Bancontact PKI overview

Content

• Content
• Bancontact PKI hierarchy
• List of Root Certificates (8)
• List of Intermediate Certificates (35)
• Location of Certificate Revocation Lists
• OCSP Responders
• Bancontact EMV 3DS encryption certificates

Bancontact PKI hierarchy

The Bancontact PKI is split up in 6 parts which each part having it’s distinct area of usage:

• Production chain for Transactions purposes:
  • BC-MC Root CA
• Production chain for Administrative purposes:
  • Bancontact Administrative Root CA
  • Bancontact Individual Root CA
• Test chain for Transactions purposes:
  • TEST BC-MC Root CA
• Test chain for Administrative purposes:
  • TEST Bancontact Administrative Root CA
  • TEST Bancontact Individual Root CA
• Dev chain for Transactions purposes:
  • DEV BC-MC Root CA
• Dev chain for Administrative purposes:
  • DEV Bancontact Administrative Root CA

List of Root Certificates (8)

The root certificates are kept offline and are only used to issue the intermediate subCA’s defined in the next section.

• BC-MC Root CA (RSA 4096, CN=BC-MC Root CA, O=Bancontact-MisterCash nv/sa - BE 0884.499.250, L=Brussels, C=BE)

  • Thumbprint (SHA1): BC2AC3DCA39B382445BA852652CF203F93CAACFA
  • Thumbprint (SHA256): E81EA54A14361282824376A24C2A79756615F4C7F99A5332D6508D7C1204F140
  • Valid until: 2043/12/31
  • Certificate Revocation List: 1, 2
  • Status: ✅ ACTIVE, used for issuing.
  • der, pem, txt

• Bancontact Administrative Root CA (RSA 4096, CN=Bancontact Administrative Root CA, O=Bancontact Payconiq Company nv/sa - BE0675 984 882, L=Brussels, C=BE)

  • Thumbprint (SHA1): 2EB59D7795AF1092D3D51DEF4BE9E59DB06BDF92
  • Thumbprint (SHA256): 95A48F6E649DC879DFF5D519EFB7A9D17C0CA4BE3F141C387155F9EBE553D646
  • Valid until: 2043/12/31
  • Certificate Revocation List: 1, 2
  • Status: ✅ ACTIVE, used for issuing.
  • der, pem, txt

• Bancontact Individual Root CA (RSA 4096, CN=Bancontact Individual Root CA, O=Bancontact Payconiq Company nv/sa - BE0675 984 882, L=Brussels, C=BE)

  • Thumbprint (SHA1): 4C131ED32FD0EE09670F4548F9FBD621D1D8C804
  • Thumbprint (SHA256): 0C32DA72104C19BD19CC85386DEF4A04B00C83435E99C05BA5A0475FA4D973A6
  • Valid until: 2043/12/31
  • Certificate Revocation List: 1, 2
  • Status: ✅ ACTIVE, used for issuing.
  • der, pem, txt

• TEST BC-MC Root CA (RSA 4096, CN=TEST BC-MC Root CA, O=Bancontact-MisterCash nv/sa - BE 0884.499.250, L=Brussels, C=BE)

  • Thumbprint (SHA1): 4606450E8333E1AD9059FAA3D273CB17122959B9
  • Thumbprint (SHA256): E09F0AB5FCEBDEF356CE31DA869F571D72F4779BA16FF3647E30E824157EF47A
  • Valid until: 2044/12/31
  • Status: ✅ ACTIVE, used for issuing.
  • Certificate Revocation List: 1, 2
  • der, pem, txt

• TEST Bancontact Administrative Root CA (RSA 4096, CN=TEST Bancontact Administrative Root CA, O=Bancontact Payconiq Company nv/sa - BE0675 984 882, L=Brussels, C=BE)

  • Thumbprint (SHA1): 6A54B62D9DDC39B4B955A75C370E8D241F361574
  • Thumbprint (SHA256): FCA9B0B85F3E3B07632F426E94D49D10047D94703CBD2B9A2CE6AF140473DFB6
  • Valid until: 2043/12/31
  • Status: ✅ ACTIVE, used for issuing.
  • Certificate Revocation List: 1, 2
  • der, pem, txt

• TEST Bancontact Individual Root CA (RSA 4096, CN=TEST Bancontact Individual Root CA, O=Bancontact Payconiq Company nv/sa - BE0675 984 882, L=Brussels, C=BE)

  • Thumbprint (SHA1): 7C95EA67BCA7CACD918AD6EC88AF8C52039EF1B5
  • Thumbprint (SHA256): 30185FFF8D64BA604E6FE1DDCB20FB84D8539CE90FE9F913D33D2EBDD47BF53A
  • Valid until: 2043/12/31
  • Status: ✅ ACTIVE, used for issuing.
  • Certificate Revocation List: 1, 2
  • der, pem, txt

• DEV BC-MC Root CA (RSA 4096, CN=DEV BC-MC Root CA, O=Bancontact-MisterCash nv/sa - BE 0884.499.250, L=Brussels, C=BE)

