Certificates

Production certificates

If you want to use BankID in a production environment, then you will have to purchase this service from one of the selling banks. They will then provide you with a certificate that can be used to authenticate your company/application with the BankID servers.

This certificate needs some processing before it can be used with PyBankID, and how to do this depends on what the selling bank provides you with.

Test certificate

The certificate to use when developing against the BankID test servers can be obtained through PyBankID:

>>> import os
>>> import bankid
>>> dir_to_save_cert_and_key_in = os.path.expanduser('~')
>>> cert_and_key = bankid.create_bankid_test_server_cert_and_key(
...     dir_to_save_cert_and_key_in
... )
>>> print(cert_and_key)
['/home/hbldh/certificate.pem', '/home/hbldh/key.pem']
>>> client = bankid.BankIDJSONClient(
...     certificates=cert_and_key,
...     test_server=True
... )

The test certificate is available on the BankID Technical Information webpage. The create_bankid_test_server_cert_and_key() function in the bankid.certutils module fetches that test certificate, splits it into one certificate part and one key part, and converts them from .p12 or .pfx format to PEM. These can then be used for testing purposes by passing the test_server=True keyword to the BankIDClient or BankIDAsyncClient.

Splitting certificates

To convert your production certificate from PKCS#12 format into two PEM files, ready to be used by PyBankID, do the following:

>>> from bankid.certutils import split_certificate
>>> split_certificate(
...     '/path/to/certificate.p12',
...     '/destination/folder/',
...     'password_for_certificate_p12',
... )
('/destination/folder/certificate.pem', '/destination/folder/key.pem')

It can also be done via regular OpenSSL terminal calls:

openssl pkcs12 -in /path/to/certificate.p12 -passin pass:password_for_certificate_p12 -out /destination/folder/certificate.pem -clcerts -nokeys
openssl pkcs12 -in /path/to/certificate.p12 -passin pass:password_for_certificate_p12 -out /destination/folder/key.pem -nocerts -nodes

Note

This also removes the password from the private key in the certificate, which is a requirement for using the PyBankID package in an automated way.
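Because the split key.pem carries no password, file permissions are its only protection on disk. The following is an added example, not part of PyBankID: the function names are hypothetical, and it uses only the Python standard library to confirm that the key is unencrypted, restrict it to the owner, and check that it pairs with certificate.pem.

```python
import os
import ssl
import stat

# PEM labels OpenSSL uses for private keys that may be stored unencrypted.
KEY_LABELS = ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY")


def key_is_unencrypted(pem_text):
    """Return True if the first private-key block carries no passphrase."""
    lines = pem_text.splitlines()
    for i, line in enumerate(lines):
        # "openssl pkcs12" writes "Bag Attributes" text before the block; skip it.
        if not (line.startswith("-----BEGIN ") and line.endswith("-----")):
            continue
        label = line[len("-----BEGIN "):-len("-----")]
        if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 with a passphrase
            return False
        if label in KEY_LABELS:
            # The traditional format marks encryption in the first header line.
            header = lines[i + 1] if i + 1 < len(lines) else ""
            return not header.startswith("Proc-Type: 4,ENCRYPTED")
    raise ValueError("no private key block found")


def cert_matches_key(cert_path, key_path):
    """Return True if OpenSSL loads the two PEM files as a matching pair."""
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).load_cert_chain(cert_path, key_path)
        return True
    except OSError:  # ssl.SSLError is a subclass of OSError
        return False


def audit_split_output(cert_path, key_path):
    """Check key.pem, tighten its mode to 0600, and report what was found."""
    with open(key_path) as fh:
        unencrypted = key_is_unencrypted(fh.read())
    old_mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if old_mode & 0o077:  # readable or writable by group/others
        os.chmod(key_path, 0o600)
    # Only try the pair check on a plaintext key; an encrypted one would prompt.
    pair_ok = unencrypted and cert_matches_key(cert_path, key_path)
    return {"unencrypted": unencrypted, "old_mode": old_mode, "pair_ok": pair_ok}
```

Call audit_split_output() with the two paths returned by split_certificate(); a result with unencrypted and pair_ok both True means the files are in the form PyBankID expects.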

API

bankid.certutils – Certificate Utilities

bankid.certutils.create_bankid_test_server_cert_and_key(destination_path: str) -> Tuple[str]

Split the bundled test certificate into certificate and key parts and save them as separate files, stored in PEM format.

If the environment variable TEST_CERT_FILE is set, use this file instead of fetching the P12 certificate.

Parameters:

destination_path (str) – The directory to save certificate and key files to.

Returns:

The path tuple (cert_path, key_path).

Return type:

tuple

bankid.certutils.split_certificate(certificate_path, destination_folder, password=None)

Splits a PKCS12 certificate into Base64-encoded DER certificate and key.

This method splits a potentially password-protected PKCS12 certificate (format .p12 or .pfx) into one certificate and one key part, both in pem format.

Returns:

Tuple of certificate and key string data.

Return type:

tuple