
I am trying to create a Java server which could verify a client QWAC certificate (TLS). I load into trustcacerts the certificates from all URLs from https://ec.europa.eu/tools/lotl/eu-lotl.xml in tags, then via Postman try to make a request over HTTPS to my server (with the PFX of the QWAC certificate connected), but get an error: SSL Error: Unable to verify the first certificate. Please help, what am I doing wrong and how do I verify the client certificate? Thanks!

  • Does this answer your question? [OpenSSL: unable to verify the first certificate for Experian URL](https://stackoverflow.com/questions/7587851/openssl-unable-to-verify-the-first-certificate-for-experian-url) – pringi Mar 31 '22 at 11:32
  • Thanks for the answer, but I think not. It's something specific to eIDAS certificates – Николай Деменков Mar 31 '22 at 11:37
  • I think this is not so simple. You need to go to each national authority (for example http://www.nmhh.hu/tl/pub/HU_TL.xml), then you need to choose the right root certificates (because not all are used for QWAC) and add those (probably full chains). Also remember that if you want to really validate a QWAC for PSD2 you need to check its properties + revocation lists + passporting rights. – Fedor Mar 31 '22 at 12:14
  • Yes, I get the root certificate for each country, from the tag, or what do you mean? – Николай Деменков Mar 31 '22 at 12:25
  • I suspect you're still missing certificates. It's been a while, but I seem to remember that some of the LOTL-certificates were signed by authorities that weren't in my `cacerts`. So to construct a full chain of trust, I also needed to load in certificates from Microsoft Trusted Root Certificate Program. Be warned that it is **_NOT_** enough to only validate the chain of trust though. You also need to check `organizationIdentifier (OID: 2.5.4.97)` and `qcStatements (OID: 1.3.6.1.5.5.7.1.3)` and validate this information against e.g. the Preta directory. – Rune Vikestad May 23 '22 at 07:54

1 Answer


This is an old question, but maybe my answer will be relevant for someone.

I wrote a script extracting CA certificates from the eIDAS Trust List: https://github.com/fed239/eidas-tsp-certificates-extractor

The extracted certificates are to be put in a trust store used for verification of client certificates.

Fedor
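As an added example (not from the question, the answer, or the linked extractor repository), this is how the selection Fedor describes in the comments can be done over a national trusted list: keep only CA/QC services whose status is granted and which are flagged for website authentication, then emit PEM for a Java trust store. The XML fragment is constructed to follow the ETSI TS 119 612 trusted-list structure and the certificate bodies are placeholder bytes, not real certificates.

```python
import base64
import xml.etree.ElementTree as ET

# Namespace and identifiers defined by ETSI TS 119 612 for the EU trusted lists.
NS = {"tsl": "http://uri.etsi.org/02231/v2#"}
CA_QC = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"
GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
WITHDRAWN = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn"
FOR_WEBSITE_AUTH = "http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/ForWebSiteAuthentication"
FOR_ESEALS = "http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/ForeSeals"

def service_xml(cert_der, status, qualifier):
    """One minimal TSPService entry (constructed test data, not a real list)."""
    b64 = base64.b64encode(cert_der).decode()
    return ("<tsl:TSPService><tsl:ServiceInformation>"
            f"<tsl:ServiceTypeIdentifier>{CA_QC}</tsl:ServiceTypeIdentifier>"
            "<tsl:ServiceDigitalIdentity><tsl:DigitalId>"
            f"<tsl:X509Certificate>{b64}</tsl:X509Certificate></tsl:DigitalId></tsl:ServiceDigitalIdentity>"
            f"<tsl:ServiceStatus>{status}</tsl:ServiceStatus>"
            "<tsl:ServiceInformationExtensions><tsl:Extension Critical=\"false\"><tsl:AdditionalServiceInformation>"
            f"<tsl:URI>{qualifier}</tsl:URI></tsl:AdditionalServiceInformation></tsl:Extension>"
            "</tsl:ServiceInformationExtensions></tsl:ServiceInformation></tsl:TSPService>")

# Constructed national list: one usable QWAC CA, one withdrawn QWAC CA, one eSeal CA (placeholder bytes).
SAMPLE_TL = (f"<tsl:TrustServiceStatusList xmlns:tsl=\"{NS['tsl']}\">"
             "<tsl:TrustServiceProviderList><tsl:TrustServiceProvider><tsl:TSPServices>"
             + service_xml(b"placeholder QWAC CA", GRANTED, FOR_WEBSITE_AUTH)
             + service_xml(b"placeholder old QWAC CA", WITHDRAWN, FOR_WEBSITE_AUTH)
             + service_xml(b"placeholder eSeal CA", GRANTED, FOR_ESEALS)
             + "</tsl:TSPServices></tsl:TrustServiceProvider></tsl:TrustServiceProviderList></tsl:TrustServiceStatusList>")

def qwac_ca_certs(tl_xml):
    """DER bytes of every CA/QC certificate that is currently granted and flagged for website authentication."""
    root = ET.fromstring(tl_xml)
    certs = []
    for info in root.iterfind(".//tsl:TSPService/tsl:ServiceInformation", NS):
        if info.findtext("tsl:ServiceTypeIdentifier", "", NS) != CA_QC or info.findtext("tsl:ServiceStatus", "", NS) != GRANTED:
            continue  # withdrawn or deprecated CAs must not end up in the trust store
        uris = {(u.text or "").strip() for u in info.iterfind(".//tsl:AdditionalServiceInformation/tsl:URI", NS)}
        if FOR_WEBSITE_AUTH not in uris:
            continue  # eSeal / eSignature CAs are not QWAC issuers
        for cert in info.iterfind(".//tsl:X509Certificate", NS):
            certs.append(base64.b64decode("".join(cert.text.split())))
    return certs

def to_pem(der):
    """Wrap DER bytes as a PEM block ready for `keytool -importcert`."""
    body = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(body[i:i + 64] for i in range(0, len(body), 64)) + "\n-----END CERTIFICATE-----\n"
```

Import the resulting PEM files with `keytool -importcert` into the trust store the server's SSLContext uses for client authentication. As Fedor and Rune point out above, a successful chain check is only the first step: qcStatements, organizationIdentifier and revocation status still have to be verified in the application.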