  • Thumbprint (SHA1): F130BCEB9548E7CA140405E36E92033E2A5FAFB7
  • Thumbprint (SHA256): 39B2177E4A33C495B2477B8110BA2FB8D676409268CEF32948F04F935F361241
  • Valid until: 2033/02/26
  • Status: ✅ ACTIVE, used for issuing.
  • Certificate Revocation List: 1
  • der, pem, txt

• DEV Bancontact Administrative Root CA (RSA 4096, CN=DEV Bancontact Administrative Root CA, O=Bancontact Payconiq Company nv/sa - BE0675 984 882, L=Brussels, C=BE)

  • Thumbprint (SHA1): E95210512124BA6117CE14D823B477F763983170
  • Thumbprint (SHA256): A97D400F6FCA7CCAD7CEC456665756D35F071A210360BA0FE5B60CE66E4A7DE7
  • Valid until: 2033/02/26
  • Status: ✅ ACTIVE, used for issuing.
  • Certificate Revocation List: 1
  • der, pem, txt

List of Intermediate Certificates (35)

The intermediate certificates are the ones that actually issue the end entity certificates.

Signed by BC-MC Root CA

• Bancontact PROD Acceptance Services subCA R1 (RSA 4096, CN=Bancontact PROD Acceptance Services subCA R1, O=Bancontact Payconiq Company nv/sa - BE0675 984 882, L=Brussels, C=BE)

  • Thumbprint (SHA1): C4F102F47B7DC86DB18FD5E8CD3BFE031F27D036
  • Thumbprint (SHA256): 3C10C6DBEE9C88442402A0460B5B4C2D9696C41C89AEF11FDC750FCD9D8121CE
  • Valid until: 2033/02/08
  • Status: ✅ ACTIVE, used for issuing.
  • Certificate Revocation List: 1
  • OCSP responder: http://ocsp.pki.bancontact.net
  • der, pem, txt, der-chain, pem-chain, txt-chain

• Bancontact PROD Authorization and Scheme Services subCA R1 (RSA 4096, CN=Bancontact PROD Authorization and Scheme Services subCA R1, O=Bancontact Payconiq Company nv/sa - BE0675 984 882, L=Brussels, C=BE)

  • Thumbprint (SHA1): 67AFD657927BE1959756C684EE9D1994EC5D6628
  • Thumbprint (SHA256): CC1181D51308BD6CB3C2AC735DA3009E19356A6F6A55CE7678B7E87CC8D9E140
  • Valid until: 2033/02/08
  • Status: ✅ ACTIVE, used for issuing.
  • Certificate Revocation List: 1
  • OCSP responder: http://ocsp.pki.bancontact.net
  • der, pem, txt, der-chain, pem-chain, txt-chain

• BC-MC E&M ACS and DS SubCA L2 (RSA 4096, CN=BC-MC E&M ACS and DS SubCA L2, O=Bancontact Payconiq Company nv/sa - BE0675 984 882, L=Brussels, C=BE)

  • Thumbprint (SHA1): 0C7CE3FE7A43CA2C134C2BAE48AD430F0E82F4CF
  • Thumbprint (SHA256): 6E327DEBFF77EA32FF9EBCCB650C4C7D7CABD59A6A675D73D7D6D7A5D4E5B89A
  • Valid until: 2031/10/31
  • Status: ⚠️ SUNSETTING, limited availability.
    • ➡️ Superseded by Bancontact PROD Authorization and Scheme Services subCA R1
  • Certificate Revocation List: 1, 2
  • der, pem, txt, der-chain, pem-chain, txt-chain

• BC-MC E&M ACS and DS SubCA L2 (RSA 4096,CN = BE, L = Brussels, O = Bancontact-MisterCash nv/sa - BE 0884.499.250, CN = BC-MC E&M ACS and DS SubCA L2)

  • Thumbprint (SHA1): 3F00BDFC04D66128F4CB042C4C14F0110808DC35
  • Thumbprint (SHA256): 45D864D106180D8D1F4F5F0AA916C713098B297046167FFDC99C86AEB69BEBBD
  • Valid until: 2023/12/31
  • Status: 💀 EXPIRED, not used for issueing.
    • ➡️ Superseded by Bancontact PROD Authorization and Scheme Services subCA R1
  • Certificate Revocation List: 1, 2
  • der, pem, txt, der-chain, pem-chain, txt-chain

• BC-MC E&M PSP and TX Manager SubCA L2 (RSA 4096, CN=BC-MC E&M PSP and TX Manager SubCA L2, O=Bancontact Payconiq Company nv/sa - BE0675 984 882, L=Brussels, C=BE)

