Skip to main content

Order your EU Qualified Website Authentication Certificate PSD2

CertCentral Europe: Learn how to order an EU Qualified Website Authentication Certificate PSD2

An EU Qualified Website Authentication Certificate PSD2 is an eIDAS Qualified certificate (QCP-w-psd2) issued to an organisation for website authentication and used to meet the Payment Services Directive 2 (PSD2) requirements. Used to identify banks and payment service providers (PSPs), verify the roles for which they are licensed, encrypt website traffic, and identify who controls the domain.

The EU Qualified Website Authentication Certificate PSD2 is only available in DigiCert's European instance of CertCentral, where we store your data in our Europe data centers. To learn more about DigiCert privacy policy and data collection, see EU (eIDAS) products.

Before you begin

CSR requirements

You must provide a certificate signing request (CSR) with your request. EU Qualified Website Authentication Certificate PSD2 supports the RSA algorithm and 2048, 3072, and 4096 key lengths. The ECC algorithm is not supported.

For your certificates to remain secure, they must use at least a 2048-bit key size. Learn how to Create a CSR (Certificate Signing Request).

Domain validation

Before DigiCert can issue your certificate, you must demonstrate control over the domains on the certificate order. Use one of the following domain validation options to demonstrate control over the domains:

  • Complete domain validation before you place the request

    CertCentral features a domain validation process that allows you to validate your domains before ordering certificates. Completing the domain validation ahead of time allows for quicker certificate issuance. See Domain validation: Domain control validation (DCV) methods.

  • Validate the domain as part of the order process

    If you add a new domain or a domain with expired validation (domain validation is valid for 397 days) to your certificate order, you can complete the domain validation as part of the order process. See Supported DCV methods for validating the domains on certificate orders.

Organization validation

Before DigiCert can issue your certificate, we must validate the organization. Organization validation is valid for approximately 13 months. See How do we validate your organization.

If you add a new organization or an organization with expired validation, DigiCert will complete the organization validation as part of the order process.

Order your EU Qualified Website Authentication Certificate PSD2

  1. In CertCentral, in the left menu, go to Request a Certificate > EU (EIDAS) > EU Qualified Website Authentication Certificate PSD2.

  2. On the Request EU Qualified Web Authentication Certificate PSD2 page, in the For menu, select the division to manage the certificate.

    The For menu only appears if your account uses Divisions.

  3. Add your CSR

    We use the information in your CSR to auto-populate corresponding values in the order form: Common Name, SANs, and Organization. If you leave any of this information out of the CSR, the corresponding field in the form is left blank.

    If the organization in the CSR already exists in your account, we auto-populate the Organization Contact card with the contact assigned to that organization.

    Under Certificate Settings, upload your CSR or paste it into the Add Your CSR box. Your CSR must include the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags.

    Note: Your CSR must use the RSA algorithm, as the ECC algorithm is not supported. For certificates to remain secure, the CSR must use keys at least 2048 bits in length.

  4. Common name and subject alternative names (SANs)

    After adding your CSR, we auto-populate the Common name and SANs (optional) boxes with the common name and SANs included in the CSR.

    You can still change the common name and reorder, add or remove additional SANs as needed.

    Note: The EU Qualified Website Authentication Certificate PSD2 only supports fully qualified domain names. You cannot include a wildcard domain or IP address in your certificate.

  5. Validity period (optional)

    DigiCert recommends using the default 1 year option unless you have a specific reason for adding a custom expiration date or custom length.

  6. Payment service provider roles

    Under Payment service provider roles, select the roles that apply to the organization included in the certificate::

    • PSP-AS (account servicing)

      A payment service provider who manages and maintains merchant accounts, ensuring compliance with industry standards

    • PSP-PI (payment initiation)

      A payment service provider who initiates and processes payment transactions on merchants' behalf, ensuring secure and efficient transactions from initiation to settlement

    • PSP-AI (account information)

      A payment service provider who provides merchants with access to their customers' account data, such as transaction history, balance, and account status, and may include services like account aggregation, data analytics, and reporting

    • PSP-IC (issuing of card-based payment instruments)

      A payment service provider who creates and manages payment cards, such as credit or debit cards, on behalf of merchants, and may also include services like card management, cardholder authentication, and fraud detection

  7. Domain control validation (DCV)

    Before DigiCert can issue your certificate, you must demonstrate control over the domains included in your certificate. While placing the order, you can only select one DCV method for all domains on the order.

    After submitting your order, you can view the domains you need to validate on the certificate's pending order details page. You can use the DCV method selected while placing the order or use a different one per domain if required.

    1. DCV method

      Use the default DCV method. Or, in the DCV method menu, select your preferred DCV method to demonstrate control over the domains.

      DigiCert-supported DCV methods:

      • Verification email: To demonstrate control over the domain, an email recipient follows the instructions in a confirmation email sent for the domain.

      • DNS CNAME: Demonstrate control over the domain by adding a DigiCert-generated random value to the domain’s DNS as a CNAME record.

