Authentication and Certificates

Introduction

Authentication with the LHV Connect API is done through mutual TLS (mTLS), which has the following prerequisites in our case:

  • A valid customer agreement with LHV

  • A signed additional Connect agreement

  • A private connection certificate

  • Our LHV Connect certificate

The following certificates are required for authentication with the LHV Connect API.

Private Connection Certificate

The Private Connection Certificate is a certificate for the TLS protocol. It takes the form of a PEM-encoded certificate file with an associated PEM-encoded key. An example is below.

Example PEM-Encoded Certificate

example_cert.pem
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Example PEM-Encoded Key

example_key.pem
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

Purpose

The connection certificate identifies and confirms on the transport layer that messages were sent by a known customer's integration.

Creation

  1. LHV sends the customer the necessary instructions for generating the certificate request file (request.csr) and the certificate key. The customer alone owns the key and is responsible for storing it securely.

  2. The customer sends the request file to the Connect support team at connect@lhv.com.

  3. Our support team sends back the actual certificate.

New LHV UK issued Certificates and Certificate Authority

We are currently moving to a new LHV UK-owned Certificate Authority, the root certificates for which can be found below. Customers will be instructed on when the root certificates below should be used.

LHV Connect Prelive Root Certificate

LHV Connect Production Root Certificate

Public Root Certificate for connect.lhv.com

The Public Root Certificate gives the customer the security that they are communicating with the correct service. We use DigiCert as the root CA.

Our current Connect host root certificate is DigiCert Global Root G2.
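
As an added example (not LHV's own code), the Python below runs a preflight over the files described on this page: the request file sent to support must hold only a certificate request, the key file must be owner-only, and the client TLS context presents the connection certificate while trusting only the supplied root. Function names, file paths, the POSIX permission check and the TLS 1.2 floor are assumptions.

```python
# Added example: names, paths and policy choices here are assumptions, not LHV's.
import os
import re
import ssl
import stat

PEM_LABEL = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")
CSR_LABELS = ("CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST")

def pem_labels(path):
    """Return the labels of all PEM blocks in a file, in order."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        return PEM_LABEL.findall(fh.read())

def preflight(cert_path, key_path, csr_path=None):
    """Return a list of problems; an empty list means the files look sane."""
    problems = []
    cert_labels = pem_labels(cert_path)
    if "CERTIFICATE" not in cert_labels:
        problems.append("certificate file has no CERTIFICATE block")
    if any(lbl.endswith("PRIVATE KEY") for lbl in cert_labels):
        problems.append("certificate file also contains a private key")
    if not any(lbl.endswith("PRIVATE KEY") for lbl in pem_labels(key_path)):
        problems.append("key file has no PRIVATE KEY block")
    # The key stays with the customer: no group/other access (POSIX modes).
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"key file mode {mode:o} is group/world accessible")
    # Only the request leaves the host; it must not carry a key or anything else.
    if csr_path is not None:
        labels = pem_labels(csr_path)
        if len(labels) != 1 or labels[0] not in CSR_LABELS:
            problems.append("request file must hold exactly one certificate request")
    return problems

def build_mtls_context(cert_path, key_path, root_ca_path):
    """Client context that presents the connection certificate (mTLS)."""
    problems = preflight(cert_path, key_path)
    if problems:
        raise ValueError("; ".join(problems))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # assumption: page states no floor
    ctx.load_verify_locations(cafile=root_ca_path)  # trust only the given root
    ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    return ctx
```

`load_cert_chain` raises `ssl.SSLError` when the certificate and key do not belong together, so a mismatched pair fails before any connection is attempted.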