  • Thumbprint (SHA1): 54AE7EC7250C27CFD818DF9EF01275E13E5555CB
  • Thumbprint (SHA256): 9E610A48BE5EC84AFCDE52FE0EAF8C75F6B7CD2F0A44E531F74E597B77A65440
  • Valid until: 2031/10/31
  • Status: ⚠️ SUNSETTING, limited availability.
    • ➡️ Superseded by Bancontact PROD Acceptance Services subCA R1
  • Certificate Revocation List: 1, 2
  • der, pem, txt, der-chain, pem-chain, txt-chain

• BC-MC E&M PSP and TX Manager SubCA L2 (RSA 4096, CN = BE, L = Brussels, O = Bancontact-MisterCash nv/sa - BE 0884.499.250, CN = BC-MC E&M PSP and TX Manager SubCA L2)

  • Thumbprint (SHA1): FA36CACA171FCA01EC3F75925CC418C7CAA0BF8A
  • Thumbprint (SHA256): 51A3427408E7AE403C9C2BB044AFF29F089534DA729B3351CEE92E77508B36D6
  • Valid until: 2023/12/31
  • Status: 💀 EXPIRED, not used for issueing.
    • ➡️ Superseded by Bancontact PROD Acceptance Services subCA R1
  • Certificate Revocation List: 1
  • der, pem, txt, der-chain, pem-chain, txt-chain

• BC-MC SMIME Individual SubCA L2 (RSA 4096, CN=BC-MC SMIME Individual SubCA L2, O=Bancontact-MisterCash nv/sa - BE 0884.499.250, L=Brussels, C=BE)

  • Thumbprint (SHA1): 5905DA344D598AC1A1952E1299B59CE102FB4A7B
  • Thumbprint (SHA256): EA9B2BDC7033128BAB6E5CB3B35EFE5660F96EE7B918AB18BAF216F0AC7FB2E0
  • Valid until: 2023/12/31
  • Status: 💀 EXPIRED, not used for issuieng.
    • ➡️ Superseded by BC-MC SMIME Individual SubCA L2 (new)
  • Certificate Revocation List: 1, 2
  • der, pem, txt, der-chain, pem-chain, txt-chain

• BC-MC SMIME Individual SubCA L2 (new) (RSA 4096, CN=BC-MC SMIME Individual SubCA L2, O=Bancontact-MisterCash nv/sa - BE 0884.499.250, L=Brussels, C=BE)

  • Thumbprint (SHA1): 003858D8F631A384DB1F91E1A53A2770E493149B
  • Thumbprint (SHA256): 984D4D75FBB0A766991DD0A00BC5AB129ED577EE152207D4F48FFB899EB044D5
  • Valid until: 2024/11/27
  • Status: ❗ RETIRED, not used for issueing.
  • Certificate Revocation List: 1, 2
  • der, pem, txt, der-chain, pem-chain, txt-chain

• BC-MC SMIME System SubCA L2 (RSA 4096, CN=BC-MC SMIME System SubCA L2, O=Bancontact-MisterCash nv/sa - BE 0884.499.250, L=Brussels, C=BE)

  • Thumbprint (SHA1): DEEE6B366350D69A1A6E4AB2EF133B2FD8E50072
  • Thumbprint (SHA256): 157FEEB179BC1060E472D986A03DEECDD2DE78E86BC7E7878A4391AC0EBA5496
  • Valid until: 2023/12/31
  • Status: 💀 EXPIRED, not used for issueing.
  • Certificate Revocation List: 1, 2
  • der, pem, txt, der-chain, pem-chain, txt-chain

• BC-MC SSL Server SubCA L2 (RSA 4096, CN=BC-MC SSL Server SubCA L2, O=Bancontact-MisterCash nv/sa - BE 0884.499.250, L=Brussels, C=BE)

  • Thumbprint (SHA1): E5ECB0254CF0471087C335EC81517882BD88DDB4
  • Thumbprint (SHA256): A884D955567483B06C2B30DC72E617F2DE68B35F7B975D131DC1E841E9DDDBBC
  • Valid until: 2023/12/31
  • Status: 💀 EXPIRED, not used for issueing.
  • Certificate Revocation List: 1, 2
  • der, pem, txt, der-chain, pem-chain, txt-chain

• BC-MC SSL Client System SubCA L2 (RSA 4096, CN = BE, L = Brussels, O = Bancontact-MisterCash nv/sa - BE 0884.499.250, CN = BC-MC SSL Client System SubCA L2)

  • Thumbprint (SHA1): 0DDCF24262495BAFA3EA69A1EFC336C1EB1C14C3
  • Thumbprint (SHA256): 64DEDDCFBC3CD18A2B1D85C787EC58B972F496C815B2EC5A6A8E6AB520A41B8B
  • Valid until: 2023/12/31
  • Status: 💀 EXPIRED, not used for issueing.
  • Certificate Revocation List: 1 (offline), 2
  • der, pem, txt, der-chain, pem-chain, txt-chain

• BC-MC SSL Client Individual SubCA L2 (RSA 4096, CN = BE, L = Brussels, O = Bancontact-MisterCash nv/sa - BE 0884.499.250, CN = BC-MC SSL Client Individual SubCA L2)

