On this page
- What Is a QWAC and Why Canada Needs Its Own Infrastructure
- Who We Are
- The Regulatory Context We Operate In
- What We Issue
- Our Validation Process
- Technical Specifications
- Why Not Use a Large Commercial CA
- Sectors We Work With
QWAC.CA is a Canadian certificate authority focused on a narrow and technically demanding segment: qualified web authentication certificates (QWACs) for financial institutions, fintech companies, and regulated digital services. We do not sell generic SSL. We work with organizations that operate under compliance frameworks where the identity of the web endpoint must be cryptographically verifiable and legally recognized.

What Is a QWAC and Why Canada Needs Its Own Infrastructure
A Qualified Web Authentication Certificate (QWAC) is a specific type of TLS certificate defined under the eIDAS regulation in the European Union and increasingly referenced in open banking and digital identity frameworks globally. A QWAC does more than encrypt the connection between a browser and a server. It binds the legal identity of the organization to the certificate itself, making it machine-readable and auditable.
Canada's open banking framework, which moved into active regulatory implementation between 2024 and 2026, created a specific gap: financial institutions needed certificates that could satisfy both domestic compliance requirements and cross-border interoperability with EU-based PSD2 infrastructure. Generic certificates issued by commercial CAs do not carry the legal weight or the structured identity fields required for these use cases.
Key differences between a standard TLS certificate and a QWAC:
| Feature | Standard TLS (DV/OV) | QWAC |
|---|---|---|
| Identity validation | Domain or organization name | Legal entity with jurisdiction-specific verification |
| Regulatory recognition | None | eIDAS, PSD2, open banking frameworks |
| Machine-readable identity fields | Limited | Structured: LEI, NCA registration, role type |
| Certificate policy OID | Generic | Qualified trust service OID |
| Audit trail | Log only | Linked to trust service provider registry |
| Use case | General HTTPS | Regulated API authentication, open banking, fintech |
Who We Are
QWAC.CA was built by a team with backgrounds in PKI architecture, financial regulatory compliance, and Canadian federal identity policy. The founding perspective was specific: the commercial certificate market is not structured to serve regulated financial services in Canada. Large CAs treat compliance certificates as a product variant. We treat them as the primary engineering and legal challenge.
The team includes:
- PKI architects with experience in ETSI EN 319 411-2 (the European standard for qualified certificate issuance)
- Compliance specialists familiar with OSFI guidelines, FINTRAC registration requirements, and Canada's Consumer-Driven Banking Act
- Integration engineers who have worked directly with open banking API gateways in the EU and UK
We are not a reseller. We operate our own certificate authority infrastructure, maintain our own certificate policy documents, and handle the validation process internally.
The Regulatory Context We Operate In
Canada's digital identity and open banking landscape shifted substantially between 2023 and 2026. Three regulatory developments directly affect demand for qualified certificates:
Consumer-Driven Banking Act (Bill C-69, enacted 2024) This legislation formalized open banking in Canada, requiring accredited data recipients and data holders to use standardized, verifiable digital identities when exchanging consumer financial data. The technical specifications reference certificate-based authentication at the API layer.
OSFI Digital Risk Guidelines (updated 2025) The Office of the Superintendent of Financial Institutions updated its B-13 Technology and Cyber Risk Management guideline to include stronger requirements for endpoint authentication in inter-institutional data flows. Certificates with validated organizational identity are now an explicit expectation, not just a best practice.
Cross-border fintech operations Canadian fintech companies accessing EU markets under PSD2 or partnering with UK open banking participants need certificates that comply with eIDAS qualified certificate standards. A certificate issued by a domestic commercial CA without qualified status will not satisfy these requirements.
What We Issue
QWAC.CA issues three certificate types, each mapped to a specific regulatory and technical use case:
1. QWAC for Open Banking API Authentication Used by accredited financial institutions and third-party providers to authenticate at the API gateway level. Carries the Legal Entity Identifier (LEI), registration number with the relevant NCA or FCAC, and role designation (AISP, PISP, or ASPSP under PSD2 terminology, adapted for Canadian framework equivalents).
2. QWAC for Cross-Border Interoperability Issued under ETSI EN 319 412-5 specifications for organizations that need EU/UK recognition in addition to Canadian compliance. These certificates are recognized by eIDAS trust lists and can be used in PSD2-compliant environments without re-issuance.
