  • Multicert root certificate is not trusted (PSD2)

Hello,

I am trying to register a PSD2 service provider by following the instructions here: https://doc.bunq.com/#/psd2.

When I call POST v1/payment-service-provider-credential I am getting back the following error:

Error message: Certificate root is not trusted. Make sure that the last certificate in the chain is the root certificate.

My certificate chain is the following:

  • MULTICERT Root Certification Authority 01
  • MULTICERT Trust Services Certification Authority 005

This website https://esignature.ec.europa.eu/efda/tl-browser/#/screen/tl/PT/5 indicates that the MULTICERT Root Certification Authority 01 has been Withdrawn. I have tried to submit the certificate chain with and without the MULTICERT Root Certification Authority 01 certificate and neither has worked.

Here are a few request IDs associated with my different attempts:

  • 456db879-8c9f-4046-b763-a96abc91e084
  • ccfe07c1-837f-4735-b73f-a4d622cfa234
  • b7293eca-4e93-4872-825e-aa0e5e6fa7d5
  • 8b1e27d8-70f5-4b48-9dca-3d01c3bbdfba

Can you help me figure out what is going on here?

Cheers,
Ryan

    Ryan changed the title to Multicert root certificate is not trusted (PSD2).

      Hey @Nikoleta, thanks for the quick reply.

      I used the instructions in that article to ensure the certificate chain was correct. I also tried every combination/ordering of the two certificates in the chain to validate that I had not made some simple error. Was there something specific on your end that indicated the chain was incorrectly constructed?

      Cheers,
      Ryan

        @New-Olive-Husky-2854555666#233043 Did you try this as a root instead? http://pkiroot.multicert.com/cert/index.html I tried it together with the "MULTICERT Trust Services Certification Authority 005" on my local machine's OpenSSL and it validated fine. Also that root is still valid until 2030 or so, so probably bunq has it in their trust store.

        To be exact: https://bin.veracry.pt/?9f8e7e10dd67d62b#D7cuPWnVuw2YK4iiLJhAuK8a8q3aaKJaxSsBzn7NNjRN
        And this tool https://certificatechain.io also gives the same output as the root cert that I found, so yes, pretty sure that's the correct one ;)

          @Jakob-Y#233050

          I did try to use that certificate as the root cert and I got a different error. I agree that the certificate says it should be valid but the EU Trust Services Dashboard has conflicting information.

          Some examples of what I tried and the resulting errors:

          The intermediate then the root cert
          chain file:
          cat MULTICERT_Trust_Services_Certification_Authority_005.pem MULTICERT_Root_Certification_Authority_01.pem > chain.pem
          error:
          Error message: Certificate root is not trusted. Make sure that the last certificate in the chain is the root certificate.

          The root cert then the intermediate
          chain file:
          cat MULTICERT_Root_Certification_Authority_01.pem MULTICERT_Trust_Services_Certification_Authority_005.pem > chain.pem
          error:
          Error message: Certificate "MULTICERT Root Certification Authority 01" expects the next certificate in the chain to be "MULTICERT Trust Services Certification Authority 005". Make sure the order of intermediate and root certificates are correct.

          Only the intermediate cert
          chain file:
          cat MULTICERT_Trust_Services_Certification_Authority_005.pem > chain.pem
          error:
          Error message: Certificate root is not trusted. Make sure that the last certificate in the chain is the root certificate.

          Only the root cert
          chain file:
          cat MULTICERT_Root_Certification_Authority_01.pem > chain.pem
          error:
          Error message: Certificate "MULTICERT Root Certification Authority 01" expects the next certificate in the chain to be "MULTICERT Trust Services Certification Authority 005". Make sure the order of intermediate and root certificates are correct.

            @New-Olive-Husky-2854555666#233051 Just a heads-up: the forum software here has a problem with multi-line comments (three ticks). Try to use only single-line comments (one tick). Otherwise other people won't be able to send any replies. I've edited both of your comments in order to reply, so no need to edit them :)

            Could you maybe look up what exact root certificate you're using? There are dozens with the same name "MULTICERT Root Certification Authority 01". The one on the EU site is old and probably shouldn't work anymore. It has serial number: 9193431768925881189. Did you try to use the one from my link? It has serial number: 6074693700342339162.

            As for the order to supply them in, generally always from leaf to root. So intermediate first.
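
Added example, not part of the thread: a shell sketch of the two checks discussed above, bundle order from intermediate to root and telling same-named roots apart by serial number and signature. The demo PKI, its subjects, the serials 1001/2002/3003 and all function names are constructed for illustration; it says nothing about which root bunq's trust store contains.

```shell
#!/usr/bin/env bash
# Added example: every subject, serial and key below is constructed for the demo.

# Two self-signed roots with the SAME subject name, plus an intermediate that
# only root A signed. All files are written into directory $1.
make_demo_pki() {
  local d=$1 r
  for r in A:1001 B:2002; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA 01" \
      -set_serial "${r#*:}" -keyout "$d/root${r%%:*}.key" -out "$d/root${r%%:*}.pem" 2>/dev/null
  done
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA 005" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/rootA.pem" -CAkey "$d/rootA.key" \
    -set_serial 3003 -days 30 -out "$d/int.pem" 2>/dev/null
}

# One field (serial, subject or issuer) of a single-certificate PEM file.
cert_field() {
  openssl x509 -in "$1" -noout -nameopt RFC2253 "-$2" | sed 's/^[^=]*= *//'
}

# Serial as decimal, the form quoted in the thread. Shell arithmetic limits this
# to serials below 2^63.
serial_dec() { printf '%d\n' "0x$(cert_field "$1" serial)"; }

# Name-only check of a bundle: each issuer must equal the next subject and the
# last certificate must be self-issued (intermediate first, root last).
check_order() {
  local tmp n i next rc=0
  tmp=$(mktemp -d)
  awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} n{print > (d "/c" n ".pem")}' "$1"
  n=$(($(ls "$tmp" | wc -l))); i=1
  [ "$n" -gt 0 ] || rc=1
  while [ "$i" -le "$n" ]; do
    next=$((i < n ? i + 1 : i))
    [ "$(cert_field "$tmp/c$i.pem" issuer)" = "$(cert_field "$tmp/c$next.pem" subject)" ] || rc=1
    i=$((i + 1))
  done
  rm -rf "$tmp"; return "$rc"
}

# Signature check: did the root in $1 really sign the certificate in $2?
signed_by() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

DEMO=$(mktemp -d); make_demo_pki "$DEMO"
for root in rootA rootB; do
  cat "$DEMO/int.pem" "$DEMO/$root.pem" > "$DEMO/chain-$root.pem"
  check_order "$DEMO/chain-$root.pem" && names=ok || names=bad
  signed_by "$DEMO/$root.pem" "$DEMO/int.pem" && sig=ok || sig=bad
  echo "$root serial=$(serial_dec "$DEMO/$root.pem") names=$names signature=$sig"
done
```

Both demo bundles pass the name-only order check, but only the root that actually signed the intermediate passes the signature check, which is why the serial number matters when several roots share one name.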

              @Jakob-Y#233052

              Oh, thanks for fixing that! I am using the certificate with serial number 6074693700342339162. I just retried the whole process again, with the intermediate and the root cert in the chain, and got the same Certificate root is not trusted error.

                @New-Olive-Husky-2854555666#233053 Well, if you've already been using 6074693700342339162, then I would give 9193431768925881189 a try instead. It seems to be older, but it is listed on the Trusted List. Otherwise, well, at least I'm out of ideas. Maybe someone else knows more about this, or bunq could give you another tip.

                  @Jakob-Y#233055 Unfortunately, the older certificate didn't work either.

                    @New-Olive-Husky-2854555666#233071 Hi!

                    Can you maybe contact technical support about this issue, via apipartner@bunq.com?