  • Thumbprint (SHA1): 230CD611CA62B3B1590513AC91B42214C0DFD96E
  • Thumbprint (SHA256): 7E6CA36FFFF594B10647059D02C384E0095F13E1D66B4911F7CE6E1B5B019013
  • Valid until: 2023/12/31
  • Status: 💀 EXPIRED, not used for issueing.
  • Certificate Revocation List: 1 (offline), 2
  • der, pem, txt, der-chain, pem-chain, txt-chain

Signed by TEST BC-MC Root CA

• Bancontact TEST Acceptance Services subCA R1 (RSA 4096, CN=Bancontact TEST Acceptance Services subCA R1, O=Bancontact Payconiq Company nv/sa - BE0675 984 882, L=Brussels, C=BE)

  • Thumbprint (SHA1): 9931CB0F191848A941D5706499FD95CFE72A3DBA
  • Thumbprint (SHA256): BCDCB182BD0ABCFC15D1791E2E679E7E8CE7914CCFD9C1FA9F242B834D48818E
  • Valid until: 2032/11/30
  • Status: ✅ ACTIVE, used for issuing.
  • Certificate Revocation List: 1
  • OCSP responder: http://ocsp.pki.bancontact.net
  • der, pem, txt, der-chain, pem-chain, txt-chain

• Bancontact TEST Authorization and Scheme Services subCA R1 (RSA 4096, CN=Bancontact TEST Authorization and Scheme Services subCA R1, O=Bancontact Payconiq Company nv/sa - BE0675 984 882, L=Brussels, C=BE)

  • Thumbprint (SHA1): BDA0FC17D86BCD93619D742C692599AC95C4EA3E
  • Thumbprint (SHA256): 1B781C67F8505D6D481181BCBAA736BF8018602C7B96C5E4D8A48A23EC9D8B11
  • Valid until: 2032/11/30
  • Status: ✅ ACTIVE, used for issuing.
  • Certificate Revocation List: 1
  • OCSP responder: http://ocsp.pki.bancontact.net
  • der, pem, txt, der-chain, pem-chain, txt-chain

• TEST Bancontact E&M ACS and DS SubCA L2 (RSA 4096, CN=TEST Bancontact E&M ACS and DS SubCA L2, O=Bancontact Payconiq Company nv/sa - BE0675 984 882, C=BE)

  • Thumbprint (SHA1): 980F6455A0498413AE7CBE364010D43152968B72
  • Thumbprint (SHA256): 79B551A72B43C98C4D4C92AFD8C8585FBAC513A246A529C3C4206F070986CD63
  • Valid until: 2031/10/31
  • Status: ⚠️ SUNSETTING, limited availability.
    • ➡️ Superseded by Bancontact TEST Authorization and Scheme Services subCA R1
  • Certificate Revocation List: 1, 2
  • der, pem, txt, der-chain, pem-chain, txt-chain

• TEST BC-MC E&M ACS and DS SubCA L2 (RSA 4096, CN=TEST BC-MC E&M ACS and DS SubCA L2, O=Bancontact-MisterCash nv/sa - BE 0884.499.250, L=Brussels, C=BE)

  • Thumbprint (SHA1): 4F7AB9FEE95D8692B40C804B7F9E069834C3B036
  • Thumbprint (SHA256): 68BC863862F0B472BB3F320DA603AE37F0959EAE7CDB85049074FC93B78D3376
  • Valid until: 2024/12/31
  • Status: ❗ RETIRED, not used for issueing.
    • ➡️ Superseded by Bancontact TEST Authorization and Scheme Services subCA R1
  • Certificate Revocation List: 1, 2
  • der, pem, txt, der-chain, pem-chain, txt-chain

• TEST Bancontact E&M PSP and TX Manager SubCA L2 (RSA 4096, CN=TEST Bancontact E&M PSP and TX Manager SubCA L2, O=Bancontact Payconiq Company nv/sa - BE0675 984 882, C=BE)

  • Thumbprint (SHA1): E8D158095210CDB5A40AEF241DCB1077249000D0
  • Thumbprint (SHA256): 31DBCA233B3B5A2AE8DCDB53A2A12DC6ABD96358627D9AE29B92BA5A44C5F797
  • Valid until: 2031/10/31
  • Status: ⚠️ SUNSETTING, limited availability.
    • ➡️ Superseded by Bancontact TEST Acceptance Services subCA R1
  • Certificate Revocation List: 1, 2
  • der, pem, txt, der-chain, pem-chain, txt-chain

• TEST BC-MC E&M PSP and TX Manager SubCA L2 (RSA 4096, CN=TEST BC-MC E&M PSP and TX Manager SubCA L2, O=Bancontact-MisterCash nv/sa - BE 0884.499.250, L=Brussels, C=BE)