3. Website Authentication Certificates with Enhanced Identity (eWAC) For Canadian organizations that need stronger identity binding than OV certificates provide, but do not require full qualified status. These certificates include verified LEI and organizational role fields and are suitable for regulated financial service websites, investor portals, and credit union member authentication.
Our Validation Process
Certificate issuance is not automated. Every request goes through a structured validation workflow:
- Legal entity verification — We confirm registration with the relevant provincial or federal registry. For federally regulated institutions, this includes cross-referencing OSFI's FRFI list.
- LEI verification — We confirm the applicant's Legal Entity Identifier is active in the GLEIF database.
- Regulatory status check — For open banking participants, we verify accreditation status with the Financial Consumer Agency of Canada (FCAC) or equivalent.
- Domain control verification — Standard DNS or file-based DCV, consistent with CA/Browser Forum baseline requirements.
- Certificate policy review — We review the intended use case to ensure the correct certificate type and extensions are applied.
Typical issuance time: 3 to 7 business days for first-time applicants. Renewals for existing validated entities: 1 to 2 business days.
Technical Specifications
Our certificates are issued from a root and intermediate CA hierarchy that is:
- Audited annually under WebTrust for CAs and WebTrust for Qualified Certificates (adapted from ETSI EN 319 411-2 criteria)
- Included in the Microsoft and Mozilla root programs for standard TLS trust
- Registered with GLEIF as a Qualified VLEI Issuer for Legal Entity Identifier-linked credentials
Certificate parameters:
| Parameter | Value |
|---|---|
| Key algorithm | RSA 4096 or ECDSA P-384 |
| Signature algorithm | SHA-384 |
| Maximum validity | 397 days (CA/Browser Forum limit) |
| OCSP response time | Real-time, 24/7 |
| CRL update frequency | Every 4 hours |
| CT logging | All certificates logged to public CT logs |
Why Not Use a Large Commercial CA
This is a fair question. Sectigo, GlobalSign, and DigiCert all issue certificates that appear similar in name. The practical differences come down to three things:
Validation depth. Large commercial CAs validate organization name and domain. They do not validate regulatory status, LEI accuracy, or NCA registration. For regulated open banking, this matters because relying parties — other banks, API gateways, regulators — need to verify not just that you are who you say you are, but that you are authorized to participate in the ecosystem.
Certificate policy specificity. Commercial QWACs from large CAs are often issued under a generic qualified CP OID that satisfies eIDAS in the EU but has no recognition in the Canadian Consumer-Driven Banking framework. Our certificates carry policy OIDs registered with the relevant Canadian trust frameworks.
Support model. When a certificate has a validation error that blocks an API integration at a major bank, the resolution timeline at a large CA's support queue is measured in days. We handle these issues directly, at the engineering level, typically within hours.
Sectors We Work With
- Schedule I and Schedule II banks
- Credit unions under federal or provincial charter
- Fintech companies registered as third-party providers under the Consumer-Driven Banking Act
- Payment service providers registered with the Bank of Canada
- Insurance companies with digital distribution channels requiring authenticated endpoints
- Canadian subsidiaries of EU financial institutions needing cross-border certificate recognition
Planning an implementation?
Keep the legal entity, domain controls and certificate lifecycle in the same review.
Discuss your use caseFrequently asked questions
Practical answers
What makes a QWAC different from an EV certificate?
An Extended Validation (EV) certificate validates the legal identity of an organization and was historically used to trigger the green address bar in browsers. That visual indicator was removed by major browsers in 2019.
Do Canadian companies need a QWAC if they only operate domestically?
Not for all use cases, but increasingly yes for open banking. The Consumer-Driven Banking Act and its technical implementation standards reference certificate-based authentication for accredited participants.
How does QWAC.CA handle certificate revocation in an emergency?
We maintain a 24/7 revocation response capability. Emergency revocation requests — for example, following a key compromise or fraudulent use — are processed within 24 hours for standard requests and within 4 hours for critical infrastructure or regulated financial institution requests.
Can QWAC.CA certificates be used for both Canadian and EU compliance simultaneously?
Yes, for organizations that need cross-border recognition. Our QWAC for Cross-Border Interoperability is issued under ETSI EN 319 412-5 and carries both the Canadian-framework policy OID and the EU qualified certificate OID.