Bancontact PKI overview

Bancontact logo

Content

Bancontact PKI hierarchy

The Bancontact PKI is split up in 6 parts which each part having it’s distinct area of usage:

List of Root Certificates (8)

The root certificates are kept offline and are only used to issue the intermediate subCA’s defined in the next section.

List of Intermediate Certificates (35)

The intermediate certificates are the ones that actually issue the end entity certificates.

Signed by BC-MC Root CA

Signed by TEST BC-MC Root CA

Signed by Bancontact Administrative Root CA

Signed by TEST Bancontact Administrative Root CA

Signed by TEST Bancontact Individual Root CA

Signed by Bancontact Individual Root CA

Signed by DEV BC-MC Root CA

Signed by DEV Bancontact Administrative Root CA

Location of Certificate Revocation Lists

Certificate revocation list files are public & available on:

OCSP Responders

For certificates issued by the following subCA’s an OCSP responder is available. This OCSP responder is available via http://ocsp.pki.bancontact.net

The list of sub CA’s which support revocation via OCSP are:

The following endpoints feature revoked & expired certificates for testing purposes:

Bancontact EMV 3DS encryption certificates

Below is the list of public SDK encryption certificates the Bancontact Directory Server uses in “Function I: 3DS SDK Encryption to DS” defined in the EMV spec.