  • Thumbprint (SHA1): 1DB4802F9A3962F1E650F20DBDFC9AE3874BC261
  • Thumbprint (SHA256): 08D6C6989F58AFC6B7A2F2AA91D87E96E6C357040E2B2B42E31F13E192D76FBE
  • Valid until: 2024/12/31
  • Status: ❗ RETIRED, not used for issueing.
    • ➡️ Superseded by Bancontact TEST Acceptance Services subCA R1
  • Certificate Revocation List: 1, 2
  • der, pem, txt, der-chain, pem-chain, txt-chain

• TEST BC-MC SMIME Individual SubCA L2 (RSA 4096, CN=TEST BC-MC SMIME Individual SubCA L2, O=Bancontact-MisterCash nv/sa - BE 0884.499.250, L=Brussels, C=BE)

  • Thumbprint (SHA1): CE98F25725ED486405C9F59290A77D54FD5B231B
  • Thumbprint (SHA256): F0C9529158C69E2F51E27A712588271C7FD34A6EF38856EE18EFADC1022B22FE
  • Valid until: 2024/12/31
  • Status: ⚠️ SUNSETTING, limited availability.
    • ➡️ Superseded by Bancontact TEST Acceptance Services subCA R1
  • Certificate Revocation List: 1, 2
  • der, pem, txt, der-chain, pem-chain, txt-chain

• TEST BC-MC SMIME System SubCA L2 (RSA 4096, CN=TEST BC-MC SMIME System SubCA L2, O=Bancontact-MisterCash nv/sa - BE 0884.499.250, L=Brussels, C=BE)

  • Thumbprint (SHA1): 09A832D2EE4B7A58EA752E5A68225CFDD0588430
  • Thumbprint (SHA256): 635B07A30A7B939CDE58FD60BB15B4366BDA61E6A0F699C4A74C2247B32EFEC9
  • Valid until: 2024/12/31
  • Status: ⚠️ SUNSETTING, limited availability.
  • Certificate Revocation List: 1, 2
  • der, pem, txt, der-chain, pem-chain, txt-chain

• TEST BC-MC SSL Client Individual SubCA L2 (RSA 4096, CN=TEST BC-MC SSL Client Individual SubCA L2, O=Bancontact-MisterCash nv/sa - BE 0884.499.250, L=Brussels, C=BE)

  • Thumbprint (SHA1): E303BFCA47CADADCCC280695D63EF3DF15C88E10
  • Thumbprint (SHA256): D9245795DE71982BDC0778F30B42C38B318AD61AC67FA76BFDA8D30076C40FBF
  • Valid until: 2024/12/31
  • Status: ⚠️ SUNSETTING, limited availability.
  • Certificate Revocation List: 1, 2
  • der, pem, txt, der-chain, pem-chain, txt-chain

• TEST BC-MC SSL Client System SubCA L2 (RSA 4096, CN=TEST BC-MC SSL Client System SubCA L2, O=Bancontact-MisterCash nv/sa - BE 0884.499.250, L=Brussels, C=BE)

  • Thumbprint (SHA1): 3866E021DC3C72CA462FBDF158BBA5AEE04BA9CC
  • Thumbprint (SHA256): A18CEC4AEEA08DDEB7586976CC755126157093DA52F5EECC84581D6DDE39C316
  • Valid until: 2024/12/31
  • Status: ⚠️ SUNSETTING, limited availability.
  • Certificate Revocation List: 1, 2
  • der, pem, txt, der-chain, pem-chain, txt-chain

• TEST BC-MC SSL Server SubCA L2 (RSA 4096, CN=TEST BC-MC SSL Server SubCA L2, O=Bancontact-MisterCash nv/sa - BE 0884.499.250, L=Brussels, C=BE)

  • Thumbprint (SHA1): 6D7B64499E13683F5EC61CE1F118CDFDF1B557EE
  • Thumbprint (SHA256): C30C40A5943D99D84246F9134DEE015914839AE25326E2DD4DA9AB421EF563C8
  • Valid until: 2024/12/31
  • Status: ⚠️ SUNSETTING, limited availability.
  • Certificate Revocation List: 1, 2
  • der, pem, txt, der-chain, pem-chain, txt-chain

Signed by Bancontact Administrative Root CA

• Bancontact PROD TLS subCA R1 (RSA 4096, CN=Bancontact PROD TLS subCA R1, O=Bancontact Payconiq Company nv/sa - BE0675 984 882, L=Brussels, C=BE)

  • Thumbprint (SHA1): A32BC337F846999FF3EFC4F56B86CE42D07F37C9
  • Thumbprint (SHA256): EFB6728477105370C26871FB8279327223249B6A3371B87E40ACF464C7320738
  • Valid until: 2033/08/02
  • Status: ✅ ACTIVE, used for issuing.
  • Certificate Revocation List: 1
  • OCSP responder: http://ocsp.pki.bancontact.net
  • der, pem, txt, der-chain, pem-chain, txt-chain

• Bancontact TLS Server SubCA L2 (RSA 4096, CN=Bancontact TLS Server SubCA L2, O=Bancontact Payconiq Company sa/nv - BE0675 984 882, L=Brussels, C=BE)