      • DNS TXT: Demonstrate control over the domain by adding a DigiCert-generated random value to the domain’s DNS as a TXT record.

      • HTTP Practical Demonstration: Demonstrate control over the domain by hosting a file containing a DigiCert-generated random value at a predetermined location on your website: http://{domain-name}/.well-known/pki-validation/fileauth.txt.

      • HTTP Practical Demonstration with unique filename: Demonstrate control over your domain by hosting a file with a DigiCert-generated random filename that contains a DigiCert-generated random value at a predetermined location on your website: http://{domain-name}/.well-known/pki-validation/{unique-filename}.txt.

      To learn more about the available DCV Methods, see Demonstrate control over domains on a pending certificate order.

    2. Email language

      Use the default language. Or, in the Email language menu, select your preferred language for the email. This option only appears when you select the Verification email DCV method.

    3. DCV scope

      Use the default DCV Scope setting that aligns with your CertCentral account's Domain validation scope setting. Or, in the DCV Scope menu, select the scope for demonstrating control over the domains on the request.

      Note: CertCentral administrators can go to Preferences page to configure their account's Domain validation scope setting (in the left menu, go to Settings > Preferences).

      Domain scope: Submit base domains versus Submit exact domain names

      From the request page, you can only select one DCV scope for all the domains on the order. However, after submitting the request, you can change the DCV scope per domain from the certificate's order details page.

      • Submit base domains, for example, subdomain.example.com

        When submitting subdomain.example.com, you must complete domain validation for the base domain, example.com. Validating the base domain also validates all subdomains of the base domain, such as subdomain.example.com and sub2.subdomain.example.com.

      • Submit exact domain names, for example, subdomain.example.com

        When submitting subdomain.example.com, you must complete domain validation for the domain exactly as named subdomain.example.com. Exact domain name validation only applies to that domain.

  8. Additional certificate options

    1. Signature hash

      By default, DigiCert issues RSA certificates with a SHA-256 signature hash and RSA signing algorithm. We recommend using the default RSA settings unless you have specific reasons for using a different key size or signing algorithm (for example, company policy requires an RSASSA-PSS signature).

      In the Signature hash menu, select the signature hash and signing algorithm you want DigiCert to use for your certificate:

      • sha256WithRSA

      • sha256WithRSAPSS

    2. Server platform

      In the Server platform menu, select the server or system on which you generated the CSR. When we email your certificate, the certificate format aligns with the format supported by the server or system.

      After we issue the certificate, you can change the format by downloading the certificate from the certificate's order page in CertCentral. See Download a TLS/SSL certificate from your CertCentral account.

  9. Organization

    Add the information about the organization to be included on the certificate. Only specific information about the organization will be included on the certificate, such as the organization's name.

    Add organization

    You can add an existing organization from your account or a new organization. If you add a new organization, it gets added to your account.

    Select Add an organization and in the Add Organization window, complete the following task as needed:

    1. Add a new organization

      1. Select Existing organization.

      2. In the Organization menu, select the organization and then select Add.

        If you choose an organization not validated for Qualified Website Authentication Certificate or the organization's validation has expired, DigiCert must validate the organization for Qualified Website Authentication Certificate validation before we issue your certificate.

      3. Organization and technical contacts

        DigiCert automatically adds the contacts assigned to the organization to the request form. Under Contacts, you can see the organization and technical contacts.

    2. Add a new organization

      1. Select New organization.

        DigiCert must validate the new organizations before we can issue your certificate. Learn more about organization validation.

      2. Enter the following information as needed:

        Legal name

        Organization name exactly as it appears in corporate registries, such as local government registration records.

        Assumed name (optional)

        Assumed name or doing business as name.

        Note: Adding an assumed name requires additional validation, which may delay organization validation and certificate issuance.

        Country

        Country where the organization is legally located.

        Address 1

        The address where the organization is legally located.

        Address 2 (optional)

        Additional address in formation, such as a Suite #.

        City

        City where the organization is legally located.

        State / Province / Region

        State, province, region where the organization is legally located.

        Zip / Postal code

        Zip or postal code where the organization is legally located.

        Phone number

        Organization's phone number.

        Note: DigiCert must call a verified organization phone number to confirm your authority to order a certificate for the organization. We verify this phone number against online third-party address listing sources like Google Business.

        Learn how we confirm your authority.

  10. Contacts – authorized representative

    You can add an existing authorized representative or a new one. You must add at least one authorized representative to your certificate request. However, you can add up to 15.

    Importante

    What is an authorized representative and why do I need to add one?

    The authorized representative is in the company registry, represents the organization, and has the authority to approve your EU Qualified Website Authentication Certificate PSD2 requests. Before DigiCert can issue your certificate, one of the authorized representatives in your request must approve the order.

    DigiCert validates all the authorized representatives in your request. Then, we send them the approval email and wait for one of them to approve your order. Only after one of the representatives approves the order can DigiCert issue your certificate.

