<p><strong>eIDAS certificates</strong> (Powens blog, published 2018-07-25, <a href="https://www.powens.com/fr/blog/eidas-certificates/">https://www.powens.com/fr/blog/eidas-certificates/</a>)</p>

<p>Once licensed, TPPs are entered in a national register. In addition, TPPs will be able to obtain eIDAS certificates to authenticate themselves and to sign their API calls.</p>

<p>There are two types of certificate:</p>

<ul>
<li><em>QWAC</em> (<em>Qualified Website Authentication Certificates</em>), which must be used to encrypt communications over TLS;</li>
<li><em>QSealC</em> (<em>Qualified Electronic Seal Certificates</em>), whose purpose is to sign requests.</li>
</ul>

<p>Both types of certificate are issued by <em>QTSPs</em> (<em>Qualified Trust Service Providers</em>), certification authorities recognised in Europe for issuing eIDAS certificates.</p>

<p>Both have a role to play in PSD2 APIs. The first is presented by the TPP when the TLS session is established; the web server must therefore not only validate that it was correctly issued by a QTSP, but also extract from the X.509 certificate the information corresponding to the TPP's licence.</p>

<p><em>ETSI</em> (the <em>European Telecommunications Standards Institute</em>) <a href="https://www.etsi.org/deliver/etsi_ts/119400_119499/119495/01.01.01_60/ts_119495v010101p.pdf">published the standard in May 2018</a> that defines the naming to follow within an X.509 certificate to embed PSD2-related information. This is carried in the certificate's <em>O(rganization)</em> field, by concatenating the following elements:</p>

<ul>
<li>"PSD"</li>
<li>the ISO 3166 code of the country of the NCA (the national competent authority)</li>
<li>"-"</li>
<li>the identifier of the NCA</li>
<li>"-"</li>
<li>the TPP's licence number issued by the NCA</li>
</ul>

<p>For example, the <em>O</em> field of Budget Insight's certificate will be <em>"PSDFR-ACPR-16948"</em>.</p>

<p>This is the information the ASPSP must also validate against the authority's register, in order to confirm the TPP's right to operate. The QTSP is qualified to check that a TPP holds a licence at a given moment, but the certificate has a lifetime of several years.</p>

<p>The second certificate is used to sign requests within the HTTP session. The <a href="https://www.stet.eu/en/psd2/">STET API</a> relies on the <a href="https://datatracker.ietf.org/doc/draft-cavage-http-signatures/">HTTP Signature</a> specification (still a <em>draft</em>) to sign the content. Version 1.4 of the STET API will include the mechanism for transmitting the certificate, based on a URL placed in the <em>keyId</em> field.</p>

<blockquote>
<pre><code>POST /v1/payment-requests HTTP/1.1
Date: 2018-07-08T09:33:55.375+02:00
PSU-Date: 2018-07-08T09:33:55.954+02:00
Accept: application/hal+json; charset=utf-8
PSU-GEO-Location: GEO:52.506931,13.144558
X-Request-ID: GGF3YUD3BDJK
PSU-Referer: https://demo.biapi.pro/2.0/auth/share/
PSU-IP-Port: 12345
PSU-Accept: text/plain
Authorization: Bearer X1xTLdRL3KpNya/QUTN_9Ggtdr9QFHaj
PSU-Accept-Charset: utf-8
PSU-Accept-Encoding: gzip, deflate
PSU-IP-Address: 10.10.10.10
PSU-User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36
PSU-HTTP-Method: POST
PSU-Accept-Language: en-US
Content-Type: application/json
User-Agent: Budgea/2.0
Digest: SHA-256=T7FMsJqT/o8xiHbq/GoeI879JoC0Je77w5fTUlpCyrM=
Content-Length: 1589
Signature: keyId="https://biapi.pro/qsealc.crt",algorithm="rsa-sha256",headers="date psu-date accept psu-geo-location x-request-id psu-referer psu-ip-port psu-accept authorization psu-accept-charset psu-accept-encoding psu-ip-address psu-user-agent psu-http-method psu-accept-language content-type user-agent digest content-length (request-target)",signature="tCYCZAGxVZLMlo87gHeXyPs2RkoNvOhCdsPvjkGhwkHlU1kT8xRBT3lybCT2UcjFrd2WroWaXexC3pYNYHJTwPN9HRV6dVXNRn3Ba2/BOA2n2g/+RELeAX318buwuEzQqAUOfci9d6d52X00+a5Dpb7h91T0zZuMBsPcxK6n2Sw="</code></pre>
</blockquote>

<p>Attention should be paid to the <em>Digest</em> header, which carries a hash of the <em>body</em> (not reproduced here), and to the <em>Signature</em> header, which is made up of a <em>keyId</em> holding the URL of the certificate, the algorithm used, the list of headers that are signed, and the signature itself.</p>