  • Thumbprint (SHA1): FBB7BD95A1DC75FD738040BA7CBF2CD9A8B382EB
  • Thumbprint (SHA256): A79C0667BA45BEFDED342BA1EFF59B2EEA7C56E75A8D580C9B6BCD7EC86FF3D6
  • Valid until: 2031/10/31
  • Status: ✅ ACTIVE, used for issuing.
  • Certificate Revocation List: 1, 2
  • der, pem, txt, der-chain, pem-chain, txt-chain

• Bancontact SMIME System SubCA L2 (RSA 4096, CN=Bancontact SMIME System SubCA L2, O=Bancontact Payconiq Company sa/nv - BE0675 984 882, L=Brussels, C=BE)

  • Thumbprint (SHA1): D5916E0E82E4B02345D64D06D0C22317B6EFF5A4
  • Thumbprint (SHA256): 3FBA6C0F5A6A9100034B845BDE0C6456B633F62FCF541C0CEC908D45CAD4D81C
  • Valid until: 2031/10/31
  • Status: ✅ ACTIVE, used for issuing.
  • Certificate Revocation List: 1, 2
  • der, pem, txt, der-chain, pem-chain, txt-chain

• Bancontact TLS Client SubCA L2 (RSA 4096, CN=Bancontact TLS Client SubCA L2, O=Bancontact Payconiq Company sa/nv - BE0675 984 882, L=Brussels, C=BE)

  • Thumbprint (SHA1): 6904335F0AFCCC2D4510C34D160B731252D9B816
  • Thumbprint (SHA256): EA3E04B53498416D0BB979511280F37A0C7213A8086E960E774BACD6C3FD076F
  • Valid until: 2031/10/31
  • Status: ✅ ACTIVE, used for issuing.
  • Certificate Revocation List: 1, 2
  • der, pem, txt, der-chain, pem-chain, txt-chain

Signed by TEST Bancontact Administrative Root CA

• Bancontact TEST TLS subCA R1 (RSA 4096, CN=Bancontact TEST TLS subCA R1, O=Bancontact Payconiq Company nv/sa - BE0675 984 882, L=Brussels, C=BE)

  • Thumbprint (SHA1): 327A3039E9B362DAB6721B97A066432771E04EE6
  • Thumbprint (SHA256): 3F7CEFB5AE582D08CF436F07967F2FE2CB4E3763C781AEDD048C3B42F5170FC1
  • Valid until: 2032/11/30
  • Status: ✅ ACTIVE, used for issuing.
  • OCSP responder: http://ocsp.pki.bancontact.net
  • Certificate Revocation List: 1
  • der, pem, txt, der-chain, pem-chain, txt-chain

• TEST Bancontact SMIME System SubCA L2 (RSA 4096, CN=TEST Bancontact SMIME System SubCA L2, O=Bancontact Payconiq Company nv/sa - BE0675 984 882, C=BE)

  • Thumbprint (SHA1): 2F75944A4976295E913C5FA54F7EA41906A6768A
  • Thumbprint (SHA256): 685E5043CED60CAAA054B1179D44268D8C431B9EA544822F28CE2E42B5141ECA
  • Valid until: 2031/10/31
  • Status: ✅ ACTIVE, used for issuing.
  • Certificate Revocation List: 1, 2
  • der, pem, txt, der-chain, pem-chain, txt-chain

• TEST Bancontact TLS Client SubCA L2 (RSA 4096, CN=TEST Bancontact TLS Client SubCA L2, O=Bancontact Payconiq Company nv/sa - BE0675 984 882, C=BE)

  • Thumbprint (SHA1): 08D5AAFF2CEE8F1D2D1A93F108C85E3CF0D51727
  • Thumbprint (SHA256): 24CC6606FF90AFCC30583B17E204110B5AB5AEDEC4A51853475304F0BCCAFA69
  • Valid until: 2031/10/31
  • Status: ✅ ACTIVE, used for issuing.
  • Certificate Revocation List: 1, 2
  • der, pem, txt, der-chain, pem-chain, txt-chain

• TEST Bancontact TLS Server SubCA L2 (RSA 4096, CN=TEST Bancontact TLS Server SubCA L2, O=Bancontact Payconiq Company nv/sa - BE0675 984 882, C=BE)

  • Thumbprint (SHA1): 27B9B462E226DD9E8B5772FEE4FD3944ACDCEAFE
  • Thumbprint (SHA256): 734A0F573244270C6F7BDA865AF30D68959EB5E0F7B37EEBD734ED00AE3AF285
  • Valid until: 2031/10/31
  • Status: ✅ ACTIVE, used for issuing.
  • Certificate Revocation List: 1, 2
  • der, pem, txt, der-chain, pem-chain, txt-chain

Signed by TEST Bancontact Individual Root CA

• TEST Bancontact SMIME Individual SubCA L2 (RSA 4096, CN=TEST Bancontact SMIME Individual SubCA L2, O=Bancontact Payconiq Company nv/sa - BE0675 984 882, C=BE)