    Under Contacts, select Add authorized representative. In the Add authorized representative window, complete the following task as needed:

    1. Add an existing authorized representative

      1. Select Existing contact.

      2. In the Contacts menu, select the contact you want to use as the authorized representative for this request.

        Note: If you select a contact who is not an existing authorized representative, we must validate them.

      3. Select Add.

    2. Add a new authorized representative

      1. Select New contact.

      2. Enter the contact's first and last name, job title, email address, and phone number, and then select Add.

  11. Contacts – Organization Contact

    The organization contact is the person we contact when validating the organization and verifying your authority to order a DigiCert certificate for the organization. They may also receive the following notifications: Order status updates for certificates requested for their organization and Domain status updates for domains associated with their organization.

    When you add a new organization, DigiCert automatically adds the certificate requestor as the organization contact. When you add an existing organization, DigiCert automatically adds the contacts assigned to the organization to the request form.

    To use a different organization contact

    1. To delete the organization contact that is automatically populated for you, select the trashcan image.

    2. Select Add contact.

      If you've already added a technical contact, select Add Organization Contact.

    3. In the Add Contact window, in the Contact Type menu, select Organization Contact.

    4. Add the contact:

      1. Add an existing contact

        Select Existing Contact. In the Contacts menu, select a contact and then select Add.

      2. Add new contact

        Select New Contact, enter the contact's first and last name, job title, email address, and phone number, and then select Add.

  12. Contacts – Technical Contact

    The technical contact is someone we may contact for inquiries regarding certificate orders for the organization. They may receive the certificate lifecycle-related emails: certificate issued, reissued, and expiring.

    When adding an existing organization, DigiCert automatically adds the contacts assigned to the organization to the request form.

    To use a different technical contact

    1. To delete the existing technical contact that is populated automatically for you, select the trashcan image.

    2. Select Add contact.

      If you've already added an organization contact, select Add Technical Contact.

    3. In the Add Contact window, in the Contact Type menu, select Technical Contact.

    4. Add the contact:

      1. Add an existing contact

        Select Existing Contact. In the Contacts menu, select a contact and then select Add.

      2. Add a new contact

        Select New Contact, enter the contact's first and last name, job title, email address, and phone number, and then select Add.

  13. Additional emails (optional)

    Enter the email addresses of the people you want to receive the certificate issuance, expiring certificate, and expiring order notifications. Use a comma to separate addresses or enter them on separate lines.

    These recipients don't manage the order. They only receive all the certificate-related emails.

  14. Additional order options – Order Specific Renewal Message

    To create a renewal message for this certificate, enter a renewal message with information that might be relevant to the certificate’s renewal.

    Comments and renewal messages are not included in the certificate.

  15. Select payment method

    Under Payment information, select a payment method to pay for the certificate.

  16. Master Services Agreement and Qualified Certificate Terms of Use

    Read the Master Services Agreement and the Qualified Certificate Terms of Use and select the following options to continue:

    • I have read and agree with the Master Services Agreement.

    • I have read and agree with the Qualified Certificate Terms of Use that apply to the eIDAS, PKIoverheid, or Swiss Qualified Certificate requested.

  17. Select Submit request.

What's next

CertCentral takes you to the certificate’s Order # details page, where you can see the status of your certificate order.

Payment service provider roles, domain validation and organization validation

Before we can issue your certificate, these tasks must be completed:

  1. Confirm Payment service provider roles

    DigiCert must confirm the Payment service provider roles to be included on your EU Qualified Website Authentication Certificate PSD2. For PSD2 certificates, DigiCert takes additional steps to verify specific attributes including name of the National Competent Authority (NCA), the PSD2 Authorisation Number or other recognized identifier, and PSD2 roles. These details are confirmed by DigiCert using authentic information from the NCA.

  2. Demonstrate control over the domains on your order

    Complete the domain validation for the domains on the order (demonstrate control over the domain). See Supported DCV methods for validating the domains on certificate orders.

  3. Complete organization validation

    DigiCert must validate and authenticate your authority to order a certificate for the organization on your certificate order. To do this, we will call a verified phone number to speak with someone who represents you, the certificate requestor, such as the organization or technical contact.

    To get organization consent for your certificate order:

    • Answer the organization/validation phone call (preferred method)*.

      • After you submit your certificate order, ensure that the organization contact, technical contact, and company receptionist know you’ve ordered an EU Qualified Website Authentication Certificate PSD2.

      • Let them know DigiCert will call a verified phone number to speak with one of them to complete organization validation/authentication.

      • This phone call usually takes place within 24 hours of the order being placed.

    • Respond to the organization consent message.

      • If the DigiCert validation agent can’t reach someone who represents you at the verified phone number, they will leave a message with a call-back phone number and a verification code.

      • Make sure that the organization or technical contact responds to the message and provides the verification code.

Certificate issuance

Once the validation process is complete, we will issue your certificate and email you a copy. You can also download a copy of the certificate from CertCentral. See our Get a copy of your TLS/SSL certificate instructions.