:

MakeCert -r -pe -ss IPPSampleStoreName -n "CN=IPPSample" IPPSample.cer 
         -sky exchange -sv IPPSample.pvk

Step 2: Export the certificate to Base64 format.

Note: Be sure to export the certificate to Base64 format before uploading it.

  • Open IPPSample.cer (either run ippsample.cer from the command line or double-click it in an Explorer window).
  • Select the Details tab, and click the Copy to File button.
  • In the Export Wizard, select Next, Base-64 encoded X.509 (.CER), Next, enter a file name, Finish.

Step 3: Combine both files into the .pfx file, which is easily used by the .NET framework. The password is "facade" for this example:

pvk2pfx -pvk IPPSample.pvk -pi facade -spc IPPSample.cer 
        -pfx IPPSample.pfx -f

Certificates in .PEM Format

If you choose to upload a .PEM file, the certificate must be Base-64 encoded with 1024-bit RSA key. The following example shows an X.509 certificate that is Base-64 encoded:


Convert jks keystore to p12 keystore

If you have the keytool application and your JKS file, run the following one-line command:

keytool -importkeystore -srckeystore [MY_KEYSTORE.jks] 
        -destkeystore [MY_FILE.p12]
        -deststoretype PKCS12 
        -deststorepass [PASSWORD_PKCS12] 
        -srcstorepass [PASSWORD_JKS]

You need to modify these parameters:

Parameter         Description
MY_KEYSTORE.jks   Path to the keystore that you want to convert.
MY_FILE.p12       Path to the PKCS#12 file (.p12 or .pfx extension) that is going to be created.
PASSWORD_PKCS12   Password that is requested when the PKCS#12 file is opened.
PASSWORD_JKS      Password that is requested when the JKS file is opened.

Generating a PEM file

Step 1: Run openssl to generate a PEM file containing only the private key.

openssl.exe pkcs12 -in [MY_FILE.p12] -nocerts -out [PRIVATE_KEY_FILE.pem]

You need to modify these parameters:

Parameter          Description
PRIVATE_KEY_FILE   Path to the PEM file that is created in step 2.
PRIVATE_KEY_RSA    Path to the PEM file that is going to be created, which has a private key in RSA format.

Supported CA Certificates

TO-DO: VALIDATE THESE. The Finicity Facade supports the following certificates:

AddTrust Class 1, AddTrust External CA Root, AddTrust Qualified, America Online Root, Baltimore CyberTrust Code Signing Root, Baltimore CyberTrust Root, Certplus Class 2 Primary, Certplus Class 3P Primary, Certum, Certum Trusted Network, Chambers of Commerce Root, Comodo AAA Certificate Services, Deutsche Telekom Root, DigiCert, DigiCert Global Root, DigiCert High Assurance EV Root, Entrust Root, Entrust.net, Entrust.net Secure Server, Equifax Secure, Equifax Secure eBusiness, Equifax Secure Global eBusiness, GeoTrust Global, GeoTrust Primary, GeoTrust Universal, Global Chambersign Root, GlobalSign Root, Go Daddy Class 2, Go Daddy Intermediate, GTE CyberTrust Global Root, GTE CyberTrust Root 5, KEYNECTIS ROOT, QuoVadis Root, QuoVadis Root 2, Security Communication EV RootCA1, Security Communication RootCA1, Security Communication RootCA2, Sonera Class1, Sonera Class2, Starfield Class 2, SwissSign Gold, SwissSign Platinum, SwissSign Silver, TC TrustCenter Class 4, TC TrustCenter Universal, Thawte Personal Freemail, Thawte Premium Server, Thawte Primary Root, Thawte Server, Thawte Timestamping, TrustCenter, T-TeleSec GlobalRoot Class 2, T-TeleSec GlobalRoot Class 3, UTN - DATACorp SGC, UTN-USERFirst-Client Authentication and Email, UTN-USERFirst-Hardware, UTN-USERFirst-Object, ValiCert Class 1 Policy, ValiCert Class 2, VeriSign Class 1 Public Primary, VeriSign Class 2 Public Primary, Verisign Class 3 Public Primary, VeriSign Universal Root

Note: To complete your integration, you need to upload your X.509 certificate. If you choose to upload a .PEM file, the certificate must be Base-64 encoded with up to a 2048-bit RSA key.