  • Thumbprint (SHA1): 1D58197C768A551C24490353AFAC13DE67468EC6
  • Thumbprint (SHA256): 158B78AE6436C67730169E3AE849E7A8E6BF15216AFEE3744534CCBA50B6E7F2
  • Valid until: 2031/10/31
  • Status: ✅ ACTIVE, used for issuing.
  • Certificate Revocation List: 1, 2
  • der, pem, txt, der-chain, pem-chain, txt-chain

• TEST Bancontact TLS Client Individual SubCA L2 (RSA 4096, CN=TEST Bancontact TLS Client Individual SubCA L2, O=Bancontact Payconiq Company nv/sa - BE0675 984 882, C=BE)

  • Thumbprint (SHA1): F254D0978BFA5E227A0AF1B620AC1DB1C61D5CFA
  • Thumbprint (SHA256): B5236753D2B74EBB568B049CA3ABBB6B278AF130E827F16B5D2C85CD6A7763C6
  • Valid until: 2031/10/31
  • Status: ✅ ACTIVE, used for issuing.
  • Certificate Revocation List: 1, 2
  • der, pem, txt, der-chain, pem-chain, txt-chain

Signed by Bancontact Individual Root CA

• Bancontact SMIME Individual SubCA L2 (RSA 4096, CN=Bancontact SMIME Individual SubCA L2, O=Bancontact Payconiq Company sa/nv - BE0675 984 882, L=Brussels, C=BE)

  • Thumbprint (SHA1): 438C91870010CA5F470BA27190B9A716E86B8900
  • Thumbprint (SHA256): 7D646CE92B8BD30DA41036E24C44BD628D2DC68E2F08CA86E71C5E1F524C439E
  • Valid until: 2031/10/31
  • Status: ✅ ACTIVE, used for issuing.
  • Certificate Revocation List: 1, 2
  • der, pem, txt, der-chain, pem-chain, txt-chain

• Bancontact TLS Client Individual SubCA L2 (RSA 4096, CN=Bancontact TLS Client Individual SubCA L2, O=Bancontact Payconiq Company sa/nv - BE0675 984 882, L=Brussels, C=BE)

  • Thumbprint (SHA1): 2DAFA768ABF9206F5A8B09A88A1E682635D1ABEE
  • Thumbprint (SHA256): 2AF635EB9391492C80F85C6C80FFCE93E99342AB1E3858603EC3141B1C815F2C
  • Valid until: 2031/10/31
  • Status: ✅ ACTIVE, used for issuing.
  • Certificate Revocation List: 1, 2
  • der, pem, txt, der-chain, pem-chain, txt-chain

Signed by DEV BC-MC Root CA

• Bancontact DEV Acceptance Services subCA R1 (RSA 4096, CN=Bancontact DEV Acceptance Services subCA R1, O=Bancontact Payconiq Company nv/sa - BE0675 984 882, L=Brussels, C=BE)

  • Thumbprint (SHA1): ACEFCB5032746C381206AB92500A97D87E0A6239
  • Thumbprint (SHA256): F9222DF6E2D6E2A4D00B11A559E2E83E7E64F8F336578BBBF148D8C55F2D1CC5
  • Valid until: 2033/02/26
  • Status: ✅ ACTIVE, used for issuing.
  • Certificate Revocation List: 1
  • OCSP responder: http://ocsp.pki.bancontact.net
  • der, pem, txt, der-chain, pem-chain, txt-chain

• Bancontact DEV Authorization and Scheme Services subCA R1 (RSA 4096, CN=Bancontact DEV Authorization and Scheme Services subCA R1, O=Bancontact Payconiq Company nv/sa - BE0675 984 882, L=Brussels, C=BE)

  • Thumbprint (SHA1): 1E4BDA8C9ED808E5C4E6EFC0C1323FF349CFC540
  • Thumbprint (SHA256): C172DE8D1868B66A52536E0DA3CDC83816918A2D597C2F8745971BB6CE5E6ACC
  • Valid until: 2033/02/26
  • Status: ✅ ACTIVE, used for issuing.
  • Certificate Revocation List: 1
  • OCSP responder: http://ocsp.pki.bancontact.net
  • der, pem, txt, der-chain, pem-chain, txt-chain

Signed by DEV Bancontact Administrative Root CA

• Bancontact DEV TLS subCA R1 (RSA 4096, CN=Bancontact DEV TLS subCA R1, O=Bancontact Payconiq Company nv/sa - BE0675 984 882, L=Brussels, C=BE)

  • Thumbprint (SHA1): BEAC1B6145325E8399FB0A3428CCDDB5EE548B76
  • Thumbprint (SHA256): 79C34DF1D353541CD539C7EE411351B7718566A40018EC6CFE8BC46BB8500538
  • Valid until: 2033/02/26
  • Status: ✅ ACTIVE, used for issuing.
  • Certificate Revocation List: 1
  • OCSP responder: http://ocsp.pki.bancontact.net
  • der, pem, txt, der-chain, pem-chain, txt-chain

Location of Certificate Revocation Lists

Certificate revocation list files are public & available on:

• http://crl.bctops.be
• http://crl.banksys.be
• http://crl.pki.bancontact.net
• https://crl.bcmc-ops.be

OCSP Responders

For certificates issued by the following subCA’s an OCSP responder is available. This OCSP responder is available via http://ocsp.pki.bancontact.net

The list of sub CA’s which support revocation via OCSP are:

• Bancontact PROD Acceptance Services subCA R1
• Bancontact PROD Authorization and Scheme Services subCA R1
• Bancontact PROD TLS subCA SubCA R1
• Bancontact TEST Acceptance Services subCA R1
• Bancontact TEST Authorization and Scheme Services subCA R1
• Bancontact TEST TLS SubCA R1
• Bancontact DEV Acceptance Services subCA R1
• Bancontact DEV Authorization and Scheme Services subCA R1
• Bancontact DEV TLS SubCA R1

The following endpoints feature revoked & expired certificates for testing purposes:

• https://revoked-dev.pki.bancontact.net
• https://expired-dev.pki.bancontact.net
• https://revoked-tst.pki.bancontact.net
• https://expired-tst.pki.bancontact.net
• https://revoked-prd.pki.bancontact.net
• https://expired-prd.pki.bancontact.net

Bancontact EMV 3DS encryption certificates

Below is the list of public SDK encryption certificates the Bancontact Directory Server uses in “Function I: 3DS SDK Encryption to DS” defined in the EMV spec.

• Bancontact Production Directory Server (RSA 4096, CN=Bancontact prod DS SDK, O=Bancontact Payconiq Company NV - BE0675.984.882, L=Brussels, C=BE, Role=Directory Server, Role=3DSv2 DS, UID=999999)

  • Thumbprint (SHA1): BB3400789EDA731F535BCAE28611DF8A4E105F5A
  • Thumbprint (SHA256): 21ED8F40411EA89DFC29455AE166E0A471C7CA9F6F9B8E65D3B3EAC2295E6390
  • Valid until: 2032/10/06
  • Status: ✅ ACTIVE
  • Issued by: Bancontact PROD Authorization and Scheme Services subCA R1
  • Certificate Revocation List: 1
  • OCSP responder: http://ocsp.pki.bancontact.net
  • der, pem, txt, der-chain, pem-chain, txt-chain

• Bancontact Preproduction Directory Server (RSA 4096, CN=Bancontact preprod DS SDK, O=Bancontact Payconiq Company NV - BE0675.984.882, L=Brussels, C=BE, Role=Directory Server, Role=3DSv2 DS, UID=999999)

  • Thumbprint (SHA1): 77D89775B6A0F7464D7AC3B54037A7EF20D095A6
  • Thumbprint (SHA256): 6031DBA3DC54BBB48C9DE53219C6A26E4775F6D4B71C49F57C0762AA4C865793
  • Valid until: 2032/10/06
  • Status: ✅ ACTIVE
  • Issued by: Bancontact TEST Authorization and Scheme Services subCA R1
  • Certificate Revocation List: 1
  • OCSP responder: http://ocsp.pki.bancontact.net
  • der, pem, txt, der-chain, pem-chain, txt-chain

• Bancontact Acceptance Directory Server (RSA 4096, CN=Bancontact acc DS SDK, O=Bancontact Payconiq Company NV - BE0675.984.882, L=Brussels, C=BE, Role=Directory Server, Role=3DSv2 DS, UID=999999)

  • Thumbprint (SHA1): 17897D2B978924BB2EED4BD98DFEB1412684952E
  • Thumbprint (SHA256): B0AF4EED8272A9B737F17EF9EE95E59E6915C5C48015A4C057D04BBF46269115
  • Valid until: 2032/10/06
  • Status: ✅ ACTIVE
  • Issued by: Bancontact TEST Authorization and Scheme Services subCA R1
  • Certificate Revocation List: 1
  • OCSP responder: http://ocsp.pki.bancontact.net
  • der, pem, txt, der-chain, pem-chain, txt-chain

• Bancontact Acceptance Directory Server (RSA 4096, CN=Bancontact DS SDK, O=Bancontact Payconiq Company NV - BE0675.984.882, L=Brussels, C=BE, Role=Directory Server, Role=3DSv2 DS, UID=999999)

  • Thumbprint (SHA1): AD03705148A115E4C4649991AEF7A7059FF6D99F
  • Thumbprint (SHA256): 65EE015D0B932D39D540855043605CCC8948FDECC1D58550B890E3CF3943EBA4
  • Valid until: 2032/09/22
  • Status: ❌ REVOKED
  • Issued by: Bancontact TEST Authorization and Scheme Services subCA R1
  • Certificate Revocation List: 1
  • OCSP responder: http://ocsp.pki.bancontact.net
  • der, pem, txt, der-chain, pem-chain, txt-chain